[98453] in North American Network Operators' Group
RE: large organization nameservers sending icmp packets to dns
daemon@ATHENA.MIT.EDU (william(at)elan.net)
Wed Aug 8 18:43:23 2007
Date: Wed, 8 Aug 2007 15:20:56 -0700 (PDT)
From: "william(at)elan.net" <william@elan.net>
To: Donald Stahl <don@calis.blacksun.org>
cc: "Jason J. W. Williams" <williamsjj@digitar.com>, Valdis.Kletnieks@vt.edu,
John Levine <johnl@iecc.com>, nanog@nanog.org
In-Reply-To: <20070807141140.X95357@calis.blacksun.org>
Errors-To: owner-nanog@merit.edu
On Tue, 7 Aug 2007, Donald Stahl wrote:
>> All things being equal (which they're usually not) you could use the ACK
>> response time of the TCP handshake if they've got TCP DNS resolution
>> available. Though again most don't for security reasons...
> Then most are incredibly stupid.
>
> Several anti DoS utilities force unknown hosts to initiate a query via TCP in
> order to be whitelisted. If the host can't perform a TCP query then they get
> blacklisted.
How is that an "anti DoS" technique when you actually need to return an
answer via UDP in order to force the next request via TCP? Or is this technique
based on the premise that an attacker will not spoof packets and thus will send a
flood of DNS requests to the server from the same IP (set of IPs)? If so the result
would be that the attacker could in fact use TCP just as well as UDP.
--
William Leibzon
Elan Networks
william@elan.net
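The TCP-forcing scheme debated in this exchange, as an added Python sketch that is not from any list poster (the server class, the zone dictionary and the sample addresses are hypothetical): a UDP query from a source not yet seen over TCP is answered only with a truncated, answer-less reply (TC=1) the same size as the query, and a source that completes the query over TCP is whitelisted for later UDP answers.

```python
import struct
import socket

FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100

def encode_name(qname):
    """Wire-format DNS name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"

def build_query(qname, qid=0x1234):
    """Constructed sample input: a minimal A/IN query (12-byte header + question)."""
    return struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)

def parse_header(msg):
    """Return (id, flags, answer-count) from a DNS message header."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return qid, flags, an

class TcpGatedServer:
    """Hypothetical policy: unknown UDP sources get a truncated reply with no
    answer section; completing a query over TCP whitelists the source."""
    def __init__(self, zone):
        self.zone = zone          # qname -> IPv4 string (constructed test zone)
        self.whitelist = set()

    def handle(self, src_ip, msg, transport):
        qid, flags, _ = parse_header(msg)
        question = msg[12:]       # question section as received, echoed back
        if transport == "tcp":
            self.whitelist.add(src_ip)   # TCP handshake completed, so src_ip is not spoofed
        elif src_ip not in self.whitelist:
            # Truncated reply: header + question only, so it is no larger than the
            # query and carries no answer data toward a possibly spoofed source.
            return struct.pack("!HHHHHH", qid, FLAG_QR | FLAG_TC | FLAG_RD, 1, 0, 0, 0) + question
        return self.answer(qid, question)

    def answer(self, qid, question):
        labels, i = [], 0
        while question[i]:
            n = question[i]; labels.append(question[i + 1:i + 1 + n].decode()); i += n + 1
        ip = self.zone.get(".".join(labels))
        if ip is None:            # RCODE 3 = NXDOMAIN, still no answer section
            return struct.pack("!HHHHHH", qid, FLAG_QR | FLAG_RD | 3, 1, 0, 0, 0) + question
        # One A record; name is a compression pointer (0xC00C) to the question name.
        rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(ip)
        return struct.pack("!HHHHHH", qid, FLAG_QR | FLAG_RD, 1, 1, 0, 0) + question + rr
```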