[98422] in North American Network Operators' Group
Re: large organization nameservers sending icmp packets to dns servers.
daemon@ATHENA.MIT.EDU (Adrian Chadd)
Wed Aug 8 12:24:13 2007
Date: Thu, 9 Aug 2007 00:10:23 +0800
From: Adrian Chadd <adrian@creative.net.au>
To: Jamie Bowden <jamie@photon.com>
Cc: Steve Gibbard <scg@gibbard.org>, Nanog <nanog@nanog.org>
In-Reply-To: <70EC72941042AA48ABE651C40408D9C985DE@hal.photon.com>
Errors-To: owner-nanog@merit.edu
On Wed, Aug 08, 2007, Jamie Bowden wrote:
>
> Forgive my broken formatting, but LookOut (it's Microsoft!) is what we
> use, period.
>
> I have a question related to what you posted below, and it's a pretty
> simple one:
>
> How is answering a query on TCP/53 any MORE dangerous than answering it
> on UDP/53? Really. I'd like to know how one of these security nitwits
> justifies it. It's the SAME piece of software answering the query
> either way.
I'd hazard a guess and say something like "TCP state complexity > UDP state
complexity", and that possibly leads to a potential DoS.
But then, there's also stuff like stateful firewalls which can more
aggressively time out UDP flows (and not break DNS ones, since they're
not exactly long-lived!) but die under large TCP loads. And TCP
takes CPU to set up/tear down, and requires client-side state.
Adrian
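The "client-side state" point above is concrete in the wire format: a UDP/53 datagram is one DNS message, while TCP/53 carries a stream of messages each prefixed with a 2-byte length (RFC 1035, section 4.2.2), so a TCP peer has to buffer partial messages per connection. The following is an added illustration, not code from this thread; the function and class names are my own.

```python
import struct

def build_dns_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query (RFC 1035): 12-byte header + one question.
    The message bytes are identical whether sent over UDP/53 or TCP/53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN
    return header + question

def frame_for_tcp(msg: bytes) -> bytes:
    """TCP/53 framing: 2-byte big-endian length, then the message.
    Over UDP/53 the datagram boundary does this job and no prefix is sent."""
    return struct.pack("!H", len(msg)) + msg

class TcpDnsFramer:
    """Per-connection receive state a TCP/53 endpoint must keep: a buffer that
    may hold a partial message, or several messages, after any single read."""
    def __init__(self):
        self.buf = b""

    def feed(self, chunk: bytes) -> list:
        """Append bytes from the stream; return every complete message now available."""
        self.buf += chunk
        out = []
        while len(self.buf) >= 2:
            (n,) = struct.unpack("!H", self.buf[:2])
            if len(self.buf) < 2 + n:
                break  # incomplete message: keep state until more bytes arrive
            out.append(self.buf[2:2 + n])
            self.buf = self.buf[2 + n:]
        return out

def demo() -> tuple:
    """Two queries on one TCP connection, delivered in 7-byte segments (constructed
    input). Returns (messages reassembled correctly?, bytes still buffered)."""
    q1 = build_dns_query("example.com")
    q2 = build_dns_query("nanog.org", txid=0x5678)
    stream = frame_for_tcp(q1) + frame_for_tcp(q2)
    framer, got = TcpDnsFramer(), []
    for i in range(0, len(stream), 7):
        got.extend(framer.feed(stream[i:i + 7]))
    return got == [q1, q2], len(framer.buf)

if __name__ == "__main__":
    print(demo())
```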