yarrick / iodine

Official git repo for iodine dns tunnel
https://code.kryo.se/iodine
ISC License

protect options from replay attack #22

Closed Masaq- closed 7 years ago

Masaq- commented 8 years ago

Trying to determine why long-running sessions inexplicably become slow, I ran tcpdump and found unsolicited DNS queries beginning with the letter N were severely reducing the downstream fragment size.

When using carrier-grade DNS, the server is especially vulnerable to replay attacks that abuse the options commands (DNS queries beginning with N or O or S). I suggest refusing options commands after the negotiation of options has completed.

Masaq- commented 8 years ago

The attacks continue. Google DNS periodically sends the command "naaajo" to my server. Presumably I set user 0 fragsize 151 in some previous session and something cached the command and is replaying it. Fortunately now my server has been patched and I have kept the same session running smoothly for days with user 0 fragsize 1258 locked in.

yarrick commented 7 years ago

Thanks!
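A minimal model of the mitigation suggested in this thread, refusing N, O and S option commands once negotiation has completed. It is an added example, not part of the thread and not iodine's code. The struct, function names, the explicit lock call and the constructed query name `nfresh` are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>

/* Hypothetical per-user state; not iodine's real structures. */
struct session {
    int fragsize;        /* downstream fragment size in force */
    int options_locked;  /* set once option negotiation is finished */
};

enum verdict { APPLIED, REFUSED, PASS };

/* The thread names N, O and S as option commands. The replayed query in
 * the thread is lowercase, so compare case-insensitively. */
static int is_options_cmd(const char *qname)
{
    int c = toupper((unsigned char)qname[0]);
    return c == 'N' || c == 'O' || c == 'S';
}

/* Assumption: the server calls this when it considers negotiation done. */
void lock_options(struct session *s) { s->options_locked = 1; }

/* new_fragsize stands in for the value decoded from an N query;
 * decoding is outside this sketch. */
enum verdict handle_query(struct session *s, const char *qname, int new_fragsize)
{
    if (!is_options_cmd(qname))
        return PASS;                 /* not an option command */
    if (s->options_locked)
        return REFUSED;              /* late or replayed: state untouched */
    if (toupper((unsigned char)qname[0]) == 'N')
        s->fragsize = new_fragsize;
    return APPLIED;
}

/* Constructed scenario using the sizes reported in the thread. */
int replay_demo(void)
{
    struct session s = { 0, 0 };
    handle_query(&s, "nfresh", 1258);  /* constructed name, live negotiation */
    lock_options(&s);
    handle_query(&s, "naaajo", 151);   /* cached query arriving later */
    return s.fragsize;
}

int main(void)
{
    printf("fragsize after replay: %d\n", replay_demo());
    return 0;
}
```

Because the refusal happens before any state is written, a cached query that a resolver re-sends later cannot shrink the fragment size of a running session.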