[dns-operations] DNS Attack over UDP fragmentation

Ondřej Surý ondrej.sury at nic.cz
Wed Sep 4 14:50:03 UTC 2013

BTW just to complete my question in first email - is there a agreement that this is serious and needs to be addressed?

I am still wondering why this have slipped under the radar for so long (the original paper was published last year).

Ondřej Surý

> On 4. 9. 2013, at 15:47, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> On Wed, Sep 04, 2013 at 03:08:55PM +0200,
> Ondřej Surý <ondrej.sury at nic.cz> wrote 
> a message of 81 lines which said:
>> So what are the views of other people on this list?
> [Total noob just going back from holidays and therefore even less
> competent as usual.]
> Isn't is a good idea to limit the maximum size of the response, like
> .com/.net (and may be other TLD: examples welcome) do? This will make
> the attack more difficult.
> With IPv6, limiting to 1280 bytes completely prevent fragmentation.
> With IPv4, limiting to the minimum size of IPv4 datagrams is really
> too harsh and the attacker may trigger fragmentation by sending
> spoofed ICMP "packet too big". A possible solution is simply to deploy
> IPv6 faster :-)

More information about the dns-operations mailing list