Date: Fri, 02 May 2014 22:30:10 -0700
From: Darren Pilgrim <list_freebsd@bluerosetech.com>
To: d@delphij.net, "Ronald F. Guilmette" <rfg@tristatelogic.com>, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp
Message-ID: <53647EE2.2010305@bluerosetech.com>
In-Reply-To: <5363FA70.9040100@delphij.net>
References: <3867.1399059743@server1.tristatelogic.com> <5363FA70.9040100@delphij.net>
On 5/2/2014 1:05 PM, Xin Li wrote:
> Blocking inbound IP fragments is generally a good safety measure, but
> keep in mind that doing so could break certain applications that do
> require it (e.g. don't be surprised if some users behind several layers
> of firewalls see blank pages from your website) and that needs to be
> taken into consideration.

They won't even get to the site in the first place. With EDNS, a very large DNS response over UDP is possible. On the wire, it's a single large UDP packet fragmented at the IP level. If you block fragments, you'll only get the first part of the UDP packet. Using a validating resolver pretty much guarantees you'll see such UDP packets regularly.
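The failure mode Darren describes, modelled as an added Python example (not code from the thread, from FreeBSD, or from any resolver): a large EDNS answer is one UDP datagram that IPv4 splits into fragments, a "block fragments" rule passes only the first piece, and a partial set never reassembles, so the resolver sees nothing. The last function also shows the resolver-side mitigation of advertising a smaller EDNS UDP buffer, so that an oversized answer is truncated (TC=1) and re-fetched over TCP instead of fragmenting. The 1232-byte buffer is the DNS flag day 2020 recommendation; the message sizes, MTU, and the firewall model (drop every non-first fragment) are constructed assumptions for illustration.

```python
"""
Added illustration, not part of the mailing-list message: a model of how a
large EDNS UDP answer fragments at the IP layer, what a fragment-blocking
firewall leaves behind, and how a smaller advertised EDNS buffer avoids
fragmentation by pushing the answer to TCP. Sizes are constructed samples.
"""
from dataclasses import dataclass
from typing import List, Tuple

IP_HEADER = 20    # IPv4 header without options
UDP_HEADER = 8


@dataclass
class Fragment:
    offset: int   # byte offset of this piece within the original datagram
    length: int   # payload bytes carried by this piece
    more: bool    # IPv4 "More Fragments" flag


def fragment(datagram_len: int, mtu: int) -> List[Fragment]:
    """Split a UDP datagram (header + data) into IPv4 fragments for an MTU.

    Every piece except the last carries a multiple of 8 payload bytes,
    because the IPv4 fragment offset field counts 8-byte units.
    """
    max_payload = (mtu - IP_HEADER) // 8 * 8
    pieces, offset = [], 0
    while offset < datagram_len:
        length = min(max_payload, datagram_len - offset)
        more = offset + length < datagram_len
        pieces.append(Fragment(offset, length, more))
        offset += length
    return pieces


def firewall_block_fragments(pieces: List[Fragment]) -> List[Fragment]:
    """Assumed model of a 'block IP fragments' rule: drop every non-first piece.

    Stricter rules also drop a first piece that has MF=1; this model keeps
    it, matching the reply's 'you'll only get the first part'.
    """
    return [p for p in pieces if p.offset == 0]


def reassembles(pieces: List[Fragment], datagram_len: int) -> bool:
    """True only if the pieces cover the whole datagram contiguously.

    A partial set waits in the reassembly queue until it times out, so the
    datagram never reaches the resolver at all.
    """
    ordered = sorted(pieces, key=lambda p: p.offset)
    if not ordered:
        return False
    expected = 0
    for p in ordered:
        if p.offset != expected:
            return False
        expected += p.length
    return expected == datagram_len and not ordered[-1].more


def server_reply(dns_len: int, edns_bufsize: int) -> Tuple[str, int]:
    """Simplified RFC 6891 server side: a DNS message that fits the client's
    advertised EDNS buffer goes out whole over UDP; a larger one is
    truncated (TC=1), which makes the client retry the query over TCP."""
    if dns_len <= edns_bufsize:
        return ("udp", UDP_HEADER + dns_len)
    return ("tcp", dns_len)


def lookup(dns_len: int, edns_bufsize: int, mtu: int, block_fragments: bool) -> str:
    """Outcome of one query as the resolver experiences it."""
    transport, wire_len = server_reply(dns_len, edns_bufsize)
    if transport == "tcp":
        return "answer via TCP"
    pieces = fragment(wire_len, mtu)
    if block_fragments:
        pieces = firewall_block_fragments(pieces)
    if reassembles(pieces, wire_len):
        return "answer via UDP"
    return "lost: reassembly never completes"


if __name__ == "__main__":
    # constructed scenario: a 3000-byte DNSSEC answer crossing a 1500-byte MTU
    # path behind a firewall that drops fragments, with two advertised buffers
    for bufsize in (4096, 1232):
        print(bufsize, lookup(3000, bufsize, 1500, block_fragments=True))
```

With a 4096-byte buffer the 3008-byte datagram becomes three fragments and the firewall strands the first one; with 1232 the server truncates and the resolver gets the same answer over TCP, which the fragment rule never touches. Answers that fit under the path MTU still arrive over UDP either way.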