Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp

Board: FB_security | Posted: 11 years ago (2014/05/03 13:32)
On 5/2/2014 1:05 PM, Xin Li wrote:
> Blocking inbound IP fragments is generally a good safety measure, but
> keep in mind that doing so could break certain applications that do
> require it (e.g. don't be surprised if some user behind several layers
> of firewalls see blank pages from your website) and that needs to be
> taken into consideration.

They won't even get to the site in the first place.

With EDNS, a very large DNS response over UDP is possible. On the wire, it's a single large UDP packet fragmented at the IP level. If you block fragments, you'll only get the first part of the UDP packet.

Using a validating resolver pretty much guarantees you'll see such UDP packets regularly.

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article ID (AID): #1JP7za_h (FB_security)
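The fragmentation described in the message above, modelled as an added example that is not part of the original post: it splits one UDP datagram into IPv4 fragments and applies a hypothetical filter that passes only the first fragment, showing that the resolver's socket then receives nothing for a large EDNS response while a small response is unaffected. The function names, the 1500-byte MTU and the 3000-byte response size are assumptions for illustration.

```python
"""Constructed model: IPv4 fragmentation of one large EDNS UDP response."""

IP_HEADER = 20   # IPv4 header without options (assumption)
UDP_HEADER = 8   # present only at the start of the datagram


def fragment(dns_payload_len, mtu=1500):
    """Split one UDP datagram into IPv4 fragments.

    Returns a list of (offset_bytes, data_len, more_fragments) tuples.
    """
    total = UDP_HEADER + dns_payload_len      # bytes carried inside IP
    # Every fragment except the last carries a multiple of 8 bytes,
    # because the IP fragment-offset field counts 8-byte units.
    per_frag = (mtu - IP_HEADER) // 8 * 8
    frags, offset = [], 0
    while offset < total:
        size = min(per_frag, total - offset)
        frags.append((offset, size, offset + size < total))
        offset += size
    return frags


def drop_later_fragments(frags):
    """Hypothetical filter: pass only packets whose fragment offset is 0."""
    return [f for f in frags if f[0] == 0]


def reassemble(frags):
    """Return the DNS payload length handed to the socket, or None when the
    datagram can never be completed and the IP layer discards it."""
    expected = 0
    for offset, size, more in sorted(frags):
        if offset != expected:
            return None                       # hole in the datagram
        expected += size
        if not more:
            return expected - UDP_HEADER      # complete datagram
    return None                               # last fragment never arrived


if __name__ == "__main__":
    for length in (512, 3000):                # constructed response sizes
        frags = fragment(length)
        print(length, "bytes of DNS ->", len(frags), "fragment(s)")
        print("  unfiltered :", reassemble(frags))
        print("  filtered   :", reassemble(drop_later_fragments(frags)))
```
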