Spoofing is a component of many DoS attacks but not a necessary one. There
are numerous methods to deny service. You can, as you say, spoof the
originating address to take advantage of a flaw in a server's network stack.
You can also send partial packets or packets containing other incorrect
data, such as sending 31 bytes but having the header say there are 32, etc. As
was shown by the most recent rash of DoS attacks though, you can simply
overwhelm the server with massive amounts of data. If you have enough
computers you can overwhelm any pipe. Remember, DoS does not have to occur
at the server. It can work against anything that affects the ability for a
request for service to be completed; routers, firewalls, etc. Even if the
server doesn't crash it still can't or doesn't respond to all the requests,
some of which you hope are legitimate; otherwise, why run the equipment? Your
example of PKI could fall into the category of QoS tools that I mentioned
earlier as it would attempt to ensure that all requests were from legitimate
initiators thereby blocking the illegitimate and improving QoS. One problem
with tools that use strong encryption is that each component in the system
must decrypt and inspect it. HTTP server performance can be reduced by a
factor of 10 or more simply by implementing SSL. This occurs due to the
heavy mathematical operations necessary as well as the substantially
increased # of packets generated, due to the increased size of the
originating data after it is encrypted. The math aspect can be partially
mitigated by using dedicated encryption/decryption hardware but this
increases the cost and complexity of systems.

I'll stop here 'cause this could go on much longer :) I love this sort of
discussion.

Regards,

Steve

-----Original Message-----
From: Tim Lieberman [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 05, 2000 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: Security holes revisited


It could be possible.  Consider a protocol that utilized public-key
encryption.  Every packet would have to be signed with the sender's private
key.  Of course, anonymity goes completely out the window, but faking
return-addresses would be impossible.  Faking return addresses seems to be
fairly essential to TCP/IP flavored DOS attacks.

-Tim

At 08:50 PM 00/04/05 -0400, you wrote:
>I'm not sure I follow. I know a decent amount about protocols and networking
>and, to my knowledge, there is no way, at the protocol level, to stop a DoS
>attack. I don't care how efficient the protocol is, if the server gets
>overloaded with requests, it can't provide service to every request,
>therefore service is denied (DoS). You can implement some QoS tools which
>will allow you to selectively service certain requests or protocols and/or
>use your router or firewall effectively but, again, these tools also have
>limits which, when reached, prevent the servicing of further requests (DoS).
>
>As a more digestible example, if you and all your co-workers try to retrieve
>your email at the same time then some of the requests will take longer than
>others. You frequently hear people say things like, "the mail server is slow
>today." What is happening is an unintentional denial or reduction of
>service. Hmmm, using that example, what's it called if everyone in your
>building flushes the toilet at the same time :)
>
>Steve
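
The scheme Tim sketches above (every packet signed with the sender's private key so the return address cannot be faked) and the cost Steve raises in his reply (each packet must be verified, and the signature adds bytes on the wire) can both be seen in a small model. The following Go program is an added example written for this page, not code from either poster. It assumes Ed25519 as the signature algorithm (Tim does not name one), a constructed packet layout of source address || sequence number || payload, and constructed addresses from the documentation range 192.0.2.0/24 and 198.51.100.0/24. The receiver keeps a table of registered senders' public keys keyed by source address, which is exactly the registration step that costs anonymity; a packet whose source address was rewritten to another registered sender's address fails verification under that sender's key, and a packet from an unregistered address is dropped before any verification is attempted. WireSize shows the fixed per-packet overhead of the signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"net"
)

// Packet is a constructed, minimal datagram model: the claimed source address,
// a sequence number and a payload, plus the signature the scheme adds.
type Packet struct {
	Src     net.IP
	Seq     uint32
	Payload []byte
	Sig     []byte
}

// signedBytes returns exactly the bytes the signature covers: src || seq || payload.
// Covering Src is what binds the signature to the claimed return address.
func signedBytes(p Packet) []byte {
	src := p.Src.To4()
	if src == nil {
		src = p.Src.To16()
	}
	seq := make([]byte, 4)
	binary.BigEndian.PutUint32(seq, p.Seq)
	buf := make([]byte, 0, len(src)+4+len(p.Payload))
	buf = append(buf, src...)
	buf = append(buf, seq...)
	return append(buf, p.Payload...)
}

// Sign attaches the sender's Ed25519 signature to a copy of the packet.
func Sign(priv ed25519.PrivateKey, p Packet) Packet {
	p.Sig = ed25519.Sign(priv, signedBytes(p))
	return p
}

// WireSize is the on-the-wire size; the difference between a signed and an
// unsigned packet is the fixed per-packet cost of the scheme (64 bytes here).
func WireSize(p Packet) int {
	return len(signedBytes(p)) + len(p.Sig)
}

// Receiver keeps the public key of every sender it is willing to serve, keyed
// by source address. This registration step is where anonymity is given up.
type Receiver struct {
	Keys map[string]ed25519.PublicKey
}

// Accept is the per-packet admission check: drop packets from addresses with
// no registered key, and drop packets whose signature does not verify under
// the key registered for the address they claim. It runs once per packet,
// which is the verification cost Steve's reply points at.
func (r Receiver) Accept(p Packet) bool {
	pub, ok := r.Keys[p.Src.String()]
	if !ok {
		return false
	}
	// ed25519.Verify returns false for a wrong-length or mismatched signature.
	return ed25519.Verify(pub, signedBytes(p), p.Sig)
}

// Scenario exercises three cases with constructed addresses: a genuine packet,
// the same packet with its source address rewritten to another registered
// sender's address, and a packet from an address the receiver has no key for.
func Scenario() (genuine, rewrittenSrc, unknownSrc bool, err error) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	bobPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	rx := Receiver{Keys: map[string]ed25519.PublicKey{
		"192.0.2.10": alicePub, // constructed documentation-range addresses
		"192.0.2.20": bobPub,
	}}

	p := Sign(alicePriv, Packet{Src: net.ParseIP("192.0.2.10"), Seq: 1, Payload: []byte("GET /")})
	genuine = rx.Accept(p)

	// Same signature, but the packet now claims Bob's address: the signature
	// was made over Alice's address and does not verify under Bob's key.
	rewritten := p
	rewritten.Src = net.ParseIP("192.0.2.20")
	rewrittenSrc = rx.Accept(rewritten)

	// A packet from an address with no registered sender is dropped outright.
	stray := Sign(alicePriv, Packet{Src: net.ParseIP("198.51.100.7"), Seq: 1, Payload: []byte("GET /")})
	unknownSrc = rx.Accept(stray)
	return genuine, rewrittenSrc, unknownSrc, nil
}

func main() {
	g, r, u, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v rewrittenSrc=%v unknownSrc=%v\n", g, r, u)
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	p := Packet{Src: net.ParseIP("192.0.2.10"), Seq: 1, Payload: make([]byte, 100)}
	fmt.Printf("unsigned=%d bytes, signed=%d bytes\n", WireSize(p), WireSize(Sign(priv, p)))
}
```

Two things the model makes visible that the thread only states: the receiver must still spend a signature verification on every packet that names a registered address, so the admission check itself is work an attacker can make you do; and a 100-byte payload grows from 108 to 172 bytes on the wire, which is the "increased number of packets" effect Steve describes, before any encryption of the payload.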

------------------------------------------------------------------------------
Archives: http://www.eGroups.com/list/cf-talk