[dns-operations] DNS Attack over UDP fragmentation

Paul Ferguson fergie at people.ops-trust.net
Thu Sep 5 10:06:10 UTC 2013

On 9/4/2013 7:57 AM, Ondřej Surý wrote:

>> Check also ICMP "packet too big" coming in with ridiculous sizes, they
>> might be the sign that someone is trying the Shulman attack.
> JFTR It's one ICMP packet per the fragmentation cache timeout and the unique destination IP.
> I wish we had found out some way to enforce BCP38 before spoofing became a problem:(

Believe me, no one wishes that more than do I.  :-/

- ferg

Paul Ferguson
Vice President, Threat Intelligence
Internet Identity, Tacoma, Washington  USA
IID --> "Connect and Collaborate" --> www.internetidentity.com
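A defender-side check for the symptom Ondřej points at, added here as an illustration and not part of the thread: it parses ICMPv4 "fragmentation needed" (type 3, code 4) messages, validates the checksum, and counts those carrying an implausibly small next-hop MTU per original destination, which is what a server being nudged into fragmenting its DNS answers would see. The 576-byte threshold, the parser and the RFC 5737 sample addresses are assumptions of this example; on IPv6 the same check would look at ICMPv6 Packet Too Big (type 2).

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4   # ICMPv4 "fragmentation needed and DF set"
MIN_PLAUSIBLE_MTU = 576  # assumption: a next-hop MTU below this is treated as "ridiculous"

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over a message whose checksum field is valid."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frag_needed(icmp: bytes):
    """Return (next_hop_mtu, original_dst_ip) for a well-formed type 3/code 4 message, else None."""
    if len(icmp) < 8 + 20 + 8:  # ICMP header + quoted IP header + 8 bytes of the original datagram
        return None
    typ, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if typ != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED or icmp_checksum(icmp) != 0:
        return None
    inner = icmp[8:]
    if inner[0] >> 4 != 4 or (inner[0] & 0x0F) < 5:  # quoted header must be IPv4 with IHL >= 5
        return None
    return mtu, str(IPv4Address(inner[16:20]))  # destination of the datagram we originally sent

def flag_suspicious(messages, min_mtu=MIN_PLAUSIBLE_MTU):
    """Count tiny-MTU messages per original destination: a resolver or auth server that keeps
    receiving these for one client IP is being nudged to fragment its answers to that client."""
    hits = Counter()
    for msg in messages:
        parsed = parse_frag_needed(msg)
        if parsed and parsed[0] < min_mtu:
            hits[parsed[1]] += 1
    return dict(hits)

def build_frag_needed(mtu, orig_src, orig_dst, sport=53, dport=40000):
    """Constructed sample message (demo input only): ICMP header + quoted IPv4 and UDP headers."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 64, 0x1234, 0x4000, 64, 17, 0,
                           IPv4Address(orig_src).packed, IPv4Address(orig_dst).packed)
    inner_udp = struct.pack("!HHHH", sport, dport, 44, 0)
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu) + inner_ip + inner_udp
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

# Constructed sample: two absurd MTUs quoting one client, one ordinary-looking message for another.
SAMPLE = [build_frag_needed(296, "192.0.2.53", "198.51.100.7"),
          build_frag_needed(296, "192.0.2.53", "198.51.100.7"),
          build_frag_needed(1400, "192.0.2.53", "203.0.113.9")]
```

Feed it the ICMP payloads from a capture on the DNS server and alert on any destination whose count climbs, keeping in mind the quoted point that a single message per path-MTU cache timeout is all that is needed.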
