----- Original Message -----
From: "Benjamin Scott" <[EMAIL PROTECTED]>
To: "Rich C" <[EMAIL PROTECTED]>
Sent: Sunday, July 08, 2001 3:37 AM
Subject: Re: grc.com Ddos analysis


> On Fri, 6 Jul 2001, Rich C wrote:
> > Which brings me back to my original question, why aren't patches to
> > enable source IP spoofing included in with more trojans like sub7server
> > and other bots?  Their purpose is solely for DDOS attacks, so IP spoofing
> > is desirable.  It can't be that trivial or it would be done more.
>
>   The reason DDoS tools do not spoof the source address is that it would
> make the attack less effective.
>
>   A traditional packet-flood denial-of-service attack uses a single host
> (or a small number of hosts) on a fast pipe to send requests to the target.
> The requests come fast enough, and/or consume enough resources, that the
> target can no longer provide service.  A spoofed address will help the
> attacker, because the victim cannot trace the packets by source IP address.
> They have to follow the route back up the stream to the point where the
> packets enter the network.  This is very time consuming, and may take longer
> than the attack lasts.  However, with such attacks becoming a problem, more
> and more ISPs are implementing ingress/egress filters which make sure
> packets entering or leaving their network are actually addressed to do so.

This is all true, and I have no argument with any of it.

>
>   A distributed denial-of-service attack uses a large population of
> compromised machines (the "zombies") to attack a selected target.  The
> attack payload is crafted to look like a legitimate request, or at least,
> to not be easily distinguished from a legitimate request.

Actually, the packets are crafted to be of MAXIMUM SIZE, so they get
fragmented and do even more damage. These packets ARE identifiable and
traceable (see http://grc.com/dos/attacklog.htm).

> It is the sheer number of zombies, and their distribution, which make the
> attack so effective.  Spoofing the source address would only set off
> ingress/egress filters at ISPs all along the way.

ONLY if the spoofed address were something wild, from outside the network
domain. If only the last one or two octets, for example, were randomly
changed for each packet or group of packets sent out, they would NOT trigger
the filters, because the spoofed address would still be a legitimate address
within the network. Further, the attack would appear to come from a much
larger population of computers within the ISP's network, most of which are
really not compromised. This would frustrate any investigation by leading to
countless dead-ends.

>
> >> IP spoofing is HARD.  At least, it is if you want to get something
> >> BACK.  It works great for DoS attacks,
> >
> > ...which is exactly what zombied machines are used for.
>
>   No, zombies are used for DDoS attacks, a particular kind of DoS.

The only difference in the definition is the "distributed" part, which
simply eliminates the need for a high-bandwidth pipe for each attacking
machine.

>
> > You want your army of zombies to lie undetected, waiting for you to
> > command them to attack.  And when they do, you DON'T want the users' ISP
> > to find them.
>
>   And spoofing the address would make them stick out like a sore thumb.
> If you are an ISP operating on network 64.128.55.0, and you suddenly start
> seeing packets coming from *within* your network with a source address of
> 132.99.44.33, you know they are spoofed.  If, on the other hand, they look
> like any of the other HTTP requests on your network, you just figure Yahoo
> is getting a little more traffic today.

See above. The attacking machines DO stick out like sore thumbs, because of
the type of traffic they generate. Spoofing another address that is not way
outside the network domain will not only get by the ISP's egress filters,
but make the attacking machines much more difficult to locate.

>
> > That's comforting--knowing that the reason we are not targeted more than
> > we are is simply because there are bigger (stupider) fish out there.
>
>   Bingo.  This has been a fundamental of the auto security world for
> years: Car alarms don't make your car impossible to steal.  They just make
> it easier to steal the car parked next to you.
>

So we need more tools for the internet like Lo-Jack, to find these malicious
hackers script kiddies and take them off the 'net for good.

Rich Cloutier
SYSTEM SUPPORT SERVICES
www.sysupport.com
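An added illustration of the filter-granularity point the two posters argue over (not code from either of them): an egress filter that checks only the ISP's aggregate prefix passes any in-prefix source address, while a per-port check (validating the source against the block actually assigned to the subscriber port, the strict form of BCP 38 style ingress filtering) rejects a source that belongs to a different customer. The 64.128.55.0 prefix and the 132.99.44.33 address come from the thread; the port assignments and sample packets are constructed.

```python
import ipaddress
from collections import namedtuple

# A packet as seen at the ISP edge: which subscriber port it arrived on,
# and the source address it claims.
Packet = namedtuple("Packet", ["ingress_port", "src"])

# Hypothetical ISP: announces 64.128.55.0/24 (prefix from the thread) and
# hands each subscriber port a small slice of it (assignments constructed).
ISP_PREFIX = ipaddress.ip_network("64.128.55.0/24")
PORT_ASSIGNMENTS = {
    "port-1": ipaddress.ip_network("64.128.55.0/30"),
    "port-2": ipaddress.ip_network("64.128.55.4/30"),
}


def prefix_filter(pkt):
    """Coarse egress filter: source only has to fall inside the ISP aggregate."""
    return ipaddress.ip_address(pkt.src) in ISP_PREFIX


def per_port_filter(pkt):
    """Strict filter: source must fall inside the block assigned to the
    port the packet physically arrived on."""
    assigned = PORT_ASSIGNMENTS.get(pkt.ingress_port)
    return assigned is not None and ipaddress.ip_address(pkt.src) in assigned


def classify(packets):
    """Map each source address to (passes_prefix_filter, passes_per_port_filter)."""
    return {p.src: (prefix_filter(p), per_port_filter(p)) for p in packets}


# Constructed sample traffic, all arriving on port-1.
SAMPLE = [
    Packet("port-1", "64.128.55.2"),    # genuine address for this port
    Packet("port-1", "132.99.44.33"),   # the out-of-network case from the thread
    Packet("port-1", "64.128.55.6"),    # in-prefix, but assigned to port-2
]

if __name__ == "__main__":
    for src, (coarse, strict) in classify(SAMPLE).items():
        print(f"{src:>14}  prefix-filter={coarse!s:5}  per-port-filter={strict}")
```

Only the per-port check flags the third packet; the coarse check treats it exactly like the genuine one.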



**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************