On Sun, 26 Feb 2006, Joe Abley wrote:
As a temporary mitigation tool today, when the volume of legitimate, large-packet EDNS0 traffic is near-zero, blocking big 53/udp packets might *sound* reasonable. However, we all know how permanent
how are you certain that the udp/53 1500 byte packet is 'dns'? and not kazaa/gnutella/bittorrent/vpn-in-udp-53 ? It seems that filtering the TRAFFIC is short sighted on several fronts :( deciding if you will/won't be part of the global-recursive-dns-server 'problem' is entirely different though.
temporary filters can be. Crippling EDNS0 transport in the future seems like a very high price to pay for what might be a very temporary, short-term reduction in attack traffic.
seems like global tcp/139|tcp/445 filters, or bogon filters... bits put into configs 'now' and completely forgotten about 'tomorrow' :(