On Wed, Sep 04, 2013 at 04:04:13PM +0200, Ondřej Surý <[email protected]> wrote a message of 93 lines which said:
> > Isn't it a good idea to limit the maximum size of the response,
> > like .com/.net (and maybe other TLDs: examples welcome) do? This
> > will make the attack more difficult.
>
> That could work, but what EDNS0 buffer size to pick?

.com/.net does it apparently around 1400 bytes, which certainly covers
the vast majority of Internet paths.

> And how to push this to end users?

Why? They don't need it (otherwise, .com would not work and we would
have noticed :-)

> We are currently looking at our DNS data for fragments (and their
> sizes), so it might give us some hints.

Check also ICMP "packet too big" coming in with ridiculous sizes, they
might be the sign that someone is trying the Shulman attack.
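
As an added example that is not part of this thread, a small Python check that flags incoming ICMP "fragmentation needed" (IPv4) and ICMPv6 "packet too big" messages advertising implausibly small MTUs, the kind of signal suggested above. The ICMP samples are constructed, and the MTU floors (576 for IPv4, 1280 for IPv6) are assumptions chosen for this example.

```python
"""Flag ICMP PMTU messages that advertise implausibly small MTUs.
Sample payloads below are constructed for this example, not captured."""
import struct
from typing import Optional

# Floors below which an advertised MTU is suspicious (assumed values):
# IPv6 mandates a 1280-byte minimum link MTU (RFC 8200); for IPv4 we use
# 576, the minimum reassembly size every host must accept (RFC 791).
MTU_FLOOR = {4: 576, 6: 1280}


def parse_icmp_mtu(family: int, icmp: bytes) -> Optional[int]:
    """Return the MTU advertised by an ICMP PMTU message, or None if the
    payload is not a PMTU message of the given family (4 or 6)."""
    if len(icmp) < 8:
        return None
    icmp_type, code = icmp[0], icmp[1]
    if family == 4 and icmp_type == 3 and code == 4:
        # RFC 1191: Destination Unreachable / Fragmentation Needed,
        # next-hop MTU carried in bytes 6..7 of the ICMP header.
        return struct.unpack("!H", icmp[6:8])[0]
    if family == 6 and icmp_type == 2 and code == 0:
        # RFC 4443: Packet Too Big, MTU carried in bytes 4..7.
        return struct.unpack("!I", icmp[4:8])[0]
    return None


def is_suspicious_pmtu(family: int, icmp: bytes) -> bool:
    """True when the message is a PMTU message whose MTU is below the floor."""
    mtu = parse_icmp_mtu(family, icmp)
    return mtu is not None and mtu < MTU_FLOOR[family]


# Constructed samples: checksum left as zero, invoking-packet stub omitted.
SAMPLES = [
    ("v4 frag-needed mtu 296", 4, struct.pack("!BBHHH", 3, 4, 0, 0, 296)),
    ("v4 frag-needed mtu 1400", 4, struct.pack("!BBHHH", 3, 4, 0, 0, 1400)),
    ("v6 packet-too-big mtu 1280", 6, struct.pack("!BBHI", 2, 0, 0, 1280)),
    ("v6 packet-too-big mtu 552", 6, struct.pack("!BBHI", 2, 0, 0, 552)),
    ("v4 echo reply", 4, struct.pack("!BBHHH", 0, 0, 0, 1, 1)),
]


def scan(samples=SAMPLES):
    """Return the labels of samples that advertise a suspicious MTU."""
    return [label for label, fam, pkt in samples if is_suspicious_pmtu(fam, pkt)]


if __name__ == "__main__":
    for label in scan():
        print("suspicious:", label)
```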
