Security Basics mailing list archives

RE: Traces


From: Fernando Gont <fernando () gont com ar>
Date: Wed, 31 Dec 2003 17:16:36 -0300

At 14:46 16/12/2003 -0800, Shawn Jackson wrote:

        Sorry, I can't think of any off hand. But I'll try and give you
a little information, if it helps at all. Depending on the type of
attack, how you will trace varies. For example, if you're suffering from
a DDoS attack, the chances that the originating IP address is that of
the initiator of the attack are slim to none. Additionally, if it's a
no-response attack (SYN flood, teardrop), the return path address in the
IP header is most likely forged, seeing as they don't require return
traffic.

For SYN flood and teardrop, you can probably have an idea of how many hops away the attacker is by guessing the initial TTL and looking at the TTL of the incoming SYN.
Of course, this will be useless if the initial TTL was set to a random number.

For some types of DDoS, such as the "reflection" attacks, if the reflecting hosts cooperate, you could use the same technique to have an idea of where the attacker is.

In that case, you could do "triangulation" based on the TTL field of the packets that get to the reflectors, and thus find (or have an idea of) where the attacker is.

Of course, if the attacker sets the TTL field to some "unusual" value, this "technique" will be useless.


--
Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org
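The TTL-based distance estimate and the reflector "triangulation" described in the reply above, as an added example that is not part of the original post. It assumes the usual initial TTL values of common IP stacks (32, 64, 128, 255), a cap of 30 hops beyond which a TTL is treated as "unusual", and, for the triangulation step, that the hop distance from each candidate source to each reflector is already known (from traceroute or topology data); the flood and reflector TTL samples are constructed for the demonstration.

```python
from collections import Counter

# Initial TTL values used by widespread IP stacks (assumption: 32 on old
# Windows, 64 on Linux/BSD/macOS, 128 on Windows, 255 on Solaris/Cisco).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

# Internet paths rarely exceed ~30 hops; a larger estimate suggests the
# sender picked an unusual (random) initial TTL, which defeats the method.
MAX_PLAUSIBLE_HOPS = 30


def guess_initial_ttl(observed_ttl):
    """Smallest common initial TTL that is >= the observed TTL."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return None


def estimate_hops(observed_ttl):
    """Return (guessed_initial_ttl, hops) or None if the TTL looks unusual."""
    if not 1 <= observed_ttl <= 255:
        return None
    initial = guess_initial_ttl(observed_ttl)
    hops = initial - observed_ttl
    if hops > MAX_PLAUSIBLE_HOPS:
        return None
    return initial, hops


def summarise_flood(observed_ttls):
    """Hop-count histogram over the SYNs of a flood plus a count of unusual
    TTLs. A tight cluster points at one real distance; a wide spread or many
    unusual values suggests the attacker randomises the TTL."""
    hops = Counter()
    unusual = 0
    for ttl in observed_ttls:
        est = estimate_hops(ttl)
        if est is None:
            unusual += 1
        else:
            hops[est[1]] += 1
    return hops, unusual


def triangulate(reflector_ttls, candidate_distances):
    """reflector_ttls: {reflector: TTL seen by that reflector}.
    candidate_distances: {candidate_source: {reflector: known hop count}}
    (assumed known). Returns (best_candidate, total_hop_error), or None if any
    reflector saw an unusual TTL, since the estimate is then meaningless."""
    best, best_error = None, None
    for candidate, dists in candidate_distances.items():
        error = 0
        for reflector, ttl in reflector_ttls.items():
            est = estimate_hops(ttl)
            if est is None:
                return None
            error += abs(est[1] - dists[reflector])
        if best_error is None or error < best_error:
            best, best_error = candidate, error
    return best, best_error


if __name__ == "__main__":
    # Constructed SYN flood sample: most packets arrive with TTL 52, a few
    # with 51 (path flap), and one with TTL 200 (unusual initial TTL).
    flood = [52] * 8 + [51] * 2 + [200]
    print(summarise_flood(flood))

    # Constructed reflector observations and candidate topology.
    seen = {"r1": 118, "r2": 115, "r3": 120}
    topology = {
        "A": {"r1": 10, "r2": 13, "r3": 8},
        "B": {"r1": 5, "r2": 9, "r3": 14},
    }
    print(triangulate(seen, topology))
```

The histogram is the useful part in practice: a single dominant hop count is evidence of one real source (or one spoofing host), while a flat spread means the TTL is being randomised and nothing can be inferred from it.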




