North American Network Operators Group
Re: large organization nameservers sending icmp packets to dns servers.
On Wed, Aug 08, 2007, Jamie Bowden wrote:
>
> Forgive my broken formatting, but LookOut, it's Microsoft! Is what we
> use, period.
>
> I have a question related to what you posted below, and it's a pretty
> simple one:
>
> How is answering a query on TCP/53 any MORE dangerous than answering it
> on UDP/53? Really. I'd like to know how one of these security nitwits
> justifies it. It's the SAME piece of software answering the query
> either way.

I'd hazard a guess and say something like "TCP state complexity > UDP state complexity" and that possibly leading to a potential DoS.

But then, there's also stuff like stateful firewalls which can more aggressively time out UDP flows (and not break DNS ones, since they're not exactly long-living!) but die under large TCP loads. And TCP takes CPU to setup/teardown, and requires client-side state.

Adrian
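As an added illustration of the UDP/53 versus TCP/53 point being argued above (this is editor-supplied example code, not something posted to the thread): the same DNS message is sent on both transports, the only wire-level difference being the 2-byte length prefix TCP framing requires, and a responder's TC (truncated) flag in a UDP reply is what tells a client it must retry over TCP. The query name and the truncated reply below are constructed sample data.

```python
import random
import struct

def build_query(qname, qtype=1, txid=None):
    """Build a minimal DNS query (RFC 1035 header + one question).
    qtype 1 = A, QCLASS 1 = IN. txid is randomised unless given."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # flags 0x0100: QR=0 (query), RD=1; one question, no other sections
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question

def frame_for_udp(msg):
    """On UDP/53 the message is the whole datagram, no extra framing."""
    return msg

def frame_for_tcp(msg):
    """On TCP/53 each message is preceded by a 2-byte big-endian length
    (RFC 1035 section 4.2.2) so the receiver can delimit it in the stream."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg):
    """Decode the 12-byte DNS header into its flag fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = response
        "tc": bool(flags & 0x0200),   # 1 = truncated, retry over TCP
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def needs_tcp_retry(udp_reply):
    """True when a UDP reply carries TC=1: the answer did not fit, and a
    resolver that cannot reach TCP/53 will never get the full response."""
    return parse_header(udp_reply)["tc"]

# Constructed sample: a UDP reply with QR=1, TC=1, RD=1, RA=1 (flags 0x8380)
# for txid 0x1234, one question and no answers (the answers were cut).
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + \
    build_query("example.com", txid=0x1234)[12:]
```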