[dns-operations] DNS Attack over UDP fragmentation

Ondřej Surý ondrej.sury at nic.cz
Wed Sep 4 14:40:28 UTC 2013


On 4. 9. 2013, at 16:33, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:

> On Wed, Sep 04, 2013 at 04:04:13PM +0200,
> Ondřej Surý <ondrej.sury at nic.cz> wrote 
> a message of 93 lines which said:
> 
>>> Isn't is a good idea to limit the maximum size of the response,
>>> like .com/.net (and may be other TLD: examples welcome) do? This
>>> will make the attack more difficult.
>> 
>> That could work, but what EDNS0 buffer size to pick?  
> 
> .com/.net does it apparently around 1400 bytes, which certainly covers
> the vast majority of Internet paths.

But they have 1400 with fragmentation allowed, right?  That doesn't really answer the question, does it?

>> And how to push this to end users?
> 
> Why? They don't need it (otherwise, .com would not work and we would
> have noticed :-)

Err, I ment DNS server operators (I guess I was writing it with my DNS vendor hat on).

>> We are currently looking at our DNS data for fragments (and their
>> sizes), so it might give us some hints.
> 
> Check also ICMP "packet too big" coming in with ridiculous sizes, they
> might be the sign that someone is trying the Shulman attack.

True, but again, that might work for us, but not for average DNS operator.

O.
--
 Ondřej Surý -- Chief Science Officer
 -------------------------------------------
 CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
 Americka 23, 120 00 Praha 2, Czech Republic
 mailto:ondrej.sury at nic.cz    http://nic.cz/
 tel:+420.222745110       fax:+420.222745112
 -------------------------------------------

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 163 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20130904/352b92e1/attachment.sig>


More information about the dns-operations mailing list