[dns-operations] DNS Attack over UDP fragmentation
Ondřej Surý
ondrej.sury at nic.cz
Wed Sep 4 14:50:03 UTC 2013
BTW, just to complete my question in my first email: is there an agreement that this is serious and needs to be addressed?
I am still wondering why this has slipped under the radar for so long (the original paper was published last year).
Ondřej Surý
> On 4. 9. 2013, at 15:47, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>
> On Wed, Sep 04, 2013 at 03:08:55PM +0200,
> Ondřej Surý <ondrej.sury at nic.cz> wrote
> a message of 81 lines which said:
>
>> So what are the views of other people on this list?
>
> [Total noob just back from holidays and therefore even less
> competent than usual.]
>
> Isn't it a good idea to limit the maximum size of the response, like
> .com/.net (and maybe other TLDs: examples welcome) do? This will make
> the attack more difficult.
>
> With IPv6, limiting to 1280 bytes completely prevents fragmentation.
>
> With IPv4, limiting to the minimum size of IPv4 datagrams is really
> too harsh, and the attacker may trigger fragmentation by sending
> spoofed ICMP "packet too big" messages. A possible solution is simply
> to deploy IPv6 faster :-)
>
>
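The mitigation discussed in the quoted message (cap the UDP response size so the datagram never needs fragmentation, and let the resolver fall back to TCP) is easy to emulate. The following is an added example written for this page, not code from the thread, from BIND, or from any TLD operator. It assumes a simplified truncation policy (drop the whole answer section and set TC, as many servers do) and uses the protocol-fixed header sizes: the IPv6 minimum MTU of 1280 bytes leaves 1280 - 40 (IPv6 header) - 8 (UDP header) = 1232 bytes of UDP payload. Names, IDs and the A-record set are constructed sample data.

```python
"""Added example (not from the thread): emulate capping a DNS/UDP response so
the IP datagram never needs fragmentation, falling back to a truncated (TC=1)
reply that pushes the client to TCP.  Standard library only, no network I/O."""
import struct

# Header sizes used in the arithmetic below (fixed by the protocols).
IPV4_HDR = 20        # minimum IPv4 header, no options
IPV6_HDR = 40
UDP_HDR = 8
IPV6_MIN_MTU = 1280  # every IPv6 link must carry this without fragmentation
# Largest UDP payload that fits in a 1280-byte IPv6 packet: 1280 - 40 - 8 = 1232
IPV6_SAFE_UDP_PAYLOAD = IPV6_MIN_MTU - IPV6_HDR - UDP_HDR

FLAG_QR = 0x8000
FLAG_TC = 0x0200
FLAG_RD = 0x0100
FLAG_RA = 0x0080


def ip_datagram_size(udp_payload_len, family):
    """Bytes on the wire for a UDP payload of the given length (family 4 or 6)."""
    ip_hdr = IPV6_HDR if family == 6 else IPV4_HDR
    return ip_hdr + UDP_HDR + udp_payload_len


def would_fragment(udp_payload_len, family, path_mtu):
    """True if the datagram exceeds the path MTU and would have to be fragmented."""
    return ip_datagram_size(udp_payload_len, family) > path_mtu


def encode_name(name):
    """Wire-format a dotted domain name (no label compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def a_record(name, ttl, ipv4):
    """Uncompressed A record: NAME TYPE=1 CLASS=IN TTL RDLENGTH RDATA."""
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    return encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata


def build_response(qid, qname, answers, max_udp_size):
    """Assemble a response to an A query.

    If the full answer does not fit in max_udp_size bytes, return only the
    header and question with TC=1 instead of emitting a datagram that the
    network would fragment; a correct resolver then retries over TCP.
    Simplified policy (assumption): the whole answer section is dropped.
    Returns (wire_bytes, truncated).
    """
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    full = (struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0)
            + question + b"".join(answers))
    if len(full) <= max_udp_size:
        return full, False
    truncated = struct.pack("!HHHHHH", qid, flags | FLAG_TC, 1, 0, 0, 0) + question
    return truncated, True


def tc_bit_set(msg):
    """Read the TC flag back out of a wire-format message header."""
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def answer_count(msg):
    """ANCOUNT field of a wire-format message header."""
    return struct.unpack("!H", msg[6:8])[0]


if __name__ == "__main__":
    # Constructed sample data: a name with 100 A records, large enough that
    # the unrestricted answer would have to be fragmented on the wire.
    rrs = [a_record("big.example.", 300, "192.0.2.%d" % i) for i in range(1, 101)]
    full, _ = build_response(0x1234, "big.example.", rrs, max_udp_size=65535)
    print("unrestricted:", len(full), "bytes; fragments at IPv6 min MTU:",
          would_fragment(len(full), 6, IPV6_MIN_MTU))
    capped, tc = build_response(0x1234, "big.example.", rrs, IPV6_SAFE_UDP_PAYLOAD)
    print("capped:", len(capped), "bytes; TC set:", tc, "; fragments:",
          would_fragment(len(capped), 6, IPV6_MIN_MTU))
```

Note that this cap only bounds what the application hands to UDP. It does not model the IPv4 concern raised in the quoted message: if a spoofed ICMP "packet too big" lowers the kernel's cached path MTU below the capped size, the IP layer can still fragment a response that is under the application limit, which is why the limit alone is described as making the attack more difficult rather than impossible.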