large organization nameservers sending icmp packets to dns servers.

Patrick W. Gilmore patrick at ianai.net
Thu Aug 9 01:17:53 UTC 2007


On Aug 8, 2007, at 6:20 PM, "william(at)elan.net" <william at elan.net> wrote:

>
>
> On Tue, 7 Aug 2007, Donald Stahl wrote:
>
>>> All things being equal (which they're usually not) you could use the ACK
>>> response time of the TCP handshake if they've got TCP DNS resolution
>>> available. Though again most don't for security reasons...
>> Then most are incredibly stupid.
>>
>> Several anti DoS utilities force unknown hosts to initiate a query  
>> via TCP in order to be whitelisted. If the host can't perform a TCP  
>> query then they get blacklisted.
>
> How is that an "anti DoS" technique when you actually need to return an
> answer via UDP in order to force the next request via TCP? Or is this technique
> based on the premise that an attacker will not spoof packets and thus will send a
> flood of DNS requests to the server from the same IP (set of IPs)? If so the result
> would be that the attacker could in fact use TCP just as well as UDP.

The anti-ddos box sends back a UDP reply with the TCP bit sent and no  
data. Which, I believe, violates the RFC. (But it is too hard to look  
up on my iPhone. :)

If so, guess that makes those boxes 'stupid'.

-- 
TTFN,
patrick
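As an added illustration (not code from the thread or from any vendor's box), the exchange Patrick describes in Python: a UDP reply that echoes the question, has the truncation (TC) bit set and carries no records, and the resolver-side check that treats such a reply as the signal to resend the same question over TCP with the two-byte length prefix RFC 1035 section 4.2.2 requires. The query name and transaction ID are constructed sample values.

```python
import struct

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: header with RD set, one question (type A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(struct.pack("B", len(l)) + l.encode()
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def truncated_reply(query: bytes) -> bytes:
    """The reply style discussed above: same ID, QR=1, TC=1, RD copied,
    question section echoed, zero answer/authority/additional records."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    new_flags = 0x8000 | 0x0200 | (flags & 0x0100)   # QR | TC | RD
    header = struct.pack("!HHHHHH", txid, new_flags, qdcount, 0, 0, 0)
    return header + query[12:]                        # question unchanged

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into named fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rd": bool(flags & 0x0100), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def must_retry_over_tcp(query: bytes, reply: bytes) -> bool:
    """Resolver-side decision: the reply must match our transaction ID and
    echo our question (so a stray or spoofed datagram is ignored), be a
    response, and have TC set. Answer count is irrelevant: TC alone means
    the UDP answer is incomplete and the question is re-sent over TCP."""
    if len(reply) < len(query) or reply[12:len(query)] != query[12:]:
        return False
    h = parse_header(reply)
    return h["id"] == parse_header(query)["id"] and h["qr"] and h["tc"]

def tcp_framing(query: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(query)) + query
```

A source that only ever sends UDP never completes the TCP retry, which is the property the whitelisting boxes in the thread key on.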
