Penetration Testing mailing list archives
Re: DoS/DDoS Attack
From: Peter Van Epp <vanepp () sfu ca>
Date: Fri, 14 Jan 2005 08:40:09 -0800
On Fri, Jan 14, 2005 at 11:06:25AM +0500, Faisal Khan wrote:
Folks, two quick questions. When IP (source) addresses are spoofed, is there no way of determining (a) that the IP source address is spoofed and not the genuine one
Without more information than just the packet, no. If you are at the origin of the packet (which generally you won't be) then it would be possible to tell, but practically the answer is no (see the more complete explanation below).
(b) to be able to determine the actual IP address that is sending DoS packets? Somehow I get the feeling I'm SOL when trying to find out the "genuine/actual" source IP address.
Again in practical terms yes. It is possible in theory (but having tried it in practice, I'll stand by my original answer :-)), but to track it back to the source you need to trace the MAC address back up the path from router to router until you come to the interface where the packets are originating. Then you can either identify the machine by its MAC address (assuming that isn't being spoofed too) or track the traffic to a physical port and from there to a machine (if by no other method than unplugging cables one at a time till the traffic stops). This of course requires you to be able to convince your upstream provider(s) to track a MAC through their routers and in practice that usually isn't going to happen.
If this is the case, then pretty much we all are helpless with DoS/DDoS attacks - considering one can write a script/program to keep incrementing or randomly assigning spoofed source addresses in the DoS packets being sent out.
By and large yes. If the spoofing is only a single source address you may be able to get your upline provider to filter it (and you may not, because they then end up paying for the traffic that they can't bill you for because they didn't deliver it :-)), but stopping an attack from a wide network of zombied machines is pretty much impossible. All you could do would be to have enough capacity to be able to absorb the DDoS traffic and still survive (but that may well be too costly in bandwidth charges).

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
Faisal

Faisal Khan, CEO
Net Access Communication Systems (Private) Limited
________________________________
Network Security - Secure Web Hosting
Managed Internet Services - Secure Email
Dedicated Servers - Reseller Hosting
Visit www.netxs.com.pk for more information.
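As an added illustration of the "more information than just the packet" point in the reply above (this is not code from the thread or from either poster): a BCP38-style plausibility check that uses knowledge of which prefixes belong on which interface, plus a distinct-source count that surfaces the incrementing/random-source pattern Faisal describes. Interface names, prefixes and the packet list are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed topology: the one block that legitimately originates on our "lan" side.
# Everything else should only ever arrive on the "upstream" interface.
OUR_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
# Source ranges that are never valid on either side (RFC 1918, loopback, link-local, multicast).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

def classify(pkt):
    """Return 'bogon', 'spoofed' or 'plausible' for one packet dict
    of the form {'iface': 'lan'|'upstream', 'src': str, 'dst': str}."""
    src = ipaddress.ip_address(pkt["src"])
    if any(src in net for net in BOGONS):
        return "bogon"            # never a valid public source on any interface
    ours = any(src in net for net in OUR_PREFIXES)
    if pkt["iface"] == "lan" and not ours:
        return "spoofed"          # our side emitting someone else's address (egress filter)
    if pkt["iface"] == "upstream" and ours:
        return "spoofed"          # outside traffic claiming to be us (ingress filter)
    return "plausible"

def random_source_flood(pkts, min_distinct=8):
    """Per destination, count distinct sources that passed the plausibility check.
    A flood that increments or randomises its source shows up as many sources per target,
    which is the pattern the topology check alone cannot stop."""
    seen = defaultdict(set)
    for p in pkts:
        if classify(p) == "plausible":
            seen[p["dst"]].add(p["src"])
    return {dst: len(s) for dst, s in seen.items() if len(s) >= min_distinct}

SAMPLE = [  # constructed sample traffic
    {"iface": "upstream", "src": "203.0.113.7", "dst": "198.51.100.10"},
    {"iface": "upstream", "src": "198.51.100.9", "dst": "198.51.100.10"},  # claims to be us
    {"iface": "lan", "src": "10.1.2.3", "dst": "203.0.113.1"},             # bogon source
    {"iface": "lan", "src": "203.0.113.50", "dst": "203.0.113.1"},         # not our block
] + [{"iface": "upstream", "src": f"203.0.113.{i}", "dst": "198.51.100.10"}
     for i in range(20, 30)]                                                # many sources, one target

if __name__ == "__main__":
    for p in SAMPLE[:4]:
        print(p["iface"], p["src"], classify(p))
    print(random_source_flood(SAMPLE))
```

The topology check catches only the two cases where the address contradicts the interface it arrived on; a source that is plausible for its interface is indistinguishable from a genuine one, which is the reply's point.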