[98460] in North American Network Operators' Group
Re: large organization nameservers sending icmp packets to dns servers.
daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Wed Aug 8 21:27:26 2007
From: "Patrick W. Gilmore" <patrick@ianai.net>
To: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.62.0708081516490.25471@sokol.elan.net>
Date: Wed, 8 Aug 2007 21:17:53 -0400
Errors-To: owner-nanog@merit.edu
On Aug 8, 2007, at 6:20 PM, "william(at)elan.net" <william@elan.net> wrote:
>
> On Tue, 7 Aug 2007, Donald Stahl wrote:
>
>>> All things being equal (which they're usually not) you could use the ACK
>>> response time of the TCP handshake if they've got TCP DNS resolution
>>> available. Though again most don't for security reasons...
>> Then most are incredibly stupid.
>>
>> Several anti DoS utilities force unknown hosts to initiate a query
>> via TCP in order to be whitelisted. If the host can't perform a TCP
>> query then they get blacklisted.
>
> How is that an "anti DoS" technique when you actually need to return an
> answer via UDP in order to force the next request via TCP? Or is this technique
> based on the premise that an attacker will not spoof packets and thus will send a
> flood of DNS requests to the server from the same IP (set of IPs)? If so, the result
> would be that the attacker could in fact use TCP just as well as UDP.
The anti-DDoS box sends back a UDP reply with the TCP bit set and no
data. Which, I believe, violates the RFC. (But it is too hard to look
up on my iPhone. :)
If so, guess that makes those boxes 'stupid'.
--
TTFN,
patrick
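The exchange the thread is arguing about, as an added example that is not code from the thread, from NANOG, or from any anti-DDoS product: a UDP query arrives, the box answers with a reply that copies the query's ID and question, sets QR and the TC (truncation) bit, and carries no resource records; a standard resolver treats TC as "the UDP answer is incomplete" and retries the same query over TCP (RFC 1035 section 4.2.1 defines the 512-byte UDP limit and the TC bit; TCP framing is section 4.2.2). The reply is built from the query alone, so it costs the box no lookup and no state, and a source that is spoofing its address never completes the TCP handshake, which is the only sense in which it blocks a spoofed flood; a non-spoofing attacker can of course retry over TCP, as William says. All function names and the query contents are hypothetical and constructed for this example; name compression is deliberately not handled.

```python
"""DNS "truncate-to-force-TCP" exchange modelled on the behaviour described
in the mail above. Added example, not code from the thread or any product.
All names are hypothetical; the sample query is constructed inline."""
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode an uncompressed name at off; returns (name, offset after it)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:  # compression pointer: queries from stub resolvers never use them
            raise ValueError("compression pointers not supported in this example")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", off


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Header (ID, flags with RD=1, QDCOUNT=1, AN/NS/AR=0) plus one question."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Split the 12-byte header into its fields (RFC 1035 section 4.1.1)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid, "qr": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
        "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
        "nscount": ns, "arcount": ar,
    }


def tc_only_reply(query: bytes) -> bytes:
    """What the mail says the box does on UDP: echo the question with QR=1 and
    TC=1 and zero answer/authority/additional records. Built from the query
    alone, so no lookup and no per-client state."""
    h = parse_header(query)
    if h["qr"] or h["qdcount"] != 1:
        raise ValueError("not a single-question query")
    _, qend = decode_name(query, 12)
    qend += 4  # QTYPE + QCLASS
    question = query[12:qend]
    flags = 0x8000 | 0x0200 | (0x0100 if h["rd"] else 0)  # QR, TC, copy RD
    return struct.pack("!HHHHHH", h["id"], flags, 1, 0, 0, 0) + question


def client_next_step(query: bytes, reply: bytes) -> str:
    """Resolver-side decision: a reply whose ID does not match, or that is
    not a response, is dropped; TC set means retry the query over TCP;
    otherwise the answer is accepted."""
    q, r = parse_header(query), parse_header(reply)
    if r["id"] != q["id"] or not r["qr"]:
        return "drop"
    if r["tc"]:
        return "retry-over-tcp"
    return "accept"


def tcp_framed(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a two-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")  # constructed sample query
    r = tc_only_reply(q)
    print(parse_header(r))
    print(client_next_step(q, r))
    print(tcp_framed(q).hex())
```

Running the block shows the reply is exactly the query's length (header plus question, nothing else) with qr, tc and rd set and all counts except qdcount zero; the client then reissues the same query bytes with the two-byte TCP length prefix, which a spoofed source cannot do because it never sees the SYN/ACK.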