large organization nameservers sending icmp packets to dns servers.
Patrick W. Gilmore
patrick at ianai.net
Thu Aug 9 01:17:53 UTC 2007
On Aug 8, 2007, at 6:20 PM, "william(at)elan.net" <william at elan.net> wrote:

> On Tue, 7 Aug 2007, Donald Stahl wrote:
>
>>> All things being equal (which they're usually not) you could use the ACK
>>> response time of the TCP handshake if they've got TCP DNS resolution
>>> available. Though again most don't for security reasons...
>> Then most are incredibly stupid.
>>
>> Several anti DoS utilities force unknown hosts to initiate a query
>> via TCP in order to be whitelisted. If the host can't perform a TCP
>> query then they get blacklisted.
>
> How is that an "anti DoS" technique when you actually need to return an
> answer via UDP in order to force next request via TCP? Or is this technique
> based on premise that an attacker will not spoof packets and thus will send
> flood of DNS requests to server from same IP (set of ips)? If so the result
> would be that attacker could in fact use TCP just as well as UDP.
The anti-ddos box sends back a UDP reply with the TCP bit sent and no
data. Which, I believe, violates the RFC. (But it is too hard to look
up on my iPhone. :)
If so, guess that makes those boxes 'stupid'.
--
TTFN,
patrick
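The mechanism Patrick describes (a UDP reply carrying only the header and question, with the truncation bit set, so that a conforming resolver re-asks over TCP) is easy to see on the wire. The following is an added illustration, not code from the thread or from any of the products discussed: it builds a constructed query, produces the empty truncated reply an anti-DoS front end would send, and shows the decision a resolver takes on receipt. Function names (`build_query`, `make_truncated_reply`, `parse_header`, `next_step`) and the transaction ID are assumptions for the example.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
QR = 0x8000  # response
TC = 0x0200  # truncated
RD = 0x0100  # recursion desired

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS query (QR=0, RD=1, one question). Sample input, not captured traffic."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)  # QCLASS IN

def question_section(msg: bytes) -> bytes:
    """Return the encoded question (QNAME + QTYPE + QCLASS) of a message with QDCOUNT=1."""
    pos = 12
    while msg[pos] != 0:          # walk the labels to the terminating zero
        pos += 1 + msg[pos]
    pos += 1                      # skip the zero label
    return msg[12:pos + 4]        # include QTYPE and QCLASS

def make_truncated_reply(query: bytes) -> bytes:
    """The anti-DoS front end's answer: same ID and question, QR=1, TC=1, no answer records."""
    txid, flags = struct.unpack("!HH", query[:4])
    reply_flags = QR | TC | (flags & RD)  # keep the client's RD bit, RCODE=0
    header = struct.pack("!HHHHHH", txid, reply_flags, 1, 0, 0, 0)
    return header + question_section(query)

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into its fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def next_step(query: bytes, reply: bytes) -> str:
    """What a resolver does with a UDP reply: 'ignore', 'retry-tcp', or 'accept'."""
    h = parse_header(reply)
    if h["id"] != struct.unpack("!H", query[:2])[0] or not h["qr"]:
        return "ignore"       # wrong transaction ID, or not a response at all
    if h["tc"]:
        return "retry-tcp"    # RFC 1035 section 4.2.1: truncated, re-ask over TCP
    return "accept"

if __name__ == "__main__":
    q = build_query("example.com.")
    r = make_truncated_reply(q)
    print(parse_header(r))
    print(next_step(q, r))    # retry-tcp
```

The point of the exchange is visible in `make_truncated_reply`: the UDP reply is addressed to whatever source the query claimed, so a spoofed source never sees it and never completes the TCP handshake, while a real client retries over TCP and can be whitelisted. The reply carries the question but no answer, which is what the RFC-conformance question in the message turns on.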