[dns-operations] DNS Attack over UDP fragmentation

Stephane Bortzmeyer bortzmeyer at nic.fr
Thu Sep 5 09:10:39 UTC 2013

On Wed, Sep 04, 2013 at 06:02:20PM +0200,
 Jaroslav Benkovský <jaroslav.benkovsky at nic.cz> wrote 
 a message of 23 lines which said:

> the authors mention that the recommendation for IP-ID on IPv6 is a
> sequential value,

IMHO, RFC 2460, section 4.5 is badly wrong, security-wise, because of
that. As Francis said,
addresses that.

Fortunately, actual operating systems do not follow RFC 2460 and have
unpredictable ID. To assess your system, I strongly recommend the
excellent tool SI6 toolkit

> Also some implementations on IPv4 use sequential value or per
> destination counters.

That's perfect. We talk about blind attacks here, where the attacker
spoofs the source IP address and therefore cannot receive the
answers. So, PDC (per-destination counters) are OK.

More information about the dns-operations mailing list