Re: How to get rid of spoofed IP-Address responses

From: NetWatch
Date: 05/24/02

Date: Fri, 24 May 2002 23:33:55 +0200
From: "NetWatch" <>
To: "Linux_Focus" <>

Thanks a lot for the really helpful information I have received so far. The
most interesting mail was from Thiago Conde Figueiro, pointing me to GRC.COM
and the very impressive documents on DDOS and, more interesting for me,
on DRDOS attacks.
A lot of you have pointed me onto the right track. *WE ARE THE REFLECTOR*
against the poor IP addresses I am seeing.
That means we really have no *SYN ACK* (that's what we also get from
time to time); we only receive the SYN flag. Because this means that
the attacker is sending a request to port 80 with a source port > 1024,
we cannot filter them out without also hitting valid web-server traffic.
What we have also analyzed is that we get these packets against our
whole network (which is pretty small).
Meanwhile we created a "blackhole" server which receives these packets
and delays the responses until they are finally dropped.
So far we have found three IP addresses that are targeted: (which is the one on CERF.NET that I blamed by
mistake), which is interesting from a reverse-lookup point of view:
it shows " 3600 IN PTR" and the name is resolved from "",
and finally

In my opinion the problem is the flexible response option on the Cisco.
If we let the Cisco handle this sort of traffic, we might run into the
problem that it becomes a potential target for another attack.
All we need to do (from what I learned today) is to drop the RST or
SYN/ACK inside our network. I am not a fan of simply dropping packets
from specific IP addresses; this will increase the administrative work
heavily. I am thinking more of some application that deals with this
sort of packet and analyzes it, to understand what its effect is.

thanks a lot so far.
Jochen Grotepass

P.S.: Some German words look nice in this forum.
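The pattern the poster describes (inbound SYNs to port 80 from a handful of addresses, spread over every host on the network, our SYN/ACKs going out, and never a final ACK coming back) is exactly what a reflector sees. Below is an added example, not code from the original post or the list, of the kind of "application that analyzes these packets" the poster has in mind: it reads tcpdump-style summary lines, tracks each handshake, and reports remote addresses that collect half-open connections across many local hosts without ever completing one. The capture is constructed for the example using RFC 5737 documentation addresses (198.51.100.0/24 standing in for the poster's network, 203.0.113.7 for a spoofed victim, 192.0.2.5 for a normal client); the threshold of three half-open handshakes is an assumed tuning knob, not a figure from the post.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed tcpdump-style summary lines (not captured data from the original
# post). 198.51.100.0/24 is "our" network, 203.0.113.7 plays the address the
# attacker is spoofing, and 192.0.2.5 is an ordinary web client that completes
# its handshake. Note that the spoofed SYNs use source ports > 1024, so port
# alone cannot separate them from legitimate traffic.
SAMPLE_CAPTURE = """\
23:33:01.000001 IP 203.0.113.7.40001 > 198.51.100.10.80: Flags [S]
23:33:01.000050 IP 198.51.100.10.80 > 203.0.113.7.40001: Flags [S.]
23:33:01.000201 IP 203.0.113.7.40002 > 198.51.100.11.80: Flags [S]
23:33:01.000250 IP 198.51.100.11.80 > 203.0.113.7.40002: Flags [S.]
23:33:01.000401 IP 203.0.113.7.40003 > 198.51.100.12.80: Flags [S]
23:33:01.000450 IP 198.51.100.12.80 > 203.0.113.7.40003: Flags [S.]
23:33:01.000601 IP 203.0.113.7.40004 > 198.51.100.13.80: Flags [S]
23:33:01.000650 IP 198.51.100.13.80 > 203.0.113.7.40004: Flags [S.]
23:33:02.000001 IP 192.0.2.5.51234 > 198.51.100.10.80: Flags [S]
23:33:02.000050 IP 198.51.100.10.80 > 192.0.2.5.51234: Flags [S.]
23:33:02.000100 IP 192.0.2.5.51234 > 198.51.100.10.80: Flags [.]
23:33:02.000150 IP 192.0.2.5.51234 > 198.51.100.10.80: Flags [P.]
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return (src, sport, dst, dport, flags) or None for lines we cannot parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def analyze(capture, local_cidr):
    """Track every inbound handshake and summarize it per remote address.

    stats[remote_ip] = {"syn": SYNs seen, "synack": SYN/ACKs we sent back,
                        "completed": handshakes finished by a final ACK,
                        "hosts": set of local hosts that remote address hit}
    """
    local = ipaddress.ip_network(local_cidr)
    flows = {}  # (remote_ip, remote_port, local_ip, local_port) -> handshake state
    stats = defaultdict(lambda: {"syn": 0, "synack": 0, "completed": 0, "hosts": set()})
    for line in capture.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, flags = parsed
        src_local = ipaddress.ip_address(src) in local
        dst_local = ipaddress.ip_address(dst) in local
        if dst_local and not src_local:  # inbound packet from the remote side
            key = (src, sport, dst, dport)
            if flags == "S":
                flows[key] = "syn"
                stats[src]["syn"] += 1
                stats[src]["hosts"].add(dst)
            elif (flows.get(key) == "synack" and "." in flags
                  and "S" not in flags and "R" not in flags):
                # Third leg of the handshake: a real client acknowledges our SYN/ACK.
                flows[key] = "open"
                stats[src]["completed"] += 1
        elif src_local and not dst_local:  # our reply going out
            key = (dst, dport, src, sport)
            if flags == "S." and flows.get(key) == "syn":
                flows[key] = "synack"
                stats[dst]["synack"] += 1
    return stats


def suspected_victims(stats, min_half_open=3):
    """Remote addresses we are reflecting onto: SYN/ACKs sent, never acknowledged.

    Returns sorted (ip, half_open_count, distinct_local_hosts_hit) tuples.
    The min_half_open threshold is an assumed tuning value for this example.
    """
    result = []
    for ip, s in stats.items():
        half_open = s["synack"] - s["completed"]
        if half_open >= min_half_open and s["completed"] == 0:
            result.append((ip, half_open, len(s["hosts"])))
    return sorted(result)


if __name__ == "__main__":
    st = analyze(SAMPLE_CAPTURE, "198.51.100.0/24")
    for ip, half_open, hosts in suspected_victims(st):
        print(f"{ip}: {half_open} half-open handshakes across {hosts} local hosts")
```

Run against a real capture, the addresses it reports are the ones to which the list's advice applies (drop the outbound SYN/ACK and RST toward them at the border) without having to block every spoofed source by hand; the "distinct local hosts" column is what distinguishes a reflection run across the whole network from one slow client that simply lost its connection.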
