Re: The Art of Unspoofing

2002-09-19 Thread Euan

This is just simplistic, ill-conceived rubbish. There is absolutely no
way to guarantee that you are tracking down the correct IP or the
correct person. How can you possibly rely on the TTL to distinguish the
address of the attacker among thousands of DNS requests? The TTL can
be forged on spoofed packets - and they may come from a completely
different source than the attacker itself... Is it safe to assume an
attacker is going to use the generic public smurf.c tool etc.? Is it safe
to assume the attacker is going to use traceroute or ping to test if the
victim host is alive? Is it safe to assume the attacker won't use blind
spoofed IP ID techniques or some other method to test if the victim host
is alive? No.

At the beginning of your post you mention the raw interface to the
networking... yet you simply ignore or do not realise that the
flexibility and multitude of ways to use and abuse TCP/IP makes this
whole art of unspoofing nothing but presumptuous rubbish that will
waste people's time and help them catch none but the most ignorant and
useless of attackers. (People this stupid are unlikely to be a danger to
your network in the first place.) What's to stop an attacker spoofing DNS
lookups and pings from another host in order to incriminate it?

What it comes down to is - it is easy for a semi-intelligent attacker
to cause a denial of service attack that is completely untraceable from
the target side; grasping at straws like this won't do much good at all
except waste a lot of your time.

Euan

[EMAIL PROTECTED] wrote:

 I found this on a site today, thought it might be of some interest:

 The Art of Unspoofing

Re: The Art of Unspoofing

2002-09-19 Thread Darren Reed

In some mail from [EMAIL PROTECTED], sie said:
[...]
 The Resolution Theory 
  
   The idea is simple. Usually, when a denial of service attack is 
 initiated against a target host, it's something like: 
   
   # ./attack target.com
 
   In order to send the spoofed packets to target.com, the attackers 
 nameserver has to resolve its domain name to an IP address, and only 
 then can it inject the malicious packets. In theory, the nameservers 
 for target.com will receive packets originating from the true source 
 host of the attack or their nameserver.
[...]

An adjunct to this is that nearly all applications will only ever resolve
a hostname _once_.  So if ./attack will start an attack that lasts for
8 hours (say) but our DNS TTL is only 1 hour, we can change the IP# of
target.com and the attack can be deflected.  How low do you go with a
TTL in DNS so you can react in this manner without pushing too much work
back on to DNS?  Don't know.  I'm sure this is well known, though?

Darren
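The "Resolution Theory" quoted above, as an added example that is not code from either poster or from the original article: it lists which clients asked our authoritative nameserver for the target name in the minutes before an attack was observed to begin. The query-log format is assumed to be BIND-style and the log lines are constructed; as Euan's reply notes, the result is a list of candidates to correlate with other evidence, since such lookups can be spoofed or issued from an unrelated host.

```python
import re
from datetime import datetime, timedelta

# Regex for a BIND-style query log line (format assumed for this example):
#   19-Sep-2002 10:02:13.123 client 192.0.2.10#3456: query: target.com IN A +
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_line(line):
    """Return (timestamp, client, qname, qtype) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")

def resolver_candidates(log_lines, attack_start, window_seconds, qname):
    """Return [(client, seconds_before_attack), ...] for every client that asked
    for an address record of `qname` in the window before the attack, nearest first."""
    qname = qname.rstrip(".").lower()
    window = timedelta(seconds=window_seconds)
    hits = {}
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, name, qtype = parsed
        if name != qname or qtype not in ("A", "AAAA"):
            continue  # other names or record types are not the attack tool's lookup
        if attack_start - window <= ts <= attack_start:
            delta = (attack_start - ts).total_seconds()
            # keep only the query closest to the attack start for each client
            if client not in hits or delta < hits[client]:
                hits[client] = delta
    return sorted(hits.items(), key=lambda kv: kv[1])

# Constructed sample log (not real data); the flood was first seen at 10:03:00.
SAMPLE_LOG = """\
19-Sep-2002 09:10:41.004 client 198.51.100.7#2301: query: target.com IN A +
19-Sep-2002 10:02:13.123 client 192.0.2.10#3456: query: target.com IN A +
19-Sep-2002 10:02:40.551 client 203.0.113.5#1025: query: www.target.com IN A +
19-Sep-2002 10:02:58.900 client 192.0.2.44#4001: query: target.com IN MX +
19-Sep-2002 10:02:59.010 client 192.0.2.44#4002: query: target.com IN A +
19-Sep-2002 10:03:30.000 client 192.0.2.99#5000: query: target.com IN A +
""".splitlines()
ATTACK_START = datetime(2002, 9, 19, 10, 3, 0)
```

Calling `resolver_candidates(SAMPLE_LOG, ATTACK_START, 120, "target.com")` returns the two clients that looked up the A record in the two minutes before the flood, with the lookup 1 s before the attack listed first.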