Re: DoS/DDoS Attack

From: Nazareno Vicente Feito (nvfeito_at_advancedsl.com.ar)
Date: 01/14/05

    Date: Fri, 14 Jan 2005 14:09:40 +0000
    To: pen-test@securityfocus.com
    
    

    On Friday 14 January 2005 06:06 am, Faisal Khan wrote:
    > Folks,
    >
    > Two quick questions.
    >
    > When IP (Source) addresses are spoofed, is there no way of determining (a)
    > that the IP Source Address is spoofed and not the genuine one, and (b) to be
    > able to determine the actual IP address that is sending DoS packets?
    >
    > Somehow I get the feeling I'm SOL when trying to find out the
    > "genuine/actual" source IP address.
    >
    > If this is the case, then pretty much we all are helpless with DoS/DDoS
    > attacks - considering one can write a script/program to keep incrementing
    > or randomly assigning spoofed source addresses in the DoS packets being
    > sent out.
    >
    > Faisal

    I can't think of a way of reversing the process. The experiments I've done
    with spoofed IPs have been done in C using raw sockets; some folks tried
    with Python. The language is indifferent, but what you do is alter the header
    of the packet and tell the kernel of the OS that there's no need to add a
    header to the packet you're sending; then the kernel just places the packet on
    the net with the data you filled in.
    The main thing about a spoofed IP packet is that you can fill the fields with
    any info you want (of course it's important that the checksum matches; this is one
    way you could know if the packet is spoofed, and if it's not spoofed and the checksum
    does not match, there's an error, so one way or another you should get rid of
    the packet). Check this with Ethereal or another protocol analyzer.
    In theory there should be no way of knowing what the real source address is (it's
    not like an SMTP 'spoof', where you play with some RCPT TO / MAIL FROM commands
    and you have the email headers added by the MTA). If you think about it a
    little bit, we're indeed helpless with DoS/DDoS attacks, if by that you mean
    SYN floods and that kind of stuff. And if you dig deeper, you'll find out
    that if the operating system is in charge of stamping the IP address on a
    packet and the OS itself is sufficiently flexible to let you do that from
    userspace, this is not considered a flaw but a gift; the main problem is
    that not all people use this gift the way they should.
     

    -- 
    Saludos.
    Nazareno Vicente Feito
    
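A receiver-side illustration of the checksum point in the reply, added here and not part of the original thread: it parses a constructed 20-byte IPv4 header (`SAMPLE_HDR`, `inet_checksum`, `ipv4_header_valid` and `tampered_sample_valid` are names chosen for this example) and verifies the RFC 1071 header checksum the way a receiving stack does before accepting the packet. As the reply itself says, a sender who computes the checksum correctly passes this check, so it only weeds out malformed packets and says nothing about whether the source address is genuine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a 20-byte IPv4 header (TCP, 192.0.2.1 -> 198.51.100.7)
   whose checksum field (bytes 10-11) was computed per RFC 1071 as 0x324e. */
static const uint8_t SAMPLE_HDR[20] = {
    0x45, 0x00, 0x00, 0x28, 0x1c, 0x46, 0x40, 0x00,
    0x40, 0x06, 0x32, 0x4e, 0xc0, 0x00, 0x02, 0x01,
    0xc6, 0x33, 0x64, 0x07
};

/* RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented. */
uint16_t inet_checksum(const uint8_t *buf, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1)                      /* odd trailing byte is padded with zero */
        sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16)                 /* fold carries back into the low 16 bits */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Returns 1 when the header is well-formed and its stored checksum is consistent.
   Summing a header over its own checksum field gives 0xffff when the field is
   right, so the complemented result must be zero. */
int ipv4_header_valid(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* header length in bytes */
    if (ihl < 20 || ihl > len) return 0;
    return inet_checksum(pkt, ihl) == 0;
}

/* A copy of the sample with the TTL changed but the checksum left alone:
   the inconsistency the reply says should get the packet discarded. */
int tampered_sample_valid(void) {
    uint8_t hdr[20];
    memcpy(hdr, SAMPLE_HDR, sizeof hdr);
    hdr[8] = 0x80;
    return ipv4_header_valid(hdr, sizeof hdr);
}

int main(void) {
    printf("sample header valid: %d\n", ipv4_header_valid(SAMPLE_HDR, 20));
    printf("tampered header valid: %d\n", tampered_sample_valid());
    return 0;
}
```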
