[dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

Roland Dobbins rdobbins at arbor.net
Sat Sep 13 15:22:29 UTC 2014


On Sep 13, 2014, at 9:47 PM, Harald Koch <chk at pobox.com> wrote:

> In the 1990s fragmentation-based attacks against IP stacks were very real, it took a long time for vendors to fix their stacks completely, and longer to get fixes deployed; we didn't have the "patch everything monthly" culture firmly established yet.

I remember that time well.  The issue wasn't fragmentation, but rather stack implementation.  There were ways to ameliorate it, too.

Non-initial fragments are still used in DDoS attacks - either explicitly, or implicitly as part of reflection/amplification attack traffic.  But fragmentation itself is not a security issue.

----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

                   Equo ne credite, Teucri.

    		   	  -- Laocoön
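
Added example, not part of the original message: a defender-side sketch that classifies IPv4 packets as unfragmented, initial fragment or non-initial fragment from the flags/fragment-offset field, then counts non-initial fragments per destination, as one might when looking at reflection/amplification traffic. The packets and addresses are constructed samples, and the function names are hypothetical.

```python
import struct
from collections import Counter

def build_ipv4(src, dst, proto, ident, mf, frag_off_bytes, payload_len):
    """Build a constructed IPv4 header plus dummy payload (checksum left at 0)."""
    flags_frag = (0x2000 if mf else 0) | (frag_off_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, 64, proto, 0,
                      bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + b"\x00" * payload_len

def classify(packet):
    """Return 'unfragmented', 'initial' or 'non-initial' for an IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    flags_frag = struct.unpack_from("!H", packet, 6)[0]
    more_fragments = bool(flags_frag & 0x2000)   # MF bit
    offset = (flags_frag & 0x1FFF) * 8           # field is in 8-byte units
    if offset > 0:
        # Non-initial fragment: carries no UDP/TCP header, so port-based
        # filters and flow records cannot see source or destination ports.
        return "non-initial"
    return "initial" if more_fragments else "unfragmented"

def non_initial_by_dst(packets):
    """Count non-initial fragments per destination address."""
    counts = Counter()
    for p in packets:
        if classify(p) == "non-initial":
            counts[".".join(str(b) for b in p[16:20])] += 1
    return counts

# Constructed sample: one large UDP response split into three fragments
# (as a big DNS answer would be), plus one small unfragmented datagram.
SAMPLE = [
    build_ipv4("192.0.2.53", "198.51.100.10", 17, 1, True, 0, 1480),
    build_ipv4("192.0.2.53", "198.51.100.10", 17, 1, True, 1480, 1480),
    build_ipv4("192.0.2.53", "198.51.100.10", 17, 1, False, 2960, 1136),
    build_ipv4("192.0.2.7", "198.51.100.20", 17, 2, False, 0, 64),
]

if __name__ == "__main__":
    for dst, n in non_initial_by_dst(SAMPLE).items():
        print(f"{dst}: {n} non-initial fragments")
```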




