On 5/2/2014 1:05 PM, Xin Li wrote:
> Blocking inbound IP fragments is generally a good safety measure, but keep in mind that doing so could break certain applications that do require it (e.g. don't be surprised if some users behind several layers of firewalls see blank pages from your website) and that needs to be taken into consideration.
They won't even get to the site in the first place. With EDNS, a very large DNS response over UDP is possible. On the wire, it's a single large UDP packet fragmented at the IP level. If you block fragments, you'll only get the first part of the UDP packet. Using a validating resolver pretty much guarantees you'll see such UDP packets regularly.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
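The failure mode described in the reply, worked through as an added example (not code from the thread or from FreeBSD): a constructed EDNS-sized DNS response is wrapped in a UDP datagram, split into IPv4 fragments per RFC 791, and passed through a model of a "block inbound fragments" rule that drops every packet with a non-zero fragment offset. Reassembly then fails and the receiving resolver sees only the DNS bytes that fit in the first fragment. The MTU of 1500, the advertised EDNS buffer size of 4096, the query name and the answer records are all constructed values; the parser handles only the fixed layout this generator produces. The second scenario shows the usual mitigation side: a response that fits in one unfragmented packet is unaffected by the rule, which is why resolvers and authoritative servers keep the EDNS buffer size below the path MTU (DNS Flag Day 2020 settled on 1232 bytes) and fall back to TCP on truncation.

```python
import struct

MTU = 1500            # assumed link MTU (constructed scenario)
IPV4_HDR = 20         # IPv4 header without options
UDP_HDR = 8
EDNS_UDP_SIZE = 4096  # assumed buffer size advertised in the OPT record


def build_dns_response(n_answers: int, qname: str = "example.com") -> bytes:
    """Constructed DNS response: header, one A question, n A answers that use a
    compression pointer to the question name, and an EDNS OPT pseudo-record."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, n_answers, 0, 1)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    question = name + struct.pack("!HH", 1, 1)               # QTYPE A, QCLASS IN
    answers = b"".join(
        b"\xc0\x0c"                                          # pointer to offset 12
        + struct.pack("!HHIH", 1, 1, 300, 4)                 # A, IN, TTL, RDLENGTH
        + bytes([10, 0, (i >> 8) & 0xFF, i & 0xFF])          # constructed 10.0.x.y
        for i in range(n_answers)
    )
    opt = b"\x00" + struct.pack("!HHIH", 41, EDNS_UDP_SIZE, 0, 0)
    return header + question + answers + opt


def udp_datagram(dns: bytes, sport: int = 53, dport: int = 40000) -> bytes:
    """UDP header (checksum left zero in this model) followed by the DNS payload."""
    return struct.pack("!HHHH", sport, dport, UDP_HDR + len(dns), 0) + dns


def fragment_ipv4(datagram: bytes, mtu: int = MTU):
    """RFC 791 fragmentation: list of (offset_bytes, more_fragments, data).
    Every non-final fragment carries a multiple of 8 bytes of data."""
    max_data = ((mtu - IPV4_HDR) // 8) * 8
    frags, off = [], 0
    while off < len(datagram):
        data = datagram[off:off + max_data]
        off += len(data)
        frags.append((off - len(data), off < len(datagram), data))
    return frags


def filter_noninitial_fragments(frags):
    """Model of a typical 'block fragments' rule: anything with a non-zero
    fragment offset is dropped; the offset-0 packet is passed through."""
    return [f for f in frags if f[0] == 0]


def reassemble(frags):
    """Return the whole datagram, or None if a piece (or the final piece) is missing."""
    buf, expected, final_seen = bytearray(), 0, False
    for off, mf, data in sorted(frags, key=lambda f: f[0]):
        if off != expected:
            return None
        buf += data
        expected = off + len(data)
        final_seen = final_seen or not mf
    return bytes(buf) if final_seen else None


def parse_answer_count(dns: bytes):
    """(ANCOUNT claimed in the header, answer records fully present in the buffer).
    Walks the question name, then counts complete resource records."""
    ancount = struct.unpack("!H", dns[6:8])[0]
    pos = 12
    while dns[pos] != 0:                     # skip question labels
        pos += 1 + dns[pos]
    pos += 1 + 4                             # root label, QTYPE, QCLASS
    complete = 0
    while complete < ancount and pos + 12 <= len(dns):
        rdlen = struct.unpack("!H", dns[pos + 10:pos + 12])[0]
        if pos + 12 + rdlen > len(dns):      # record cut off by the fragment boundary
            break
        pos += 12 + rdlen
        complete += 1
    return ancount, complete


def run_scenario(n_answers: int, mtu: int = MTU) -> dict:
    """Send one response through fragmentation and the fragment filter and report
    what a resolver behind that filter would actually receive."""
    dns = build_dns_response(n_answers)
    frags = fragment_ipv4(udp_datagram(dns), mtu)
    passed = filter_noninitial_fragments(frags)
    seen = reassemble(passed)
    # With reassembly impossible, the host only has the first fragment's bytes.
    dns_seen = seen[UDP_HDR:] if seen is not None else passed[0][2][UDP_HDR:]
    return {
        "dns_bytes": len(dns),
        "fragments": len(frags),
        "filtered_reassembled": seen is not None,
        "delivered_dns_bytes": len(dns_seen),
        "answers": parse_answer_count(dns_seen),
        "unfiltered_answers": parse_answer_count(reassemble(frags)[UDP_HDR:]),
    }


if __name__ == "__main__":
    for n in (200, 80):
        print(n, "answers:", run_scenario(n))
```

With 200 answers the 3240-byte response becomes three fragments; the filter lets only the first through, reassembly never completes, and the resolver is left holding 1472 bytes in which just 90 of the 200 advertised answers are intact (a validating resolver will also be missing the RRSIG data it needs). With 80 answers the response fits in a single 1328-byte packet, nothing is fragmented, and the same rule passes it untouched.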