North American Network Operators Group
Re: large organization nameservers sending icmp packets to dns servers.
- From: Patrick W. Gilmore
- Date: Wed Aug 08 21:27:00 2007
On Aug 8, 2007, at 6:20 PM, "william(at)elan.net" <[email protected]> wrote:
> On Tue, 7 Aug 2007, Donald Stahl wrote:
> > > All things being equal (which they're usually not) you could use the ACK response time of the TCP handshake if they've got TCP DNS resolution available. Though again most don't for security reasons...
> > Then most are incredibly stupid.
> > Several anti DoS utilities force unknown hosts to initiate a query via TCP in order to be whitelisted. If the host can't perform a TCP query then they get blacklisted.
> How is that an "anti DoS" technique when you actually need to return an answer via UDP in order to force the next request via TCP? Or is this technique based on the premise that an attacker will not spoof packets and thus will send a flood of DNS requests to the server from the same IP (set of IPs)? If so, the result would be that the attacker could in fact use TCP just as well as UDP.
The anti-ddos box sends back a UDP reply with the TCP bit sent and no data. Which, I believe, violates the RFC. (But it is too hard to look up on my iPhone. :)

If so, guess that makes those boxes 'stupid'.
--
TTFN,
patrick
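The forced-TCP mechanism discussed in this thread, as an added example that is not part of any message above: it builds the empty reply with the TC bit set in RFC 1035 wire format, plus the client-side check a resolver uses to decide it must re-ask over TCP (the handshake is what a spoofed UDP source cannot complete). The query bytes are constructed for the example.

```python
import struct

# Constructed sample query: ID 0x1234, RD=1, one question for example.com A/IN.
SAMPLE_QUERY = (
    b"\x12\x34"                  # ID
    b"\x01\x00"                  # flags: QR=0, RD=1
    b"\x00\x01"                  # QDCOUNT=1
    b"\x00\x00\x00\x00\x00\x00"  # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x07example\x03com\x00"    # QNAME
    b"\x00\x01\x00\x01"          # QTYPE=A, QCLASS=IN
)

QR = 0x8000  # response flag
TC = 0x0200  # truncation flag (RFC 1035: "message was truncated")
RD = 0x0100  # recursion desired, copied from the query

def question_length(msg):
    """Byte length of the question section (all QDCOUNT entries) after the header."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    pos = 12
    for _ in range(qdcount):
        while True:               # walk labels until the root label or a pointer
            label_len = msg[pos]
            if label_len == 0:
                pos += 1
                break
            if label_len & 0xC0:  # compression pointer is 2 bytes and ends the name
                pos += 2
                break
            pos += 1 + label_len
        pos += 4                  # QTYPE + QCLASS
    return pos - 12

def truncated_reply(query):
    """Build the data-less UDP reply the thread describes: same ID and question,
    QR=1, TC=1, RD copied, zero answer/authority/additional records."""
    qid = query[0:2]
    qflags, qdcount = struct.unpack("!HH", query[2:6])
    flags = QR | TC | (qflags & RD)
    header = qid + struct.pack("!HHHHH", flags, qdcount, 0, 0, 0)
    return header + query[12:12 + question_length(query)]

def should_retry_over_tcp(reply):
    """Resolver side: a response with TC set must be repeated over TCP."""
    flags = struct.unpack("!H", reply[2:4])[0]
    return bool(flags & QR) and bool(flags & TC)
```

Only a client that really owns the source address can complete the TCP handshake for the retry, which is the whole basis of the whitelisting William asks about; the RFC question Patrick raises (TC on a reply that was never actually truncated) is left as he states it.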