Re: Stealthing
- From: Sebastian Gottschalk <seppi@xxxxxxxxx>
- Date: Wed, 14 Jun 2006 20:39:06 +0200
Walter Roberson wrote:

Have your "owned" systems spoof ICMP echo packets, addressed to
security gateways that respond with ICMP Unreachables, with the source
address set to the system one wants to DDoS. The resulting Unreachable
will not go to the system that sent out the ICMP, but instead
to the system whose IP address appeared in the ICMP. The attack
then becomes practically untraceable, and if a large group of
such intermediate security gateways are used, the attack cannot
reasonably be filtered based upon IP.

This is true for almost any spoofed attack and doesn't require any
redirects. The real matter should only be about how big the
amplification in traffic is, and certainly ICMP should be your least worry.

Furthermore, it takes resources on the security gateway to
ARP for the destination, hold that status until a timeout, and then
create an ICMP UNREACHABLE packet. If the security gateway has a
heavy load -- normal traffic or just a lot of random probes or a DoS
or DDoS attack -- then responding can be an unaffordable drain on
resources.

That's what rate limits are good for!

And what does one do when the rate limit is hit?

Slow down or stop responding.

If the gateway just drops the ICMP ECHO packet without reply, then the
security gateway has joined the ranks of the "only a few lousy big
ISPs" (or whatever the exact wording was), as not producing
-any- ICMP UNREACHABLE HOSTUNREACHABLE is merely the same thing
as rate limiting such responses to zero.

A constant flow of ICMP Echo Requests is not a part of normal
operation. With rate limits, such systems go back to normal mode.

my remark was merely that failing to produce
ICMP Unreachables was common at security gateways,
and routers. Better reread what you wrote.
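
The rate-limit argument in this message, as an added example that is not part of the original post: a token bucket in front of ICMP Unreachable generation, run over a constructed flood (1000 probes/s for 10 s) followed by one isolated probe 10 s later. The bucket parameters and the traffic pattern are assumptions; a rate and burst of zero models the gateway that never replies.

```python
from dataclasses import dataclass, field

COST = 1000  # milli-tokens consumed per ICMP Unreachable sent (integer math, no float drift)


@dataclass
class IcmpErrorLimiter:
    """Token bucket deciding whether the gateway may emit one ICMP Unreachable."""
    rate: int                      # replies refilled per second (assumed setting)
    burst: int                     # maximum replies that can be sent back to back
    tokens: int = field(init=False)
    last_ms: int = 0

    def __post_init__(self):
        self.tokens = self.burst * COST   # bucket starts full

    def allow(self, now_ms: int) -> bool:
        # replies/second * elapsed milliseconds = milli-tokens earned
        refill = (now_ms - self.last_ms) * self.rate
        self.tokens = min(self.burst * COST, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= COST:
            self.tokens -= COST
            return True                   # send the Unreachable
        return False                      # limit hit: drop silently


def simulate(rate: int, burst: int):
    """Constructed traffic: one probe per ms for 10 s, then a single probe at t = 20 s.

    Returns (unreachables sent during the flood, whether the late probe is answered).
    """
    limiter = IcmpErrorLimiter(rate=rate, burst=burst)
    during_flood = sum(1 for t_ms in range(10_000) if limiter.allow(t_ms))
    after_flood = limiter.allow(20_000)
    return during_flood, after_flood


if __name__ == "__main__":
    for rate, burst in [(10, 5), (0, 0)]:
        sent, recovered = simulate(rate, burst)
        print(f"rate={rate}/s burst={burst}: {sent} of 10000 probes answered "
              f"during flood, isolated probe answered afterwards: {recovered}")
```

With a limit of 10 replies/s the gateway's reply traffic during the flood is bounded by the configured rate rather than by the probe rate, and the isolated probe afterwards is answered again; with the limit at zero nothing is ever answered.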