On 2009/01/25 12:52, gwen hastings wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Stuart,
> yes I noticed that in pf.c the overload table routines are
> called from tcp only..

that is because UDP can easily be, and often is, forged. imagine an attacker sending packets with the source address of, say, a busy resolver at opendns or some large ISP. if you have some process that automatically blocks those packets, you have just DoS'd yourself. it's safer with TCP since blind spoofing is difficult: the attacker must be in the network path between you and the host they're imitating in order to gain access to sequence numbers. with UDP they just have to send crap with a bogus source address.

> sigh the udp dos attacks are getting annoying.
> will have to add something to tinydns to simply add the attacker to
> the bruteforce table.

what's that, req for "." with spoofed source addresses of isprime's nameservers? (see nanog). if so I'd just ignore it, tinydns won't be sending a reply anyway so it's just noise in the logs...
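The self-DoS the reply above warns about, as an added example that is not part of the original thread and not code from pf or tinydns: a toy sliding-window rate limiter modelled loosely on pf's `max-src-conn-rate N/S ... overload <table>` is fed constructed traffic records, once with a policy that counts UDP datagrams and once with the TCP-only policy pf actually uses. The addresses (198.51.100.53 standing in for a busy public resolver, 192.0.2.7 for a real brute-forcer, 203.0.113.9 for a legitimate DNS client), the record format and the rate limit of 5 events per 30 seconds are all assumptions made for the illustration.

```python
"""Toy model of an 'overload' block table fed by a rate limiter.

Added example, not from the original thread. It shows why a block table
must be fed only by TCP connections that completed the three-way
handshake: UDP (and unanswered TCP SYNs) carry no proof that the source
address is real, so an attacker can forge a victim's address into the
table.
"""
from collections import defaultdict, deque

# Constructed sample addresses (assumptions, documentation ranges only).
RESOLVER = "198.51.100.53"    # busy public resolver whose address is forged
BRUTEFORCER = "192.0.2.7"     # a real brute-forcer with completed handshakes
LEGIT_CLIENT = "203.0.113.9"  # an ordinary DNS client sending a few queries

# Constructed traffic. Each record is (time_s, proto, src, handshake_done).
# handshake_done is True only for TCP flows whose 3-way handshake finished,
# which is the only evidence in this model that src was not spoofed.
SAMPLE_RECORDS = (
    # real brute force: 20 completed TCP connections, one per second
    [(float(t), "tcp", BRUTEFORCER, True) for t in range(20)]
    # forged UDP flood: 50 packets carrying the resolver's address
    + [(t * 0.5, "udp", RESOLVER, False) for t in range(50)]
    # forged blind SYN flood from the same address; handshake never completes
    + [(t * 0.5, "tcp", RESOLVER, False) for t in range(50)]
    # legitimate UDP client: 10 queries spread over 90 seconds
    + [(t * 10.0, "udp", LEGIT_CLIENT, False) for t in range(10)]
)


class OverloadTable:
    """Sliding-window source rate limiter that feeds a block table.

    A source is added to `blocked` once more than max_events of its
    countable records fall within any window_s-second window.
    """

    def __init__(self, max_events=5, window_s=30.0, count_udp=False):
        self.max_events = max_events
        self.window_s = window_s
        self.count_udp = count_udp          # the dangerous policy switch
        self.history = defaultdict(deque)   # src -> timestamps in window
        self.blocked = set()

    def countable(self, proto, handshake_done):
        """TCP counts only after the handshake; UDP only if the policy says so."""
        if proto == "tcp":
            return handshake_done
        if proto == "udp":
            return self.count_udp
        return False

    def feed(self, records):
        """Run the records through the limiter and return the block table."""
        for time_s, proto, src, handshake_done in sorted(records, key=lambda r: r[0]):
            if src in self.blocked or not self.countable(proto, handshake_done):
                continue
            window = self.history[src]
            window.append(time_s)
            # drop events that have aged out of the sliding window
            while window and time_s - window[0] > self.window_s:
                window.popleft()
            if len(window) > self.max_events:
                self.blocked.add(src)
        return set(self.blocked)


def compare_policies(records=SAMPLE_RECORDS):
    """Return the block tables produced by the naive and the TCP-only policy."""
    naive = OverloadTable(count_udp=True).feed(records)
    tcp_only = OverloadTable(count_udp=False).feed(records)
    return {"naive": naive, "tcp_only": tcp_only}


if __name__ == "__main__":
    result = compare_policies()
    print("naive (UDP counted):  ", sorted(result["naive"]))
    print("tcp-only (pf-style):  ", sorted(result["tcp_only"]))
    if RESOLVER in result["naive"]:
        print("naive policy blocked the resolver: self-inflicted DoS")
```

With the UDP-counting policy the forged flood lands the resolver's address in the table after a handful of packets, so every real reply from that resolver is then dropped; the TCP-only policy blocks just the brute-forcer, because the forged SYNs never complete a handshake and are never counted.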