On Sun, Jul 08, 2001 at 01:54:52PM -0000, Rich Cloutier wrote:
>> It is the sheer number of zombies, and their distribution, which
>> make the attack so effective. Spoofing the source address would
>> only set off ingress/egress filters at ISPs all along the way.
>
> ONLY if the spoofed address were something wild, from outside the
> network domain. If only the last one or two octets, for example,
> were randomly changed for each packet or group of packets sent out,
> they would NOT trigger the filters, because the spoofed address
> would still be a legitimate address within the network.
Not necessarily. In fact, if the particular IP chosen were not in use
at the compromised host's site, then THEIR OWN FIREWALL might filter
the packets. I have to agree with Ben here... if you want to ensure
success, you don't want to spoof your addresses.
> Further, the attack would appear to come from a much larger
> population of computers within the ISP's network, most of which are
> really not compromised. This would frustrate any investigation by
> leading to countless dead-ends.
Again, not necessarily. If they're doing sufficient logging on their
network devices, they might be able to trace the MAC address.
> > > That's comforting--knowing that the reason we are not targeted more than
> > > we are is simply because there are bigger (stupider) fish out there.
> >
> > Bingo. This has been a fundamental of the auto security world for years:
> > Car alarms don't make your car impossible to steal. They just make it easier
> > to steal the car parked next to you.
> >
>
> So we need more tools for the internet like Lo-Jack, to find these malicious
> hackers script kiddies and take them off the 'net for good.
Again, assuming they're in your jurisdiction. I'd venture a guess
that the majority of them aren't. So good luck. This is precisely
what makes these attacks so problematical. The victim really has NO
recourse. And unless your attacker has done a large amount of
quantifiable damage, there's very little penalty, even if you do catch
them. Much as if they'd thrown a rock through your window. Because
in effect, in most cases, that's about what they've done.
--
---------------------------------------------------
Derek Martin | Unix/Linux geek
[EMAIL PROTECTED] | GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
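The exchange above turns on three cases: a "wild" spoofed source outside the site's prefix (caught by an ordinary ingress/egress filter), a spoofed source inside the prefix that the site never assigned (the "their own firewall might filter" case), and a spoofed source that is a neighbour's legitimate address (which only MAC-level logging on the first-hop device can attribute). The following Python model, added here as an illustration and not part of the thread, shows how each filter treats each case. The prefix, the address-to-MAC assignment table, and the sample packets are all constructed for the example.

```python
"""Model of edge egress filtering and MAC attribution for spoofed sources.

Added illustration for the thread above.  The prefix, assignment table,
MAC addresses and packets are constructed and are not from the discussion.
"""
import ipaddress
from dataclasses import dataclass

# Constructed site prefix (RFC 5737 documentation range).
SITE_PREFIX = ipaddress.ip_network("192.0.2.0/24")

# Constructed assignment table: addresses the site has actually handed out
# (DHCP leases or static assignments) and the MAC that legitimately holds each.
ASSIGNED = {
    "192.0.2.10": "00:00:5e:00:53:0a",
    "192.0.2.11": "00:00:5e:00:53:0b",
    "192.0.2.50": "00:00:5e:00:53:32",
}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str  # hardware address observed on the first-hop switch port


def prefix_filter(src_ip: str, prefix=SITE_PREFIX) -> str:
    """Ordinary edge egress filter (BCP 38 style): a packet may leave the
    site only if its source address lies inside the site's own prefix."""
    return "pass" if ipaddress.ip_address(src_ip) in prefix else "drop"


def assignment_filter(src_ip: str, assigned=ASSIGNED) -> str:
    """Stricter site-internal filter: only addresses the site has actually
    assigned may pass.  This is the 'their own firewall might filter' case
    for an in-prefix address that nobody at the site is using."""
    return "pass" if src_ip in assigned else "drop"


def attribute(pkt: Packet, assigned=ASSIGNED) -> str:
    """What a log that records source MAC alongside source IP lets an
    investigator conclude about the packet."""
    owner = assigned.get(pkt.src_ip)
    if owner is None:
        return "unassigned-source"
    if owner == pkt.src_mac:
        return "consistent"
    # The address belongs to another host; the MAC points at the real sender.
    return f"spoofed-from:{pkt.src_mac}"


def evaluate(pkt: Packet) -> dict:
    """Run both filters and the attribution step over one packet."""
    return {
        "src_ip": pkt.src_ip,
        "prefix_filter": prefix_filter(pkt.src_ip),
        "assignment_filter": assignment_filter(pkt.src_ip),
        "attribution": attribute(pkt),
    }


# Constructed traffic, all sent by one compromised host that holds 192.0.2.10.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "00:00:5e:00:53:0a"),   # its own address
    Packet("203.0.113.7", "00:00:5e:00:53:0a"),  # "wild" spoof outside the prefix
    Packet("192.0.2.200", "00:00:5e:00:53:0a"),  # in-prefix spoof of an unused address
    Packet("192.0.2.11", "00:00:5e:00:53:0a"),   # in-prefix spoof of a neighbour's address
]


def run(packets=SAMPLE_PACKETS) -> list:
    """Evaluate every sample packet; returns one result dict per packet."""
    return [evaluate(p) for p in packets]


if __name__ == "__main__":
    for row in run():
        print(row)
```

Only the first packet is clean on every check. The out-of-prefix spoof is dropped at the edge, the unused in-prefix address passes the edge filter but is dropped by the assignment-aware one, and the neighbour's address passes both filters yet is attributable the moment the first-hop device logs the source MAC with the source IP, which is the logging the reply above is relying on.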