Re: DDoS Attack

From: Justin Pryzby (
Date: 05/28/03

    Date: Wed, 28 May 2003 13:16:55 -0400
    To: Andrew Simmons <>

    Oops, rereading one of my last posts, I said
    > > FWIW, IP's *may* be spoofed, even if you are seeing a tcp 3-way init.
    > > It depends on how your server machine generates the IP sequence numbers.
    > > `nmap -v` is a good gauge of how cryptographically strong it is.

    What I MEANT was TCP sequence numbers, not IP ID numbers. Sequence
    numbers are supposed to be highly random. The IP ID number is just a
    unique identifier of communication between two hosts over a given
    protocol. It exists so that (for example) a webserver can serve a
    client multiple pages concurrently. The IP ID number cannot be used to
    provide any kind of security. It seems different OSs even use widely
    different schemes to decide when to increment it and when to use
    an entirely different number.

    As I understand, beginning an attack with an arbitrary IP ID number
    would work fine, as long as the TCP sequence numbers were right. The
    target host would just think that lots of packets had gotten lost ...

    Correct me if I'm wrong,
    Justin Pryzby
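
Added example, not part of the original post: a simplified heuristic for the point above that spoofing resistance depends on how the server generates TCP initial sequence numbers (ISNs). It scores ISNs sampled from the SYN-ACKs of a server you administer; the function names, thresholds and sample values are constructed for illustration, and this is not nmap's own algorithm.

```python
import math
from functools import reduce

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

# Constructed samples: ISNs as they might be read from successive SYN-ACKs.
FIXED_STEP = [4294967286, 54, 118, 182, 246]            # +64 each time, wraps
STEP_MULTIPLES = [1000, 65000, 193000, 257000, 449000]  # multiples of 64000
RANDOM_LOOKING = [0x3A4F91C2, 0xD17B0E55, 0x0829F7A1,
                  0x9C44D013, 0x61E2B38F, 0xF5071A6C]


def isn_deltas(isns):
    """Differences between consecutive ISNs, taken modulo 2**32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def assess(isns):
    """Return (verdict, bits) for ISNs listed in the order they were seen."""
    deltas = isn_deltas(isns)
    if len(deltas) < 3:
        raise ValueError("need at least 4 ISN samples")
    if len(set(deltas)) == 1:
        return ("constant increment", 0.0)
    # Divide out a common step so "always a multiple of N" is not
    # mistaken for genuine spread.
    g = reduce(math.gcd, deltas)
    scaled = [d // g for d in deltas]
    mean = sum(scaled) / len(scaled)
    var = sum((d - mean) ** 2 for d in scaled) / (len(scaled) - 1)
    std = math.sqrt(var)
    # log2 of the spread: a rough count of bits a guesser must cover.
    bits = round(math.log2(std), 1) if std > 1 else 0.0
    # Thresholds below are assumptions chosen for this example.
    if bits < 8:
        return ("predictable", bits)
    if bits < 20:
        return ("weak", bits)
    return ("hard to predict", bits)


if __name__ == "__main__":
    for name, sample in [("fixed step", FIXED_STEP),
                         ("step multiples", STEP_MULTIPLES),
                         ("random-looking", RANDOM_LOOKING)]:
        print(name, assess(sample))
```
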

