large organization nameservers sending icmp packets to dns servers.

Patrick W. Gilmore patrick at
Thu Aug 9 01:17:53 UTC 2007

On Aug 8, 2007, at 6:20 PM, "william(at)" <william at>  

> On Tue, 7 Aug 2007, Donald Stahl wrote:
>>> All things being equal (which they're usually not) you could use the ACK
>>> response time of the TCP handshake if they've got TCP DNS resolution
>>> available. Though again most don't for security reasons...
>> Then most are incredibly stupid.
>> Several anti-DoS utilities force unknown hosts to initiate a query via TCP
>> in order to be whitelisted. If the host can't perform a TCP query then
>> they get blacklisted.
> How is that an "anti-DoS" technique when you actually need to return an
> answer via UDP in order to force the next request via TCP? Or is this
> technique based on the premise that an attacker will not spoof packets and
> thus will send a flood of DNS requests to the server from the same IP (set
> of IPs)? If so the result would be that the attacker could in fact use TCP
> just as well as UDP.

The anti-DDoS box sends back a UDP reply with the TC bit set and no data.
Which, I believe, violates the RFC. (But it is too hard to look up on my
iPhone. :)

If so, guess that makes those boxes 'stupid'.

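The exchange the thread is arguing about, as an added example that is not part of the original post and not code from any real anti-DDoS product: a front end answers an unknown UDP source with a reply that has QR and TC set and no records, a conforming resolver reacts to TC by repeating the query over TCP, and a source that completes the TCP query (which needs a finished handshake, so it cannot be blind-spoofed) is allowlisted. The names TcpProbeFilter, stub_resolver and demo, the exact allow policy, and the sample addresses and query names are assumptions chosen for illustration; the wire format follows RFC 1035. The example does not take a position on whether an empty TC reply is RFC-compliant, which the thread leaves open, but it does show the two points a practitioner would check: the TC reply is the same size as the query, so a spoofed flood reflected off the box gets no amplification, and a host that cannot reach TCP/53 never gets past it.

```python
"""Model of the 'force unknown hosts through TCP' anti-DoS trick from the thread.

Added example, not code from NANOG or from any real anti-DDoS product.
The names (TcpProbeFilter, stub_resolver, demo) and the exact allow/deny policy
are assumptions chosen for illustration; the DNS wire format is per RFC 1035.
"""
import struct

QR, TC, RD = 0x8000, 0x0200, 0x0100   # DNS header flag bits (RFC 1035 s4.1.1)


def encode_name(name):
    """Encode a dotted name as DNS labels, e.g. example.com -> \\x07example\\x03com\\x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(qid, qname, qtype=1):
    """Build a plain recursive query (RD=1, one question, no other sections)."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte DNS header into its flags and section counts."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "rd": bool(flags & RD), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def question_end(msg):
    """Offset just past the single question section (labels + QTYPE + QCLASS)."""
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]          # uncompressed labels only: fine for a query we built
    return i + 1 + 4


def truncated_reply(query):
    """The reply the anti-DoS box sends: QR=1, TC=1, question echoed, no records.

    It is the same size as the query, so a spoofed flood gets no amplification,
    and a conforming resolver reacts to TC by retrying the query over TCP.
    """
    h = parse_header(query)
    flags = QR | TC | (RD if h["rd"] else 0)
    header = struct.pack("!HHHHHH", h["id"], flags, 1, 0, 0, 0)
    return header + query[12:question_end(query)]


class TcpProbeFilter:
    """Front end in front of the real nameserver (hypothetical, simplified).

    Unknown UDP sources get a truncated empty reply instead of being forwarded.
    A source that completes a TCP query (which needs a finished 3-way handshake,
    so it can't be blind-spoofed) is allowlisted for later UDP queries.
    """

    def __init__(self):
        self.allow = set()
        self.bytes_sent_to = {}     # how much we sent back to each source

    def on_udp(self, src, query):
        if src in self.allow:
            return "forward", None
        reply = truncated_reply(query)
        self.bytes_sent_to[src] = self.bytes_sent_to.get(src, 0) + len(reply)
        return "reply", reply

    def on_tcp(self, src, query):
        self.allow.add(src)         # the handshake proved src is really there
        return "forward", None


def stub_resolver(filt, src, qname, qid, can_tcp=True):
    """Client side: send over UDP, and on TC retry over TCP (RFC 1035 behaviour).

    Returns which transport finally got the query forwarded, or "blocked" for a
    host that cannot speak TCP/53 (the case the thread calls 'blacklisted').
    """
    q = build_query(qid, qname)
    action, reply = filt.on_udp(src, q)
    if action == "forward":
        return "udp"
    h = parse_header(reply)
    assert h["qr"] and h["tc"] and h["ancount"] == 0 and h["id"] == qid
    if not can_tcp:
        return "blocked"
    filt.on_tcp(src, q)
    return "tcp"


def demo():
    """Three constructed scenarios: a real resolver, its second query, a spoofer."""
    f = TcpProbeFilter()
    first = stub_resolver(f, "192.0.2.10", "example.com", 0x1234)     # "tcp"
    second = stub_resolver(f, "192.0.2.10", "example.com", 0x1235)    # "udp"
    # Attacker spoofs the victim 203.0.113.7 as source 1000 times; the victim
    # never retries over TCP, so it is never allowlisted and gets only TC replies.
    for i in range(1000):
        stub_resolver(f, "203.0.113.7", "example.com", i, can_tcp=False)
    qlen = len(build_query(0, "example.com"))
    amplification = f.bytes_sent_to["203.0.113.7"] / (1000 * qlen)   # 1.0
    return first, second, amplification


if __name__ == "__main__":
    print(demo())
```

Running demo() returns ("tcp", "udp", 1.0): the real resolver is forwarded after one TCP round trip and stays allowlisted, while the reflected traffic toward the spoofed victim is byte-for-byte the size of the attacker's queries. What the model cannot show is the thread's other objection: an attacker who does not spoof and is willing to complete the handshake gets allowlisted like anyone else, so this gate stops blind UDP floods, not a TCP-capable flood from real addresses.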

More information about the NANOG mailing list