[dns-operations] DNS Attack over UDP fragmentation

Ondřej Surý ondrej.sury at nic.cz
Thu Sep 5 15:03:39 UTC 2013


These are sizes (and counts) of first fragments that are smaller than 1280 bytes from data collected on .CZ nameservers on 20130901.

IPv4 size 001248: 0001
IPv4 size 001248: 0001
IPv4 size 001240: 0001
IPv4 size 001160: 0004
IPv4 size 001144: 0002
IPv4 size 001112: 0001
IPv4 size 001112: 0001
IPv4 size 001064: 0002
IPv4 size 001000: 0001
IPv4 size 000960: 0001
IPv4 size 000960: 0001
IPv4 size 000960: 0001
IPv4 size 000960: 0001
IPv4 size 000960: 0001
IPv4 size 000960: 0001
IPv4 size 000736: 0001
IPv4 size 000560: 0001
IPv4 size 000512: 0001
IPv4 size 000192: 0002
IPv4 size 000120: 0001

e.g. 26 occurrences.

I think it should be quite safe to cap the maximum EDNS0 to 1280 (the minimum IPv6 MTU) and set the DF flag in all responses.  What do you think?

JFTR, for a cap of 1400 this would hit 359 queries.  (Still a very small number.)

O.
--
 Ondřej Surý -- Chief Science Officer
 -------------------------------------------
 CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
 Americka 23, 120 00 Praha 2, Czech Republic
 mailto:ondrej.sury at nic.cz    http://nic.cz/
 tel:+420.222745110       fax:+420.222745112
 -------------------------------------------

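The cap proposed in the post, modelled as an added example that is not part of the original message or of any CZ.NIC code: a minimal pure-Python sketch of a server that refuses to send a UDP response larger than 1280 bytes and instead returns a truncated reply (TC=1, header plus question only), so the resolver retries over TCP and no IP fragment is ever emitted. The message builder, the name `example.cz` and the record counts are constructed for illustration; the DF flag is an IP-layer setting and is not modelled here.

```python
import struct

UDP_CAP = 1280  # minimum IPv6 MTU, the cap proposed in the post

def encode_name(name):
    """Encode a dotted name into DNS wire format (length-prefixed labels + root)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_response(txid, qname, n_records):
    """Constructed sample: an authoritative response with n_records A answers."""
    flags = 0x8400  # QR=1, AA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, n_records, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for i in range(n_records):
        # 0xC00C: compression pointer to the question name at offset 12;
        # each record is 16 bytes on the wire, so 100 records exceed 1280.
        rdata = bytes([10, 0, (i >> 8) & 0xFF, i & 0xFF])
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    return header + question + answers

def question_end(msg):
    """Offset just past a single, uncompressed question section."""
    off = 12
    while msg[off] != 0:
        off += msg[off] + 1
    return off + 1 + 4  # root label + QTYPE + QCLASS

def cap_udp_response(msg, cap=UDP_CAP):
    """Server-side UDP cap: a response larger than cap is replaced by a
    truncated one (TC=1) carrying only header and question; the client
    is expected to retry over TCP, so the answer is never fragmented."""
    if len(msg) <= cap:
        return msg
    txid, flags = struct.unpack("!HH", msg[:4])
    flags |= 0x0200  # TC bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + msg[12:question_end(msg)]

def tc_set(msg):
    """True if the TC (truncated) flag is set in the DNS header."""
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x0200)
```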