Re: large organization nameservers sending icmp packets to dns servers.

["Patrick W. Gilmore" <patrick () ianai net>]

On Aug 8, 2007, at 6:20 PM, "william(at)elan.net" <william () elan net>  
wrote:

> On Tue, 7 Aug 2007, Donald Stahl wrote:
>
> > > All things being equal (which they're usually not) you could use  
> > > the ACK
> > > response time of the TCP handshake if they've got TCP DNS resolution
> > > available. Though again most don't for security reasons...
> > Then most are incredibly stupid.
> >
> > Several anti DoS utilities force unknown hosts to initiate a query  
> > via TCP in order to be whitelisted. If the host can't perform a TCP  
> > query then they get blacklisted.
>
> How is that an "anti DoS" technique when you actually need to return  
> an
> answer via UDP in order to force next request via TCP? Or is this  
> techinque
> based on premise that an attacker will not spoof packets and thus  
> will send
> flood of DNS requests to server from same IP (set of ips)? If so the  
> result
> would be that attacker could in fact use TCP just as well as UDP.

The anti-ddos box sends back a UDP reply with the TCP bit sent and no  
data. Which, I believe, violates the RFC. (But it is too hard to look  
up on my iPhone. :)

If so, guess that makes those boxes 'stupid'.

--
TTFN,
patrick