In message <CADb+6TD6EMN7i9G99hPrhBh2ck-NwRqUuoQ1ubmnsHYN=ix...@mail.gmail.com>, Joel Maslak writes:
> On Wed, Jul 25, 2012 at 8:43 AM, John Kristoff <j...@cymru.com> wrote:
>
> > Some UDP applications will use zero as a source port when they do not
> > expect a response, which is how many one-way UDP-based apps operate,
> > though not all. This behavior is spelled out in the IETF RFC 768:
>
> That would only be applicable if the box was expecting to receive UDP
> and not send a response. I'm not sure I can think of anything but
> specialized, vertical applications that would have that behavior with
> port zero (syslog and SNMP traps send without expecting a response,
> but they don't use port zero in any implementation I've seen, and
> neither is generally allowed to be received from the internet at
> large).
>
> In addition to the fragments, these packets might also be non-TCP/UDP
> (ICMP, GRE, 6to4 and other IP-IP, etc). If the host doesn't expect to
> receive large UDP packets, you can block UDP fragments. Note that
> recursive DNS servers would need UDP fragments (well, if you want to
> do large DNS packets - if you set the right options, you can turn that
> off). But if you aren't generally providing UDP services, blocking
> UDP packets, especially to stop an attack, wouldn't hurt (you can also
> block anything with the MF bit set). If you block these fragments at
> your provider's router, and it is a DNS amplification attack, your
> problems are probably solved until the hacker figures it out. Just
> make sure you think of things like recursive DNS and other
> applications that may be using UDP fragments.
Actually *all* IPv6 nodes are supposed to support EDNS, so *all* IPv6 hosts
should be expecting to receive fragmented UDP for DNS. Add to that all
hosts that do DNSSEC validation in the stub resolver / application. With
DANE this will be any host with a web browser.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
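The two posts above disagree over which hosts can safely have UDP fragments dropped at the edge: Joel's filter (block fragments, the MF bit, and non-TCP/UDP protocols unless a host needs them) versus Mark's caveat that any resolver or DNSSEC-validating stub must still receive fragmented DNS responses. The script below is an added illustration, not code from either poster, that parses raw IPv4 headers and applies a small filter policy encoding that reasoning. It also shows the detail that makes fragment filtering awkward in practice: only the first fragment carries the UDP header, so a later fragment has no ports to match on and must be judged by IP and flags alone. All addresses, the FRAGMENT_OK_HOSTS allowlist and the sample packets are constructed for the example (RFC 5737 documentation ranges); checksums are left zero because nothing is transmitted.

```python
import struct
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# IANA protocol numbers for the protocols named in the thread
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_IPV6, IPPROTO_GRE = 1, 6, 17, 41, 47
MF_FLAG = 0x2000           # "more fragments" bit in the flags/fragment-offset field
FRAG_OFFSET_MASK = 0x1FFF  # fragment offset, in 8-octet units


@dataclass
class IPv4Packet:
    proto: int
    src: str
    dst: str
    more_fragments: bool
    frag_offset: int
    src_port: Optional[int]  # None when no transport header is visible
    dst_port: Optional[int]

    @property
    def is_fragment(self) -> bool:
        # Either the MF bit is set (not the last piece) or the offset is
        # non-zero (not the first piece); both mean "part of a fragmented datagram".
        return self.more_fragments or self.frag_offset != 0


def parse_ipv4(raw: bytes) -> IPv4Packet:
    """Decode the fixed IPv4 header and, for a first fragment, the transport ports."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _tlen, _ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    mf = bool(flags_frag & MF_FLAG)
    offset = flags_frag & FRAG_OFFSET_MASK
    src_port = dst_port = None
    # Only the first fragment (offset 0) carries the UDP/TCP header; later
    # fragments have no ports at all, so a port-based ACL can never match them.
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and offset == 0 and len(raw) >= ihl + 4:
        src_port, dst_port = struct.unpack("!HH", raw[ihl:ihl + 4])
    return IPv4Packet(proto, str(ipaddress.IPv4Address(src)),
                      str(ipaddress.IPv4Address(dst)), mf, offset, src_port, dst_port)


def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"",
               more_fragments: bool = False, frag_offset: int = 0) -> bytes:
    """Constructed packets for testing only; checksum is zero because they are never sent."""
    flags_frag = (MF_FLAG if more_fragments else 0) | (frag_offset & FRAG_OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def udp_header(sport: int, dport: int, length: int = 8) -> bytes:
    return struct.pack("!HHHH", sport, dport, length, 0)


# Hypothetical policy input: hosts that legitimately receive fragmented UDP
# (recursive resolvers and DNSSEC-validating stubs, per Mark's point).
FRAGMENT_OK_HOSTS = {"192.0.2.53"}


def edge_verdict(p: IPv4Packet) -> Tuple[str, str]:
    """Apply the thread's edge-filter reasoning; returns (verdict, reason)."""
    if p.proto not in (IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP):
        return "drop", f"protocol {p.proto} (GRE, IP-in-IP, ...) is not a service here"
    if p.is_fragment:
        if p.dst in FRAGMENT_OK_HOSTS:
            return "allow", "fragment to a host that expects large EDNS/DNSSEC responses"
        return "drop", "fragment (MF set or offset>0) to a host that does not expect large UDP"
    if p.proto == IPPROTO_UDP and p.src_port == 0:
        return "drop", "UDP source port 0: no local service expects a one-way sender"
    return "allow", "ordinary unfragmented packet"
```

Running the policy over a first and a second fragment of the same DNS response shows the point: the first fragment is recognisable as DNS (source port 53), the second is just "UDP, offset 185" with no ports, and both are dropped unless the destination is on the fragment allowlist.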