large organization nameservers sending icmp packets to dns servers.

• Previous message (by thread): large organization nameservers sending icmp packets to dns servers.
• Next message (by thread): large organization nameservers sending icmp packets to dns servers.
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Aug 08, 2007, Jamie Bowden wrote:
> 
> Forgive my broken formatting, but LookOut, it's Microsoft! Is what we
> use, period.
> 
> I have a question related to what you posted below, and it's a pretty
> simple one:
> 
> How is answering a query on TCP/53 any MORE dangerous than answering it
> on UDP/53?  Really.  I'd like to know how one of these security nitwits
> justifies it.  It's the SAME piece of software answering the query
> either way.

I'd hazard a guess and say something like "TCP state complexity > UDP state
complexity" and that possibly leading to a potential DoS.

But then, there's also stuff like stateful firewalls which can more
aggressively timeout UDP flows (and not break DNS ones, since they're
not exactly long-living!) but die under large TCP loads. And TCP
takes CPU to setup/teardown, and requires client-side state.




Adrian

• Previous message (by thread): large organization nameservers sending icmp packets to dns servers.
• Next message (by thread): large organization nameservers sending icmp packets to dns servers.
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]