[dns-operations] DNS Attack over UDP fragmentation

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Sep 4 13:47:32 UTC 2013

On Wed, Sep 04, 2013 at 03:08:55PM +0200,
 Ondřej Surý <ondrej.sury at nic.cz> wrote 
 a message of 81 lines which said:

> So what are the views of other people on this list?

[Total noob just back from holidays and therefore even less
competent than usual.]

Isn't it a good idea to limit the maximum size of the response, like
.com/.net (and maybe other TLDs: examples welcome) do? This will make
the attack more difficult.

With IPv6, limiting to 1280 bytes completely prevents fragmentation.

With IPv4, limiting to the minimum size of IPv4 datagrams is really
too harsh and the attacker may trigger fragmentation by sending
spoofed ICMP "packet too big". A possible solution is simply to deploy
IPv6 faster :-)
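As an added illustration of the size cap discussed in this message (not code from the author or from any TLD operator), the following Python models what an authoritative server does when a response exceeds the configured UDP limit: it sends back only the header and question with TC=1 so the resolver retries over TCP, which never fragments. The header sizes assumed (40-byte IPv6 header, 20-byte IPv4 header, 8-byte UDP header) come from RFC 8200, RFC 791 and RFC 768; the sample response is constructed inline.

```python
import struct

IPV6_MIN_MTU, IPV4_MIN_DATAGRAM = 1280, 576   # RFC 8200 minimum link MTU, RFC 791 minimum datagram
IP_UDP_HEADERS = {4: 20 + 8, 6: 40 + 8}        # IP header + UDP header, per address family

def max_unfragmented_payload(ip_version):
    """Largest DNS payload that fits in one packet every host on the path must accept."""
    mtu = IPV6_MIN_MTU if ip_version == 6 else IPV4_MIN_DATAGRAM
    return mtu - IP_UDP_HEADERS[ip_version]

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels, no compression."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_txt_response(qname, txt_strings, txid=0x1234):
    """Constructed sample answer: QR=1 AA=1, one TXT RR per string, no OPT record."""
    question = encode_name(qname) + struct.pack("!HH", 16, 1)          # QTYPE TXT, QCLASS IN
    rrs = b""
    for s in txt_strings:
        rdata = bytes([len(s)]) + s.encode()
        rrs += encode_name(qname) + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(txt_strings), 0, 0)
    return header + question + rrs

def question_end(msg):
    """Offset just past the question section (assumes QDCOUNT == 1, no compression)."""
    i = 12
    while msg[i]:
        i += msg[i] + 1
    return i + 1 + 4                      # terminating zero label + QTYPE + QCLASS

def fit_to_udp(msg, limit):
    """Return msg unchanged if it fits in limit bytes; otherwise a TC=1 reply
    carrying only the header (answer counts zeroed) and the question."""
    if len(msg) <= limit:
        return msg
    txid, flags = struct.unpack("!HH", msg[:4])
    header = struct.pack("!HHHHHH", txid, flags | 0x0200, 1, 0, 0, 0)   # 0x0200 is the TC bit
    return header + msg[12:question_end(msg)]

def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x0200)

if __name__ == "__main__":
    limit = max_unfragmented_payload(6)                           # 1232 bytes of DNS payload
    resp = build_txt_response("example.com.", ["x" * 200] * 6)    # 1373 bytes, would fragment
    print(len(resp), "->", len(fit_to_udp(resp, limit)), "TC set:", is_truncated(fit_to_udp(resp, limit)))
```

The IPv4 figure (548 bytes) shows why the post calls the same cap "too harsh" there: almost any signed response would be forced to TCP.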
