nanog mailing list archives

RE: large organization nameservers sending icmp packets to dns servers.

From: "william(at)elan.net" <william () elan net>
Date: Wed, 8 Aug 2007 15:20:56 -0700 (PDT)



On Tue, 7 Aug 2007, Donald Stahl wrote:

All things being equal (which they're usually not) you could use the ACK
response time of the TCP handshake if they've got TCP DNS resolution
available. Though again most don't for security reasons...
Then most are incredibly stupid.
Several anti DoS utilities force unknown hosts to initiate a query via TCP inorder to be whitelisted. If the host can't perform a TCP query then they getblacklisted.


How is that an "anti DoS" technique when you actually need to return an
answer via UDP in order to force next request via TCP? Or is this techinque
based on premise that an attacker will not spoof packets and thus will send
flood of DNS requests to server from same IP (set of ips)? If so the result
would be that attacker could in fact use TCP just as well as UDP.

--
William Leibzon
Elan Networks
william () elan net

Current thread:

RE: large organization nameservers sending icmp packets to dns servers., (continued)
- - - RE: large organization nameservers sending icmp packets to dns servers. Jamie Bowden (Aug 08)
    - Re: large organization nameservers sending icmp packets to dns servers. Adrian Chadd (Aug 08)
    - Re: large organization nameservers sending icmp packets to dns servers. Joe Abley (Aug 08)
    - Re: large organization nameservers sending icmp packets to dns servers. David Conrad (Aug 08)
    - Re: large organization nameservers sending icmp packets to dns servers. Doug Barton (Aug 09)
    - Re: large organization nameservers sending icmp packets to dns servers. Matthew Black (Aug 10)
    - Re: large organization nameservers sending icmp packets to dns servers. Chris L. Morrow (Aug 07)
    - RE: large organization nameservers sending icmp packets to dns servers. David Schwartz (Aug 07)
    - Re: large organization nameservers sending icmp packets to dns servers. Valdis . Kletnieks (Aug 07)
    - Re: large organization nameservers sending icmp packets to dns servers. Tony Finch (Aug 08)
    - RE: large organization nameservers sending icmp packets to dns servers. william(at)elan.net (Aug 08)
    - Re: large organization nameservers sending icmp packets to dns servers. Patrick W. Gilmore (Aug 08)
    - Re: large organization nameservers sending icmp packets to dns servers. Stephane Bortzmeyer (Aug 09)
    - Re: large organization nameservers sending icmp packets to dns servers. Chris L. Morrow (Aug 10)
    - Re: large organization nameservers sending icmp packets to dns servers. Duane Wessels (Aug 06)
    - Re: large organization nameservers sending icmp packets to dns servers. Steve Atkins (Aug 06)
    - Re: large organization nameservers sending icmp packets to dns servers. Valdis . Kletnieks (Aug 06)
  - Re: large organization nameservers sending icmp packets to dns servers. Leigh Porter (Aug 06)
    - Re: large organization nameservers sending icmp packets to dns servers. Owen DeLong (Aug 06)
    - Message not available
    - Re: large organization nameservers sending icmp packets to dns servers. Valdis . Kletnieks (Aug 06)
    - Re: large organization nameservers sending icmp packets to dns servers. Patrick W. Gilmore (Aug 06)

(Thread continues...)