Bugtraq mailing list archives

Re: The Art of Unspoofing


From: Darren Reed <avalon () coombs anu edu au>
Date: Thu, 19 Sep 2002 12:11:33 +1000 (Australia/ACT)

In some mail from eric.prince () cox net, sie said:
[...]
The Resolution Theory 
 
      The idea is simple. Usually, when a denial of service attack is 
initiated against a target host, it's something like: 
      
      # ./attack target.com

      In order to send the spoofed packets to target.com, the attacker's 
nameserver has to resolve its domain name to an IP address, and only 
then can it inject the malicious packets. In theory, the nameservers 
for target.com will receive packets originating from the true source 
host of the attack or their nameserver.
[...]

An adjunct to this is that nearly all applications will only ever resolve
a hostname _once_.  So if ./attack will start an attack that lasts for
8 hours (say) but our DNS TTL is only 1 hour, we can change the IP# of
target.com and the attack can be deflected.  How low do you go with a
TTL in DNS so you can react in this manner without pushing too much work
back on to DNS ?  Don't know.  I'm sure this is well known, though ?

Darren
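
Added example, not part of the original message or of the quoted post: the "Resolution Theory" applied on the defender's side to the query log of a target.com authoritative nameserver, listing the resolvers whose A lookups fall within one TTL of the attack start. The log format, addresses, timestamps and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample: authoritative-server query log in a simplified format,
# "<ISO timestamp> <resolver IP> <qname> <qtype>" (an assumption, not the
# output format of any particular DNS server).
QUERY_LOG = """\
2002-09-19T09:12:40 192.0.2.53 www.target.com A
2002-09-19T10:58:02 198.51.100.7 target.com A
2002-09-19T11:20:00 192.0.2.77 target.com A
2002-09-19T11:59:31 203.0.113.25 target.com A
2002-09-19T11:59:58 203.0.113.25 target.com MX
2002-09-19T12:00:20 198.51.100.7 target.com A
2002-09-19T12:40:00 192.0.2.99 target.com A
"""

def parse(log):
    """Yield (timestamp, resolver_ip, qname, qtype) for each log line."""
    for line in log.splitlines():
        ts, ip, qname, qtype = line.split()
        yield datetime.fromisoformat(ts), ip, qname.rstrip(".").lower(), qtype

def candidate_resolvers(log, name, attack_start, ttl_seconds, slack_seconds=60):
    """Resolvers whose lookup of `name` could have fed the attacking host.

    A cached answer is usable for at most one TTL, so only A queries in
    [attack_start - ttl, attack_start + slack] are kept. A lower TTL
    therefore narrows the window and the list of leads.
    """
    earliest = attack_start - timedelta(seconds=ttl_seconds)
    latest = attack_start + timedelta(seconds=slack_seconds)
    hits = {}
    for ts, ip, qname, qtype in parse(log):
        if qname == name and qtype == "A" and earliest <= ts <= latest:
            # Remember the latest in-window lookup per resolver.
            hits[ip] = max(hits.get(ip, ts), ts)
    # Most recent lookup first.
    return sorted(hits.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    start = datetime(2002, 9, 19, 12, 0, 0)  # constructed attack onset
    for ttl in (3600, 300):
        print(ttl, [ip for ip, _ in candidate_resolvers(QUERY_LOG, "target.com", start, ttl)])
```
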
