[dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

Roland Dobbins rdobbins at arbor.net
Sat Sep 13 15:22:29 UTC 2014

On Sep 13, 2014, at 9:47 PM, Harald Koch <chk at pobox.com> wrote:

> In the 1990s fragmentation-based attacks against IP stacks were very real, it took a long time for vendors to fix their stacks completely, and longer to get fixes deployed; we didn't have the "patch everything monthly" culture firmly established yet.

I remember that time well.  The issue wasn't fragmentation, but rather stack implementation.  There were ways to ameliorate it, too.

Non-initial fragments are still used in DDoS attacks - either explicitly, or implicitly as part of reflection/amplification attack traffic.  But fragmentation itself is not a security issue.

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

                   Equo ne credite, Teucri.

    		   	  -- Laocoön

More information about the dns-operations mailing list