From owner-freebsd-security@FreeBSD.ORG Sat May 3 05:30:46 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id CA1E49DD for ; Sat, 3 May 2014 05:30:46 +0000 (UTC) Received: from luigi.brtsvcs.net (luigi.brtsvcs.net [IPv6:2607:fc50:1000:1f00::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A89D715F5 for ; Sat, 3 May 2014 05:30:46 +0000 (UTC) Received: from chombo.houseloki.net (unknown [IPv6:2601:7:880:bd0:21c:c0ff:fe7f:96ee]) by luigi.brtsvcs.net (Postfix) with ESMTPSA id 6E62C2D4F9F; Fri, 2 May 2014 22:30:44 -0700 (PDT) Received: from [IPv6:2601:7:2280:38b:30b3:c5a8:9939:130a] (unknown [IPv6:2601:7:2280:38b:30b3:c5a8:9939:130a]) by chombo.houseloki.net (Postfix) with ESMTPSA id 738A0D2C; Fri, 2 May 2014 22:30:41 -0700 (PDT) Message-ID: <53647EE2.2010305@bluerosetech.com> Date: Fri, 02 May 2014 22:30:10 -0700 From: Darren Pilgrim User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0 MIME-Version: 1.0 To: d@delphij.net, "Ronald F. Guilmette" , freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp References: <3867.1399059743@server1.tristatelogic.com> <5363FA70.9040100@delphij.net> In-Reply-To: <5363FA70.9040100@delphij.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 03 May 2014 05:30:46 -0000 On 5/2/2014 1:05 PM, Xin Li wrote: > Blocking inbound IP fragments is generally a good safety measure, but > keep in mind that doing so could break certain applications that do > require it (e.g. don't be surprised if some user behind several layers > of firewalls see blank pages from your website) and that needs to be > taken into consideration. They won't even get to the site in the first place. With EDNS, a very large DNS response over UDP is possible. On the wire, it's a single large UDP packet fragmented at the IP level. If you block fragments, you'll only get the first part of the UDP packet. Using a validating resolver pretty much guarantees you'll see such UDP packets regularly.