On 4. 9. 2013, at 16:33, Stephane Bortzmeyer <[email protected]> wrote:
> On Wed, Sep 04, 2013 at 04:04:13PM +0200,
>  Ondřej Surý <[email protected]> wrote
>  a message of 93 lines which said:
>
>>> Isn't it a good idea to limit the maximum size of the response,
>>> like .com/.net (and maybe other TLD: examples welcome) do? This
>>> will make the attack more difficult.
>>
>> That could work, but what EDNS0 buffer size to pick?
>
> .com/.net does it apparently around 1400 bytes, which certainly covers
> the vast majority of Internet paths.

But they have 1400 with fragmentation allowed, right? That doesn't really answer the question, does it?

>> And how to push this to end users?
>
> Why? They don't need it (otherwise, .com would not work and we would
> have noticed :-)

Err, I meant DNS server operators (I guess I was writing it with my DNS vendor hat on).

>> We are currently looking at our DNS data for fragments (and their
>> sizes), so it might give us some hints.
>
> Check also ICMP "packet too big" coming in with ridiculous sizes, they
> might be the sign that someone is trying the Shulman attack.

True, but again, that might work for us, but not for average DNS operator.

O.
--
Ondřej Surý -- Chief Science Officer
-------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Americka 23, 120 00 Praha 2, Czech Republic
mailto:[email protected] http://nic.cz/
tel:+420.222745110 fax:+420.222745112
-------------------------------------------
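The "ICMP packet too big with ridiculous sizes" heuristic suggested in the quoted reply, worked out as an added example; this is not code from the thread, from CZ.NIC or from any DNS vendor. It parses raw ICMPv4 "Fragmentation Needed" (type 3, code 4, RFC 1191) and ICMPv6 "Packet Too Big" (type 2, RFC 4443) messages, pulls out the advertised next-hop MTU, checks whether the quoted original datagram was UDP to or from port 53, and flags MTUs that no real path would report. The floors (576 for IPv4, 1280 for IPv6), the 1500-byte interface MTU and all sample packets are constructed assumptions for the demonstration, not values from the discussion.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Operational thresholds (assumptions for this example): a "packet too big"
# asking us to shrink below these is not something a genuine path produces.
IPV4_MIN_PLAUSIBLE_MTU = 576   # RFC 791: every IPv4 host must accept 576-byte datagrams
IPV6_MIN_LINK_MTU = 1280       # RFC 8200: no IPv6 link may have a smaller MTU


@dataclass
class PtbEvent:
    family: str        # "ipv4" or "ipv6"
    mtu: int           # next-hop MTU the ICMP message asks the sender to honour
    dns_related: bool  # quoted original datagram was UDP with port 53 on either side
    verdict: str       # "ok" or a short reason the message looks bogus


def _udp_ports(inner: bytes, l4_offset: int):
    """(src, dst) UDP ports from the quoted original datagram, or None if truncated."""
    if len(inner) < l4_offset + 4:
        return None
    return struct.unpack("!HH", inner[l4_offset:l4_offset + 4])


def _inner_is_dns_udp_v4(inner: bytes) -> bool:
    if len(inner) < 20:
        return False
    ihl = (inner[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = inner[9]                     # protocol field: 17 = UDP
    ports = _udp_ports(inner, ihl)
    return proto == 17 and ports is not None and 53 in ports


def _inner_is_dns_udp_v6(inner: bytes) -> bool:
    if len(inner) < 40:
        return False
    next_header = inner[6]               # IPv6 next-header field: 17 = UDP
    ports = _udp_ports(inner, 40)
    return next_header == 17 and ports is not None and 53 in ports


def _verdict(mtu: int, floor: int, iface_mtu: int) -> str:
    if mtu < floor:
        return f"mtu {mtu} below plausible floor {floor}"
    if mtu >= iface_mtu:
        return f"mtu {mtu} does not reduce path MTU below interface MTU {iface_mtu}"
    return "ok"


def classify_icmpv4(payload: bytes, iface_mtu: int = 1500) -> Optional[PtbEvent]:
    """ICMPv4 type 3 / code 4 'Fragmentation Needed': next-hop MTU sits in bytes 6-7."""
    if len(payload) < 8:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", payload[:8])
    if icmp_type != 3 or code != 4:
        return None
    return PtbEvent("ipv4", mtu, _inner_is_dns_udp_v4(payload[8:]),
                    _verdict(mtu, IPV4_MIN_PLAUSIBLE_MTU, iface_mtu))


def classify_icmpv6(payload: bytes, iface_mtu: int = 1500) -> Optional[PtbEvent]:
    """ICMPv6 type 2 'Packet Too Big': MTU is the 32-bit field in bytes 4-7."""
    if len(payload) < 8:
        return None
    icmp_type, code, _csum, mtu = struct.unpack("!BBHI", payload[:8])
    if icmp_type != 2 or code != 0:
        return None
    return PtbEvent("ipv6", mtu, _inner_is_dns_udp_v6(payload[8:]),
                    _verdict(mtu, IPV6_MIN_LINK_MTU, iface_mtu))


def suspicious_dns_ptb(payloads: List[bytes]) -> List[PtbEvent]:
    """Keep only ICMPv4 messages that quote DNS/UDP traffic and carry a bogus MTU."""
    return [ev for ev in map(classify_icmpv4, payloads)
            if ev is not None and ev.dns_related and ev.verdict != "ok"]


# --- constructed sample messages (not captured traffic) ---
def _ipv4_udp_quote(sport: int, dport: int) -> bytes:
    # Minimal 20-byte IPv4 header (proto 17, documentation addresses) + 8 UDP bytes
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))
    return hdr + struct.pack("!HHHH", sport, dport, 8, 0)


def _icmpv4_frag_needed(mtu: int, inner: bytes) -> bytes:
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner


SAMPLES = [
    _icmpv4_frag_needed(1400, _ipv4_udp_quote(53, 40000)),   # plausible reduction
    _icmpv4_frag_needed(296, _ipv4_udp_quote(53, 40001)),    # ridiculous MTU
    _icmpv4_frag_needed(1500, _ipv4_udp_quote(53, 40002)),   # no reduction at all
    _icmpv4_frag_needed(1400, _ipv4_udp_quote(443, 40003)),  # not DNS, ignored
]

if __name__ == "__main__":
    for ev in suspicious_dns_ptb(SAMPLES):
        print(ev)
```

A real deployment would feed this from a packet capture on the authoritative server and additionally match the quoted inner header against traffic the server actually sent; an ICMP message that quotes a datagram the server never emitted is bogus regardless of the MTU it carries.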
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
