Re: How to get rid of spoofed IP-Address responses

From: NetWatch (netwatch@sagadc.de)
Date: 05/24/02


Date: Fri, 24 May 2002 23:33:55 +0200
From: "NetWatch" <netwatch@sagadc.de>
To: "Linux_Focus" <focus-linux@securityfocus.com>

Thanks a lot for the really helpful information I received so far. The
interesting mail was from Thiago Conde Figueiro pointing me to GRC.COM
and the very impressive documents for DDOS but more interesting for me
the DRDOS attacks.
A lot of you have pointed me to the right track. *WE ARE THE REFLECTOR*
against the poor IP-Addresses I am seeing.
That means we have really no *SYN ACK* (thats what we also have from
time to time) but we only receive the SYN Flag. Because this means that
the attacker is sending a request to Port 80 with a source Port > 1024
we cannot filter them out because of valid WEB-Server traffic.
What we also have analyzed is that we get these packets against our
whole network (which is pretty small).
Meanwhile we created a "blackhole" server who is receiving these packets
and delays responses until it gets finally dropped.
So far we have found three IP-Addresses that are targeted:
63.240.202.140 (which is the one on the CERF.NET who I blamed by
mistake)
208.185.82.110 which is interesting from a reverse lookup point of view.
It shows "10.82.185.208.in-addr.arpa. 3600 IN PTR
tempted.by.the-devil.org." and the name is resolved from "lomag.net"
and finally
216.111.239.174

In my opinion the problem is the flexible response option on the CISCO.
If we let the CISCO handle these sort of traffic, we might run into the
problem that this can be a potential target for another attack.
All we need to do (from what I learned today) is to drop the RST or
SYN/ACK inside our network. I am not a fan in simply dropping packets
from specific IP Addresses. This will increase the administrative work
heavily. I am more thinking about some application dealing with these
sort of packets and analyze them to understand what the effect of it is.

Again,
thanks a lot so far.
Jochen Grotepass
SAGA D.C. GmbH

P.S.: Some German words looks nice in this forum.