[dns-operations] DNS Attack over UDP fragmentation

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Sep 4 14:33:17 UTC 2013


On Wed, Sep 04, 2013 at 04:04:13PM +0200,
 Ondřej Surý <ondrej.sury at nic.cz> wrote 
 a message of 93 lines which said:

> > Isn't it a good idea to limit the maximum size of the response,
> > like .com/.net (and maybe other TLDs: examples welcome) do? This
> > will make the attack more difficult.
> 
> That could work, but what EDNS0 buffer size to pick?  

.com/.net apparently does it at around 1400 bytes, which certainly
covers the vast majority of Internet paths.

> And how to push this to end users?

Why? They don't need it (otherwise, .com would not work and we would
have noticed :-)

> We are currently looking at our DNS data for fragments (and their
> sizes), so it might give us some hints.

Also check for ICMP "packet too big" messages coming in with ridiculous
sizes; they might be the sign that someone is trying the Shulman attack.
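The "ridiculous size" check suggested above, written out as an added example that is not code from this thread or from any list member: it parses ICMPv4 "fragmentation needed" (type 3, code 4) and ICMPv6 "Packet Too Big" (type 2) messages, verifies the ICMPv4 checksum, pulls out the advertised MTU and the quoted UDP 4-tuple, and flags messages whose MTU is below a plausibility floor. The sample messages, the addresses and ports in them, and the 576/1280 floors are constructed assumptions; a real deployment would feed the parser from a pcap or raw socket on the authoritative server.

```python
"""Flag incoming ICMP "packet too big" messages with implausibly small MTUs.

Added example; not from the dns-operations thread. All sample input is
constructed inline so the script runs offline.
"""
import ipaddress
import struct

UDP = 17
DNS_PORT = 53

# Assumed policy floors; tune for your network. IPv6 forbids link MTUs below
# 1280 (RFC 8200), so a smaller value is invalid on its face. IPv4 has no
# such hard minimum; 576 is a common floor because RFC 791 requires every
# host to reassemble datagrams of at least that size.
MIN_PLAUSIBLE_MTU = {4: 576, 6: 1280}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_udp_stub(src: str, dst: str, sport: int, dport: int) -> bytes:
    """IPv4 header (no options) + 8 bytes of UDP header: what an ICMPv4
    error quotes from the datagram that triggered it (RFC 792)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1428, 0x1234, 0, 64, UDP, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + struct.pack("!HHHH", sport, dport, 1408, 0)


def ipv6_udp_stub(src: str, dst: str, sport: int, dport: int) -> bytes:
    """IPv6 fixed header + UDP header, as quoted by an ICMPv6 error."""
    ip = struct.pack("!IHBB16s16s", 0x60000000, 1408, UDP, 64,
                     ipaddress.IPv6Address(src).packed,
                     ipaddress.IPv6Address(dst).packed)
    return ip + struct.pack("!HHHH", sport, dport, 1408, 0)


def build_icmpv4_frag_needed(next_hop_mtu: int, quoted: bytes) -> bytes:
    """ICMPv4 type 3 code 4 with the Next-Hop MTU field of RFC 1191."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted
    csum = internet_checksum(body)
    return struct.pack("!BBHHH", 3, 4, csum, 0, next_hop_mtu) + quoted


def build_icmpv6_packet_too_big(mtu: int, quoted: bytes) -> bytes:
    """ICMPv6 type 2. Its checksum covers an IPv6 pseudo-header (RFC 4443)
    that needs the outer addresses, so it is left zero in this sample."""
    return struct.pack("!BBHI", 2, 0, 0, mtu) + quoted


def parse_packet_too_big(version: int, msg: bytes) -> dict:
    """Extract the advertised MTU and the quoted transport endpoints; raise
    on anything that is not a PTB / fragmentation-needed message."""
    if version == 4:
        typ, code, _, _, mtu = struct.unpack("!BBHHH", msg[:8])
        if (typ, code) != (3, 4):
            raise ValueError("not ICMPv4 fragmentation-needed")
        checksum_ok = internet_checksum(msg) == 0   # whole message sums to zero
        inner = msg[8:]
        ihl = (inner[0] & 0x0F) * 4                 # quoted IPv4 header length
        proto = inner[9]
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    elif version == 6:
        typ, _, _, mtu = struct.unpack("!BBHI", msg[:8])
        if typ != 2:
            raise ValueError("not ICMPv6 Packet Too Big")
        checksum_ok = None          # needs the pseudo-header; not checked here
        inner = msg[8:]
        proto = inner[6]            # Next Header of the quoted packet
        sport, dport = struct.unpack("!HH", inner[40:44])
    else:
        raise ValueError("version must be 4 or 6")
    return {
        "version": version,
        "mtu": mtu,
        "checksum_ok": checksum_ok,
        "about_dns_answer": proto == UDP and sport == DNS_PORT,
        "below_floor": mtu < MIN_PLAUSIBLE_MTU[version],
    }


def scan(messages):
    """Return the records worth a second look: a bad checksum, or an MTU
    below the plausibility floor. 'about_dns_answer' says whether the
    quoted packet was one of our own UDP/53 answers."""
    hits = []
    for version, msg in messages:
        rec = parse_packet_too_big(version, msg)
        if rec["checksum_ok"] is False or rec["below_floor"]:
            hits.append(rec)
    return hits


# Constructed sample: an authoritative server at 192.0.2.53 / 2001:db8::53
# receiving PTB messages that quote its own answers to a resolver.
V4_ANSWER = ipv4_udp_stub("192.0.2.53", "198.51.100.7", DNS_PORT, 40001)
V6_ANSWER = ipv6_udp_stub("2001:db8::53", "2001:db8:1::7", DNS_PORT, 40002)
SAMPLES = [
    (4, build_icmpv4_frag_needed(1400, V4_ANSWER)),    # plausible tunnel MTU
    (4, build_icmpv4_frag_needed(296, V4_ANSWER)),     # ridiculous; forces fragmentation
    (6, build_icmpv6_packet_too_big(1280, V6_ANSWER)), # IPv6 minimum; legitimate
    (6, build_icmpv6_packet_too_big(1000, V6_ANSWER)), # below 1280; invalid
]
BAD = bytearray(build_icmpv4_frag_needed(1400, V4_ANSWER))
BAD[2] ^= 0xFF                                         # corrupt the checksum
SAMPLES.append((4, bytes(BAD)))

if __name__ == "__main__":
    for rec in scan(SAMPLES):
        print(rec)
```

Of the five constructed messages, three are reported: the IPv4 one advertising 296 bytes, the IPv6 one advertising 1000 bytes (below the 1280 minimum), and the copy with the corrupted checksum. The two with plausible MTUs pass.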
