North American Network Operators Group

Re: New Denial of Service Attack on Panix
Well, my understanding of your idea was that you proposed to detect SYN packets with unroutable src addresses before they hit the SYN_RCVD queue. The only way to deem them unroutable is to observe ICMP_UNREACHs hitting the box in large numbers.

Now my first paragraph just means that an SRC address might be a perfectly routable one without its being real - an unused address on an ethernet segment is enough for the attack. Or thousands of them for an untraceable attack.

Dima

Tim Bass writes:
>
> > It will, except that a slight modification of the attack (using IP
> > addresses that _don't_ produce ICMP_UNREACH) will get us back to square
> > one.
> >
> > Anyway, filtering packets with SRC addresses known to generate
> > ICMP_UNREACH at the earliest possible stage might be a good idea.
>
> I understand paragraph two, but about paragraph 1....
>
> When I ran the TCP SYN attack using routable source addresses,
> before I patched my attack kernel to allow Spoofers, I
> literally beat-to-death a server on the same subnet and
> the attack had no effect.
>
> However, when I hacked the kernel to allow spoofed addresses,
> the attack was severe and immediate. So, from my tests,
> the attack is only successful when the bogus source address
> is UNREACHABLE (which is a defense in the non-random
> attack).
>
> For clarity, the attack only works when the IP source address
> is UNREACHABLE; this has been my observation here in the lab using
> a source address from my net (however I haven't confirmed this
> with a good source address in another domain but I will...)
>
> Tim
>
> > Tim
> >
> > Dima
> >
> > - - - - - - - - - - - - - - - - -
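The three cases the thread argues over (a real host that answers the SYN-ACK with RST, an unreachable source that produces ICMP_UNREACH, and a routable-but-unused address that produces neither) can be modelled as a half-open queue plus Dima's proposed ICMP_UNREACH counter. This is an added simulation written for this archive page, not code from either poster; the class names, the queue sizes and the address 198.51.100.7 are constructed assumptions.

```python
# Constructed model of the SYN_RCVD queue and an ICMP_UNREACH-based SYN filter.
from collections import Counter

class SynQueue:
    """Half-open (SYN_RCVD) queue: one slot per pending handshake, freed on RST or timeout."""
    def __init__(self, capacity, timeout):
        self.capacity, self.timeout = capacity, timeout
        self.pending = {}                      # (src, port) -> tick at which the entry expires

    def add(self, key, now):
        self.pending = {k: t for k, t in self.pending.items() if t > now}   # expire stale entries
        if len(self.pending) >= self.capacity:
            return False                       # queue full: the SYN is dropped, service denied
        self.pending[key] = now + self.timeout
        return True

    def release(self, key):
        self.pending.pop(key, None)            # an RST from the peer tells us it will never complete


class UnreachFilter:
    """Dima's heuristic: once a source has produced `threshold` ICMP_UNREACHs, drop its SYNs early."""
    def __init__(self, threshold):
        self.threshold, self.counts = threshold, Counter()

    def note_unreach(self, src):
        self.counts[src] += 1

    def allows(self, src):
        return self.counts[src] < self.threshold


def run(kind, n_syns, capacity=8, timeout=100, threshold=3):
    """Send n_syns from one spoofed source of the given kind.
    Returns (queued, dropped_by_filter, dropped_queue_full)."""
    q, f, src = SynQueue(capacity, timeout), UnreachFilter(threshold), "198.51.100.7"  # constructed
    queued = filtered = full = 0
    for i in range(n_syns):
        if not f.allows(src):
            filtered += 1                      # rejected before it can occupy a SYN_RCVD slot
            continue
        key = (src, 40000 + i)
        if not q.add(key, i):
            full += 1
            continue
        queued += 1
        if kind == "real_host":                # Tim's first test: the host answers with RST, slot freed
            q.release(key)
        elif kind == "unreachable":            # router answers the SYN-ACK with ICMP_UNREACH; slot lingers
            f.note_unreach(src)
        # "unused_on_segment": Dima's caveat, no RST and no ICMP, so neither defence ever fires
    return queued, filtered, full
```

With the filter disabled (a huge threshold) the unreachable case fills the queue exactly like the unused-address case, which is the "square one" Dima describes.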