[dns-operations] All Too Quiet?

[Danny McPherson]

On Jul 30, 2008, at 11:53 AM, David Dagon wrote:
>
>  -- The researcher will, after an appropriate learning time,
>     respect your ICMP 'host not reachable' (3,3) messages, and
>     no longer send you probes.  An attacker might well respect
>     these quicker, and move on to victims that will receive
>     such traffic.   (This is an artifact of how the researcher
>     and attacker pick dst IPs.  The researcher has an (aging)
>     list of DNS talkers, and covers much of the Internet;
>     the attack has selected a single IP in most cases).

The ICMP 3/3 probes will only be generated by patched
servers though, no?

-danny