[dns-operations] DNS Attack over UDP fragmentation
Paul Ferguson
fergie at people.ops-trust.net
Thu Sep 5 10:06:10 UTC 2013
On 9/4/2013 7:57 AM, Ondřej Surý wrote:
>
>> Check also ICMP "packet too big" coming in with ridiculous sizes, they
>> might be the sign that someone is trying the Shulman attack.
>
> JFTR It's one ICMP packet per the fragmentation cache timeout and the unique destination IP.
>
> I wish we had found out some way to enforce BCP38 before spoofing became a problem:(
>
Believe me, no one wishes that more than do I. :-/
- ferg
--
Paul Ferguson
Vice President, Threat Intelligence
Internet Identity, Tacoma, Washington USA
IID --> "Connect and Collaborate" --> www.internetidentity.com
More information about the dns-operations
mailing list