North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: WANTED: ISPs with DDoS defense solutions

  • From: Michael.Dillon
  • Date: Wed Aug 06 05:19:56 2003

>> How would the spoofing program, or its user, be able to tell if
>> it was successful?  Unless I'm very confused, the definition of
>> spoofing is that the return packets aren't going to come back to you.

>the whole thing would have to take place during a tcp control session
>which used d-h to scramble itself, sort of the same way ssh does. 

Diffie-Hellmann is a bit overkill.

It's simpler to have the client open a TCP connection to the server, 
retrieve a token which is just some reasonable number of random bits like 
64, then send the token back in a set of UDP packets using spoofed 
addresses, then pause for a second or two and ask the server (through the 
TCP connection) whether it saw the spoofed packets. Three UDP packets 
should be enough to eliminate most packet loss scenarios and the spoofed 
address could be chosen by munging the first octet to a number from 44 to 
54.

That's enough for the server to collect stats and to provide a status 
report to the client.

If the client is behind a NAT, and the spoofed source address doesn't get 
through, then that's OK because it means that no application in that same 
location behind the NAT can use spoofed addresses.

--Michael Dillon