RE: The Art of Unspoofing

From: purdy@hushmail.com
Date: 09/18/02


Date: Wed, 18 Sep 2002 12:43:58 -0700
To: eric.prince@cox.net
From: purdy@hushmail.com



I think this idea bears further investigation by the community. As a victim of a syn-flood just 3 weeks after PANIX was first struck years ago in New York, I would dearly love to get my hands on an attacker. I applaud this person's efforts and would like to begin the discussion by pointing out some problems.

> The Resolution Theory

In theory a neat concept, but it can be easily overcome by sending packets to the IP address instead of the FQDN.

> The Connectivity and Routing Request Theory

If the attacker is trying to hit her first machine (presumably all other attacks would occur from one or more hops away from home), she should be smart enough to give a little time between a single traceroute or ping and the attack itself, leaving no possible correlation unless the victim has little or no other traffic.

> Little Black Dots

Actually a good scenario for the current DoS programs, but as pointed out either a random or simply non-255 TTL in the program would negate this.

> A Quick Note on Unspoofing and Nameserver Caching
> limit it with the following options (Bind 9 only): max-cache-ttl (Bind 9.X) and max-cache-size (Bind 9.2 and up)

Excellent idea. We will implement at our ISP.

Curt
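The "Little Black Dots" point above, worked through as an added example (not code from the original post or its author): if a flood tool always sends with an initial TTL of 255, the TTL seen at the victim reveals the hop distance to the real sender no matter what source address is spoofed, and a randomised or non-255 initial TTL destroys that signal. The initial-TTL table and the sample packets are constructed assumptions.

```python
"""Hop-distance estimates from the TTL a packet arrives with (added example)."""
from collections import Counter

# Assumption: common initial TTLs (typical OS defaults plus the 255 that
# some raw-socket flood tools set).
INITIAL_TTLS = (64, 128, 255)


def hop_estimates(observed_ttl):
    """Possible hop counts, one per plausible initial TTL."""
    return {init: init - observed_ttl for init in INITIAL_TTLS if init >= observed_ttl}


def distance_if_fixed_255(observed_ttl):
    """Hop count under the assumption the tool used a fixed initial TTL of 255."""
    return 255 - observed_ttl


def profile_flood(packets):
    """packets: iterable of (spoofed_src, observed_ttl).

    Returns (number of distinct source addresses, Counter of hop distances).
    A spoofed flood from one real host collapses onto a single distance even
    though the source addresses all differ.
    """
    srcs = set()
    dist = Counter()
    for src, ttl in packets:
        srcs.add(src)
        dist[distance_if_fixed_255(ttl)] += 1
    return len(srcs), dist


def ttl_is_informative(packets, min_share=0.9):
    """True when at least min_share of packets agree on one distance, i.e. the
    tool used a fixed initial TTL. Randomised TTLs spread the estimates out and
    the check fails, which is exactly the evasion the post describes."""
    _, dist = profile_flood(packets)
    total = sum(dist.values())
    return total > 0 and max(dist.values()) / total >= min_share


# Constructed sample: 20 spoofed sources, initial TTL 255 minus 12 hops.
FIXED_FLOOD = [(f"10.0.{i}.{i}", 243) for i in range(20)]
# Constructed sample: same spoofing, but the tool randomised the initial TTL.
RANDOM_FLOOD = [(f"10.0.{i}.{i}", t)
                for i, t in enumerate([200, 57, 119, 243, 12, 90, 255, 33, 180, 66])]

if __name__ == "__main__":
    print(profile_flood(FIXED_FLOOD), ttl_is_informative(FIXED_FLOOD))
    print(profile_flood(RANDOM_FLOOD), ttl_is_informative(RANDOM_FLOOD))
```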
