[dns-operations] DNS Attack over UDP fragmentation

Paul Ferguson fergie at people.ops-trust.net
Thu Sep 5 10:06:10 UTC 2013


On 9/4/2013 7:57 AM, Ondřej Surý wrote:

>
>> Check also ICMP "packet too big" coming in with ridiculous sizes, they
>> might be the sign that someone is trying the Shulman attack.
>
> JFTR It's one ICMP packet per the fragmentation cache timeout and the unique destination IP.
>
> I wish we had found out some way to enforce BCP38 before spoofing became a problem :(
>

Believe me, no one wishes that more than do I.  :-/

- ferg


-- 
Paul Ferguson
Vice President, Threat Intelligence
Internet Identity, Tacoma, Washington  USA
IID --> "Connect and Collaborate" --> www.internetidentity.com
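
The check suggested in the quoted text, as an added example that is not part of the original message: a parser that flags an IPv4 ICMP "fragmentation needed" error (type 3, code 4) when it quotes a UDP packet sent from port 53 and advertises an implausibly small next-hop MTU. Because the quoted reply notes that one ICMP packet per destination is enough, each packet is judged on its own rather than by rate. The 576-byte threshold, the function names and the sample addresses are assumptions.

```python
import ipaddress
import struct

# Assumption (not from the thread): "ridiculous" means a next-hop MTU below
# 576 bytes, the datagram size every IPv4 host must be able to accept.
MIN_PLAUSIBLE_MTU = 576


def inspect_frag_needed(icmp: bytes):
    """Return a finding dict for a suspicious ICMPv4 type 3 / code 4 message
    that quotes a DNS response, or None if the message is not of interest."""
    if len(icmp) < 8 + 20 + 8:          # ICMP header + quoted IP header + 8 bytes
        return None
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return None
    inner = icmp[8:]                     # the quoted original datagram
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    if inner[9] != 17:                   # quoted protocol must be UDP
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    if sport != 53 or mtu >= MIN_PLAUSIBLE_MTU:
        return None
    return {
        "mtu": mtu,
        "server": str(ipaddress.IPv4Address(inner[12:16])),    # quoted source
        "resolver": str(ipaddress.IPv4Address(inner[16:20])),  # quoted destination
        "resolver_port": dport,
    }


def build_sample(mtu: int, sport: int = 53) -> bytes:
    """Constructed ICMP message for the demo (documentation addresses,
    checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 17, 0,
                     ipaddress.IPv4Address("192.0.2.53").packed,
                     ipaddress.IPv4Address("198.51.100.7").packed)
    udp = struct.pack("!HHHH", sport, 33333, 1480, 0)
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + ip + udp


if __name__ == "__main__":
    for mtu in (296, 1400):
        print(mtu, inspect_frag_needed(build_sample(mtu)))
```
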


