RE: Attacks on GRC.com

From: Shwaine (shwaine@malevolence.com)
Date: 02/28/02


To: incidents@securityfocus.org
From: Shwaine <shwaine@malevolence.com>
Date: Thu, 28 Feb 2002 13:23:36 -0800

In the grad class I took last spring on Internet protocols and security,
this kind of attack was called a "reflective distributed denial
of service attack". There is plenty of research into how to trace
forged packets back to their original source, called IP Traceback.
There is also an IETF working group on a type of IP Traceback called
ICMP Traceback, http://www.ietf.org/html.charters/itrace-charter.html.

One issue with reflective DDoS attacks is that traditional IP Traceback
protocols usually only send the itrace messages either to the destination
IP or along with the packet, which means that the reflectors, not
the victim, get the itrace messages about the path(s) to the actual
attacker. The topic came up in that class I took about perhaps sending
the itrace messages to both the source and destination IPs, which
would send itrace messages to the victim in reflective DDoS (since
the spoofed source IP is the victim's along the path from the attacker
to the reflector), but could also lead to increased traffic depending
on implementation. I am not sure if this idea is being researched
at the moment.

Shwaine
--------------------------------------------------------------
http://www.malevolence.com http://www.shwaine.com
telnet://shwaine.dyn.greystoneapts.com:3000

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
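The delivery problem the post describes, as an added simulation that is not part of the original message or of any itrace implementation: a three-router topology, a reflector that answers a spoofed SYN with a SYN/ACK to the victim, and routers that emit one itrace message per forwarded packet either to the header destination only (the traditional behaviour) or to both header source and destination (the idea raised in the class). The topology, the policy names "destination" and "both", and tracing every packet instead of sampling are assumptions made for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed topology (an assumption for the demo, not from the post): each
# host sits behind its own edge router and the edge routers meet at one core
# router, so every path is edge -> core -> edge.
EDGE = {"attacker": "r_att", "reflector": "r_ref", "victim": "r_vic"}
CORE = "r_core"


def path(origin: str, dst: str) -> List[str]:
    """Routers a packet traverses from the host that really sent it to dst."""
    return [EDGE[origin], CORE, EDGE[dst]]


@dataclass(frozen=True)
class Packet:
    src: str   # source address in the IP header (spoofed by the attacker)
    dst: str
    kind: str  # "SYN" or "SYN/ACK"


@dataclass(frozen=True)
class ITrace:
    router: str      # router that generated the traceback message
    prev_hop: str    # where the traced packet arrived from
    next_hop: str    # where it was forwarded to
    traced_src: str  # header source of the traced packet
    traced_dst: str


def forward(pkt: Packet, origin: str, policy: str,
            inbox: Dict[str, List[ITrace]]) -> None:
    """Carry pkt from origin to pkt.dst; every router on the way emits one
    itrace message.  Real ICMP Traceback samples roughly 1 in 20,000
    packets; tracing every packet is a simplification so the effect shows
    with a handful of packets.  Policy "destination" sends the message to
    the header destination only; policy "both" sends it to header source
    and destination (the idea raised in the post)."""
    routers = path(origin, pkt.dst)
    chain = [origin] + routers + [pkt.dst]
    for i, router in enumerate(routers, start=1):
        msg = ITrace(router, chain[i - 1], chain[i + 1], pkt.src, pkt.dst)
        targets = {pkt.dst} if policy == "destination" else {pkt.src, pkt.dst}
        for host in targets:
            inbox[host].append(msg)


def reflect(pkt: Packet) -> Packet:
    """A TCP reflector answers a SYN with a SYN/ACK to the header source,
    which in the attack is the victim's address."""
    assert pkt.kind == "SYN"
    return Packet(src="reflector", dst=pkt.src, kind="SYN/ACK")


def simulate(policy: str, rounds: int = 3) -> Dict[str, List[ITrace]]:
    """Run the reflective attack and return every host's itrace inbox."""
    inbox: Dict[str, List[ITrace]] = defaultdict(list)
    for _ in range(rounds):
        spoofed = Packet(src="victim", dst="reflector", kind="SYN")
        forward(spoofed, origin="attacker", policy=policy, inbox=inbox)
        forward(reflect(spoofed), origin="reflector", policy=policy, inbox=inbox)
    return inbox


def spoofed_entries(inbox: Dict[str, List[ITrace]],
                    host: str) -> List[Tuple[str, str]]:
    """(claimed source, real ingress host) pairs host can learn from its own
    itrace messages: an edge router reporting a packet that arrived directly
    from a host other than the one named in its header source."""
    return sorted({(m.traced_src, m.prev_hop) for m in inbox[host]
                   if m.prev_hop in EDGE and m.prev_hop != m.traced_src})


def total_messages(inbox: Dict[str, List[ITrace]]) -> int:
    return sum(len(msgs) for msgs in inbox.values())


if __name__ == "__main__":
    for policy in ("destination", "both"):
        box = simulate(policy)
        print(f"{policy:>11}: victim learns {spoofed_entries(box, 'victim')}, "
              f"reflector learns {spoofed_entries(box, 'reflector')}, "
              f"{total_messages(box)} itrace messages in total")
```

Under the "destination" policy only the reflector ever learns that packets claiming to be from the victim entered at the attacker; the victim's inbox holds nothing but the reflector-to-victim leg. Under "both" the victim gets the same evidence, and in this run the message count doubles, which is the traffic cost the post warns about (with real sampling rates the absolute numbers are far smaller, but the ratio is the same).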