[dns-operations] DNS Attack over UDP fragmentation

Ondřej Surý ondrej.sury at nic.cz
Wed Sep 4 14:53:51 UTC 2013


> On 4. 9. 2013, at 16:50, Jim Reid <jim at rfc1035.com> wrote:
> 
> On 4 Sep 2013, at 15:40, Ondřej Surý <ondrej.sury at nic.cz> wrote:
> 
>>> Check also ICMP "packet too big" coming in with ridiculous sizes, they
>>> might be the sign that someone is trying the Shulman attack.
>> 
>> True, but again, that might work for us, but not for average DNS operator.
> 
> Indeed. But who is more likely to be the target of this type of attack Ondřej, a TLD with decent DNS infrastructure or the name server for jimswebsite.com? AFAIK the average DNS operator was not targeted for the 9K ANY attacks. At least not yet.

Personally I would pick the incumbent ISP and a major banks DNS operators;).

O.


More information about the dns-operations mailing list