[98533] in North American Network Operators' Group


Re: large organization nameservers sending icmp packets to dns servers.

daemon@ATHENA.MIT.EDU (Chris L. Morrow)
Fri Aug 10 21:45:28 2007

Date: Sat, 11 Aug 2007 01:32:48 +0000 (GMT)
From: "Chris L. Morrow" <christopher.morrow@verizonbusiness.com>
In-reply-to: <20070809075532.GB19712@nic.fr>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: "william(at)elan.net" <william@elan.net>, nanog@nanog.org
Errors-To: owner-nanog@merit.edu

On Thu, 9 Aug 2007, Stephane Bortzmeyer wrote:

>
> On Wed, Aug 08, 2007 at 03:20:56PM -0700,
>  william(at)elan.net <william@elan.net> wrote
>  a message of 23 lines which said:
>
> > How is that an "anti DoS" technique when you actually need to return
> > an answer via UDP in order to force next request via TCP?
>
> Because there is no amplification: the UDP response packet can be very
> small.

Actually, because it forces authentication of the source (authentication
being that the source is a real-live host asking for dns services). Beyond
that trick, the devices I've seen/used also catalog the rates of queries
from individual hosts and force a cached answer to be generated locally if
the loads get too high (per source). Sorry this is a bit late to the
punch :)
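The two defenses discussed above, a small answer-less UDP reply that sends the client back over TCP (where the handshake proves the source address is real) and per-source query-rate tracking, as an added example that is not code from the thread or from any vendor's device. The message layout follows RFC 1035; the sliding-window tracker, the addresses, the limits and the choice to hand over-limit sources the truncated reply (rather than a locally cached answer) are assumptions made for illustration.

```python
import struct
from collections import defaultdict, deque

def build_query(qname, qtype=1, qid=0x1234, edns=False):
    """Constructed sample query (RD=1); optionally carries an empty EDNS0 OPT record."""
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0) if edns else b""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0) + question + opt

def question_end(msg):
    """Offset just past the first question (QNAME + QTYPE + QCLASS)."""
    i = 12
    while msg[i]:
        i += 1 + msg[i]
    return i + 5

def truncated_reply(query):
    """Answer-less reply with QR=1 and TC=1: the resolver must retry over TCP, and the
    three-way handshake authenticates the source. Only the header and the question are
    echoed, so the reply is never larger than the query (no amplification)."""
    qid, flags = struct.unpack("!HH", query[:4])
    reply_flags = 0x8000 | 0x0200 | (flags & 0x0100)  # QR | TC | copied RD
    return struct.pack("!HHHHHH", qid, reply_flags, 1, 0, 0, 0) + query[12:question_end(query)]

def full_reply(query, addr):
    """Normal authoritative answer with one A record (60 s TTL), for size comparison."""
    qid, flags = struct.unpack("!HH", query[:4])
    header = struct.pack("!HHHHHH", qid, 0x8400 | (flags & 0x0100), 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in addr.split("."))
    return header + query[12:question_end(query)] + rr

class SourceRateTracker:
    """Per-source sliding-window query counter (assumed design, not a vendor's)."""
    def __init__(self, limit, window):
        self.limit, self.window, self.seen = limit, window, defaultdict(deque)
    def allow(self, src, now):
        q = self.seen[src]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        q.append(now)
        return len(q) <= self.limit

def serve(query, src, now, tracker, addr="192.0.2.1"):
    """Return (reply, amplification); over-limit sources only get the TC reply."""
    reply = full_reply(query, addr) if tracker.allow(src, now) else truncated_reply(query)
    return reply, len(reply) / len(query)
```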
