[dns-operations] DNS Attack over UDP fragmentation
Yasuhiro Orange Morishita / 森下泰宏
yasuhiro at jprs.co.jp
Wed Sep 4 14:01:43 UTC 2013
Hello,
> > So, we might set max-udp-size to 1220 for preventing UDP
> > fragmentation.
>
> But, in IPv4, the attacker can send spoofed ICMP "packet too big"
> messages to decrease the size of the path MTU, as seen by the DNS
> server.
The RELNOTES of NSD 3.2.9 describe the following;
we may separate the max-udp-size value for IPv4 and for IPv6.
-- Orange
> NSD 3.2.9
>
> The minimal response size is 512 (no-EDNS), 1480 (EDNS/IPv4),
> 1220 (EDNS/IPv6), or the advertized EDNS buffer size if that is
> smaller than the EDNS default.
From: Stephane Bortzmeyer <bortzmeyer at nic.fr>
Date: Wed, 4 Sep 2013 15:55:22 +0200
> On Wed, Sep 04, 2013 at 10:45:42PM +0900,
> Yasuhiro Orange Morishita / 森下泰宏 <yasuhiro at jprs.co.jp> wrote
> a message of 38 lines which said:
>
> > So, we might set max-udp-size to 1220 for preventing UDP
> > fragmentation.
>
> But, in IPv4, the attacker can send spoofed ICMP "packet too big"
> messages to decrease the size of the path MTU, as seen by the DNS
> server.
>
> I do not find an equivalent of RFC 5927 for UDP. I assume (I didn't
> check) that UDP stacks implement similar protections (some suggestions
> of RFC 5927 are very TCP-specific such as checking the sequence
> number) but it would be interesting to study this possible attack in
> depth.
>
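As an added example (not code from this thread or from NSD), a Python sketch of the per-family cap that the quoted NSD release notes describe: it reads the advertised EDNS buffer size from the OPT record of a constructed query and clamps the UDP response size to a configured IPv4 or IPv6 limit, which is the separation Orange suggests. The `EDNS_DEFAULT` table is an assumed configuration, and the 512-byte floor for advertised sizes follows RFC 6891.

```python
import struct

# Defaults quoted from the NSD 3.2.9 RELNOTES in the thread.
NO_EDNS_MAX = 512                      # also the RFC 6891 floor for advertised sizes
EDNS_DEFAULT = {4: 1480, 6: 1220}      # assumed per-family max-udp-size config

def _skip_name(pkt, off):
    """Return the offset just past a wire-format name (compression pointer aware)."""
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        ln = pkt[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + ln

def advertised_edns_size(pkt):
    """UDP payload size from the OPT pseudo-RR's CLASS field, or None if no EDNS."""
    if len(pkt) < 12:
        raise ValueError("short header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:                 # OPT
            return rclass
    return None

def response_size_limit(pkt, family, caps=EDNS_DEFAULT):
    """Largest UDP response the server should send for this query and address family."""
    adv = advertised_edns_size(pkt)
    if adv is None:
        return NO_EDNS_MAX
    return min(max(adv, NO_EDNS_MAX), caps[family])

def build_query(name, edns_size=None):
    # Constructed sample query: one A question plus an optional OPT record.
    ar = 0 if edns_size is None else 1
    hdr = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, ar)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    body = qname + struct.pack("!HH", 1, 1)
    if ar:
        body += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return hdr + body
```

A resolver advertising 4096 is thus answered with at most 1480 bytes over IPv4 and 1220 over IPv6, while a resolver advertising 1232 gets 1232 on both.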