FreeBSD Security Advisory FreeBSD-SA-14:08.tcp

Darren Pilgrim list_freebsd at bluerosetech.com
Sat May 3 05:30:46 UTC 2014


On 5/2/2014 1:05 PM, Xin Li wrote:
> Blocking inbound IP fragments is generally a good safety measure, but
> keep in mind that doing so could break certain applications that do
> require it (e.g. don't be surprised if some users behind several layers
> of firewalls see blank pages from your website) and that needs to be
> taken into consideration.

They won't even get to the site in the first place.  With EDNS, a very 
large DNS response over UDP is possible.  On the wire, it's a single 
large UDP packet fragmented at the IP level.  If you block fragments, 
you'll only get the first part of the UDP packet.  Using a validating 
resolver pretty much guarantees you'll see such UDP packets regularly.
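The mechanics behind the point above, as an added worked example (editor's code, not part of the original message or of FreeBSD): it builds a DNS query carrying an EDNS0 OPT record that advertises a 4096-byte UDP payload size (RFC 6891), works out how a large DNSSEC-style reply gets split into IPv4 fragments at a 1500-byte MTU, and models what a host behind a fragment-dropping firewall actually receives. The response sizes and MTUs are constructed sample values; the 1232-byte figure is simply the largest DNS payload that fits an unfragmented IPv6 minimum-MTU packet (1280 - 40 - 8), which is why operators who cannot pass fragments cap the EDNS buffer size there and let the resolver fall back to TCP.

```python
import struct

IPV4_HEADER = 20
IPV6_HEADER = 40
UDP_HEADER = 8
OPT_TYPE = 41  # EDNS0 OPT pseudo-RR type (RFC 6891)


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name starting at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer, name ends here
            return off + 2
        off += 1 + length


def build_edns_query(name, qtype=1, bufsize=4096, do_bit=True):
    """Build a DNS query whose additional section holds an OPT RR advertising `bufsize`.
    A validating resolver sets the DO bit to ask for DNSSEC records, which is what
    makes replies large enough to fragment."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # id, RD flag, qd=1, ar=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # qtype, class IN
    # OPT RR: NAME=root, TYPE=41, CLASS=requestor's UDP payload size,
    # TTL=ext-rcode(8)|version(8)|flags(16) with DO=0x8000, RDLENGTH=0.
    ttl = 0x8000 if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, ttl, 0)
    return header + question + opt


def parse_edns_bufsize(msg):
    """Return the UDP payload size advertised by the OPT RR, or None if the message has no EDNS."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # qtype + qclass
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass  # CLASS field carries the payload size in an OPT RR
        off += 10 + rdlen
    return None


def max_unfragmented_dns_payload(mtu, ip_header=IPV4_HEADER):
    """Largest DNS message that fits in one IP packet of the given MTU without fragmentation."""
    return mtu - ip_header - UDP_HEADER


def ipv4_fragments(dns_len, mtu=1500):
    """Return (offset, length) of each IPv4 fragment carrying a UDP datagram of `dns_len` bytes.
    The UDP header rides only in the first fragment; all but the last fragment carry
    a multiple of 8 data bytes because the fragment offset field counts 8-byte units."""
    total = UDP_HEADER + dns_len
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8  # 1480 at MTU 1500
    frags, off = [], 0
    while off < total:
        n = min(per_fragment, total - off)
        frags.append((off, n))
        off += n
    return frags


def datagram_delivered(dns_len, mtu=1500, block_fragments=False):
    """Bytes the resolver's socket receives. A firewall that drops fragments leaves the
    receiving host with an incomplete reassembly queue that simply times out, so the
    application sees nothing at all, not a truncated message."""
    frags = ipv4_fragments(dns_len, mtu)
    if len(frags) > 1 and block_fragments:
        return 0
    return dns_len


if __name__ == "__main__":
    q = build_edns_query("example.com.", bufsize=4096)
    print("advertised EDNS buffer:", parse_edns_bufsize(q))
    for size in (512, 1232, 1472, 4000):  # constructed sample response sizes
        frags = ipv4_fragments(size)
        print(f"{size:5d}-byte reply -> {len(frags)} IPv4 packet(s), "
              f"delivered with fragments blocked: {datagram_delivered(size, block_fragments=True)}")
    print("fits IPv6 minimum MTU unfragmented:", max_unfragmented_dns_payload(1280, IPV6_HEADER))
```

The model ignores IPv6, where routers never fragment and the sender relies on Path MTU Discovery, and it treats "block fragments" as dropping anything with a non-zero offset or the MF flag; firewalls that drop only non-initial fragments leave the host in the same reassembly timeout.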
