Re: IP Spoofing questions

From: Walter Roberson (roberson_at_ibd.nrc-cnrc.gc.ca)
Date: 03/07/04


Date: 7 Mar 2004 18:37:24 GMT

In article <5f16df6b.0403070759.5565fc91@posting.google.com>,
David Schlecht <dschl@earthlink.net> wrote:
:Is IP Spoofing still a risk if our server has good TCP sequence number
:randomization?

Yes. It's easier to blow down a straw hut, but the brick hut still
has to worry about bulldozers.

:We get numerous CGI attacks that I'm interested in reporting but don't
:know how much I can rely on our server logs source IP field.

If these are automated attacks, then I'm sorry to say that your
reports are likely going to be more or less ignored by most sites.
There's just so *many* of such attacks -- it's like trying to file
a police report every time anyone calls in saying "I saw a person in
a black shirt drop a candy wrapper!"

If these are for selective attacks where there was some intelligence
put into you as a target (e.g., you can show a progression of probes where
they learned more about your defences and tried more specific attacks) then
you might be able to get somewhere with authorities. But I should warn
you that unless you have very good evidence lined up, "forensic quality"
[i.e., will stand up in court], then *in practice* you are probably
around 400000'th in line unless you can demonstrate that more than $10,000
(better yet, $25,000) of real damage was done... damage that excludes the
cost of cleaning up your systems afterwards.

It is not a good state of affairs, to be sure.

-- 
Studies show that the average reader ignores 106% of all statistics
they see in .signatures.