On 2023-07-19, mabi <m...@protonmail.ch> wrote:
> ------- Original Message -------
> On Tuesday, July 18th, 2023 at 10:59 PM, Stuart Henderson 
> <stu.li...@spacehopper.org> wrote:
>
>
>> PF's state-tracking options are only for TCP. (Blocking an IP
>> based on number of connections from easily spoofed UDP is a good
>> way to let third parties prevent your machine from communicating
>> with IPs that may well get in the way i.e. trigger a "self DoS").
>
> What a pity, these kind of rate limiting options for UDP would have been
> quite useful.

I don't think you understood what I wrote then - they are the
opposite of helpful here.

Say you are running a DNS recursive resolver with such protection;
if someone were to send you spoofed high rate packets from the IPs
of the root servers, some big gTLD/ccTLD servers, or big DNS hosters
(cloudflare or someone), your lookups will be quite broken.

Likewise for an authoritative server: send packets with source IPs
of some large DNS recursive resolvers and you then won't be sending
replies to legitimate requests from those resolvers.

The difference with TCP is that someone sending packets needs to
be able to see the response to those packets in order to carry out
the handshake. That's not needed for UDP where a single packet in
one direction is all that's needed.
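
A small simulation of the argument above (added here as an illustration; it is not code from the thread or from PF itself). It models a per-source rate limit with an overload table, in the spirit of PF's max-src-conn-rate plus overload <table>, and adds a hypothetical "count UDP too" switch to stand in for the option mabi wished for. The addresses, rate and thresholds are constructed; the 198.41.0.4 label is only used as a stand-in for "some root server" and nothing is sent on the network. TCP events are counted only once the handshake has completed, which is the property that makes source-address limiting safe there and unsafe for UDP.

```python
"""Simulation of source-address rate limiting against spoofed UDP vs. TCP.

Added example, not from the mailing-list thread and not PF's code.
All addresses, packet counts and thresholds below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

SPOOFED_SRC = "198.41.0.4"   # address the attacker writes into spoofed packets
ATTACK_RATE = 200            # spoofed packets sent within one window
LIMIT, WINDOW = 50, 5        # "50 new connections per 5 ticks"


@dataclass
class Packet:
    src: str
    proto: str                 # "udp" or "tcp"
    established: bool = False  # tcp only: three-way handshake completed


class SourceRateLimiter:
    """Per-source rate limit with an overload table (simplified model of
    PF's max-src-conn-rate N/S + overload <table>). count_udp=True is the
    hypothetical UDP variant discussed in the thread."""

    def __init__(self, limit, window, count_udp):
        self.limit, self.window, self.count_udp = limit, window, count_udp
        self.events = defaultdict(deque)  # src -> ticks of counted events
        self.blocked = set()              # the overload table

    def _counts(self, pkt):
        if pkt.proto == "tcp":
            # Only a completed handshake counts. A spoofed source never sees
            # the SYN-ACK, so it can never drive this counter up.
            return pkt.established
        # For UDP a single unverified packet is all there is to count.
        return self.count_udp

    def accept(self, pkt, now):
        """Return True if the packet passes, False if dropped. A source
        that exceeds the limit is added to the overload table."""
        if pkt.src in self.blocked:
            return False
        if self._counts(pkt):
            q = self.events[pkt.src]
            q.append(now)
            while q and now - q[0] >= self.window:
                q.popleft()
            if len(q) > self.limit:
                self.blocked.add(pkt.src)
                return False
        return True


def run(proto, count_udp):
    """Attacker floods spoofed packets claiming to be SPOOFED_SRC, then the
    real owner of that address sends one legitimate packet (for TCP, one
    that did complete a handshake). Returns whether that legitimate packet
    was accepted."""
    fw = SourceRateLimiter(LIMIT, WINDOW, count_udp)
    for _ in range(ATTACK_RATE):
        fw.accept(Packet(SPOOFED_SRC, proto, established=False), now=0)
    legit = Packet(SPOOFED_SRC, proto, established=(proto == "tcp"))
    return fw.accept(legit, now=1)


def udp_with_limiting():
    """Hypothetical UDP rate limiting: the spoofed flood blocks the real
    server, and its genuine reply is dropped (the self-DoS)."""
    return run("udp", count_udp=True)


def udp_without_limiting():
    """PF's actual behaviour: UDP is not counted, so the real server's
    reply still gets through."""
    return run("udp", count_udp=False)


def tcp_with_limiting():
    """Spoofed SYNs never reach the established state and are never
    counted, so the limiter is only triggered by peers that can really
    talk to us."""
    return run("tcp", count_udp=True)


if __name__ == "__main__":
    print("UDP, counted   -> legit reply accepted:", udp_with_limiting())
    print("UDP, uncounted -> legit reply accepted:", udp_without_limiting())
    print("TCP, counted   -> legit conn accepted: ", tcp_with_limiting())
```

The first function returns False: after the spoofed burst, 198.41.0.4 sits in the overload table and the resolver's own lookups to it fail. The other two return True, which is exactly the distinction Stuart draws between a protocol where the counted event needs the response (TCP handshake) and one where a single packet in one direction suffices (UDP).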

