This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-resolver-tf@ripe.net/
[dns-resolver-tf] DNS Resolver Recommendations
Hank Nussbacher
hank at interall.co.il
Wed May 1 15:27:20 CEST 2024
Hello.

Under the section discussing Ingress Filtering you failed to discuss the issue of fragment filtering. A very common and powerful DDoS attack is UDP fragment attack: https://ddos-guard.net/en/terms/ddos-attack-types/udp-fragmentation-flood

The common thing many ISPs as well as enterprises do to mitigate the attack is to block all fragments which on most servers has almost no effect. But on DNS and VPN servers, blocking fragments is fatal and therefore a warning needs to be put into the doc that UDP fragments should *never* be blocked to DNS servers - even when under fragment attack.

See: https://puck.nether.net/pipermail/cisco-nsp/2023-December/108992.html for further details.

Regards,
Hank
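The following is an added illustration of the point made in the message above; it is not code from the poster or from the RIPE task force document. It models a stateless ingress filter and shows why "drop all fragments" breaks a resolver that receives large (for example DNSSEC-sized) UDP answers, and why the obvious repair of exempting UDP port 53 does not work either: only the first IPv4 fragment carries the UDP header, so later fragments have no port to match on and must be exempted by the server's address instead. The addresses, sizes and packet records are constructed, and the fragmentation model is deliberately simplified to IPv4 header plus 8-byte-aligned payload chunks.

```python
"""Simulate a stateless 'drop all fragments' rule against DNS traffic.

Added example, not part of the original post. All addresses are constructed
(documentation ranges); 198.51.100.53 stands in for the resolver we must keep
reachable even while a fragment flood is under way.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

DNS_SERVER = "198.51.100.53"   # constructed: the resolver's address
MTU = 1500                     # link MTU that forces fragmentation of big answers


@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str              # "udp" or "tcp"
    frag_offset: int        # in 8-byte units; 0 for the first or an unfragmented packet
    more_fragments: bool    # IPv4 MF flag
    dport: Optional[int]    # None when no L4 header is present (non-initial fragment)
    label: str

    @property
    def is_fragment(self) -> bool:
        return self.frag_offset > 0 or self.more_fragments


def fragment(dst: str, dport: int, payload_len: int, label: str) -> List[Packet]:
    """Split one UDP datagram into IPv4-style fragments.

    Only the first fragment carries the UDP header, so every later fragment has
    dport=None: a port-based rule cannot recognise it as DNS traffic.
    """
    ip_hdr, udp_hdr = 20, 8
    chunk = (MTU - ip_hdr) // 8 * 8          # fragment payload is a multiple of 8 bytes
    total = udp_hdr + payload_len
    pkts: List[Packet] = []
    offset = 0
    while offset < total:
        last = offset + chunk >= total
        pkts.append(Packet(dst, "udp", offset // 8, not last,
                           dport if offset == 0 else None,
                           f"{label}#{len(pkts)}"))
        offset += chunk
    return pkts


Policy = Callable[[Packet], bool]            # True means the filter accepts the packet


def drop_all_fragments(p: Packet) -> bool:
    """The common ISP/enterprise mitigation: drop every fragment, everywhere."""
    return not p.is_fragment


def exempt_by_port(p: Packet) -> bool:
    """Naive repair: keep dropping fragments unless they are UDP/53.

    Fails because non-initial fragments have no UDP header to match."""
    if not p.is_fragment:
        return True
    return p.proto == "udp" and p.dport == 53


def exempt_dns_server(p: Packet) -> bool:
    """Working repair: exempt the DNS server's address before the fragment drop."""
    if p.dst == DNS_SERVER:
        return True
    return not p.is_fragment


def deliverable(pkts: List[Packet], policy: Policy) -> bool:
    """A fragmented datagram reassembles only if every fragment passes the filter."""
    return all(policy(p) for p in pkts)


def evaluate(policy: Policy) -> Dict[str, bool]:
    """Run three constructed flows through a policy and report what gets through."""
    dnssec_reply = fragment(DNS_SERVER, 53, 3900, "dnssec-answer")       # 3 fragments
    plain_query = [Packet(DNS_SERVER, "udp", 0, False, 53, "query")]     # fits in one packet
    flood_other = fragment("203.0.113.10", 443, 3000, "flood")           # constructed attack traffic
    return {
        "dns_unfragmented": deliverable(plain_query, policy),
        "dns_fragmented": deliverable(dnssec_reply, policy),
        "flood_to_web_host": deliverable(flood_other, policy),
    }


if __name__ == "__main__":
    for policy in (drop_all_fragments, exempt_by_port, exempt_dns_server):
        print(f"{policy.__name__:20s} {evaluate(policy)}")
```

Running the block shows that both the blanket drop and the port-based exemption lose the fragmented DNS answer, while exempting the resolver's address keeps it reachable and still discards fragment floods aimed at other hosts. The same address-based exemption is what a real ruleset needs, placed ahead of any generic fragment-drop rule.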