Hello, I believe that it is another serious attack against DNS protocol, or it may be against UDP/IP (especially IPv4).
So, we might set max-udp-size to 1220 for preventing UDP fragmentation.
And I know another "IPv6 Fragment Header Deprecated" I-D at IETF 6man WG.

BTW, sometimes I unofficially call the method as "DNS Aikora Kougeki" in Japanese. "Kougeki" means attacks and "Aikora" is Japanese slang, and it's described here.
<http://japanslangdictionary.appspot.com/cont?key=ikora>

Regards,

-- Orange

From: Ondřej Surý <[email protected]>
Date: Wed, 4 Sep 2013 15:08:55 +0200

> Hi all,
>
> for all those who haven't been on saag WG at IETF 88...
>
> Amir Herzberg and Haya Shulman have presented a quite interesting attack on
> UDP fragmentation that allows Kaminsky-style attacks to be real again.
>
> The saag presentation is here:
> http://www.ietf.org/proceedings/87/slides/slides-87-saag-3.pdf
>
> The paper describing the attack is here:
> http://arxiv.org/pdf/1205.4011v1.pdf
>
> More of Haya Shulman's publications can be found here:
> https://sites.google.com/site/hayashulman/publications
>
> And some papers are also available from Google Scholar:
> http://scholar.google.com/scholar?hl=en&q=Amir+Herzberg%2C+Haya+Shulman+++dnssec&btnG=&as_sdt=1%2C5&as_sdtp=
>
> We gave it some thought here at CZ.NIC Labs and we think that the threat is
> real and we are now trying to write a PoC code to prove the theoretical
> concept.
>
> So what are the views of other people on this list?
>
> Ondrej
> --
> Ondřej Surý -- Chief Science Officer
> -------------------------------------------
> CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
> Americka 23, 120 00 Praha 2, Czech Republic
> mailto:[email protected] http://nic.cz/
> tel:+420.222745110 fax:+420.222745112
> -------------------------------------------
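An added example, not part of either message above and not code from anyone on the thread: a check a defender could run over captured raw IPv4 packets to confirm that a setting such as max-udp-size 1220 has actually eliminated fragmented DNS responses. The function names, documentation addresses and sample packets are all constructed for this illustration.

```python
import struct

UDP, DNS_PORT = 17, 53
MF, OFFSET_MASK = 0x2000, 0x1FFF   # "more fragments" flag, 13-bit fragment offset

def ipv4(ident, data, mf=False, offset8=0):
    """Constructed IPv4 packet carrying UDP (documentation addresses, checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), ident,
                       (MF if mf else 0) | offset8, 64, UDP, 0,
                       bytes([192, 0, 2, 53]), bytes([198, 51, 100, 7])) + data

def udp(src, dst, payload):
    """UDP header (checksum 0) plus payload."""
    return struct.pack("!HHHH", src, dst, 8 + len(payload), 0) + payload

def classify(pkt):
    """Label one raw IPv4 packet by its fragmentation state."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != UDP:
        return "not-udp"
    ihl = (pkt[0] & 0x0F) * 4
    frag = struct.unpack("!H", pkt[6:8])[0]
    if frag & OFFSET_MASK:
        return "later-fragment"      # carries no UDP header, so ports cannot be checked
    if not frag & MF:
        return "whole"
    if len(pkt) < ihl + 2:
        return "first-fragment"
    src_port = struct.unpack("!H", pkt[ihl:ihl + 2])[0]
    return "first-fragment-dns" if src_port == DNS_PORT else "first-fragment"

def fragmented_idents(packets):
    """IP identification values of every fragmented UDP datagram seen."""
    return sorted({struct.unpack("!H", p[4:6])[0]
                   for p in packets if classify(p) not in ("not-udp", "whole")})

# Constructed sample: one small DNS response, one 1408-byte response split
# into two fragments at byte 1200 (offset 150 in 8-byte units), one NTP packet.
big = udp(DNS_PORT, 33333, b"\x00" * 1400)
SAMPLE = [
    ipv4(1, udp(DNS_PORT, 33333, b"\x00" * 500)),
    ipv4(2, big[:1200], mf=True),
    ipv4(2, big[1200:], offset8=150),
    ipv4(3, udp(123, 123, b"\x00" * 48)),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(classify(p))
    print("fragmented datagram IDs:", fragmented_idents(SAMPLE))
```

Only the first fragment carries the UDP header, so later fragments have to be tied back to a DNS response through the shared IP identification value rather than by port.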
