[47369] in North American Network Operators' Group


Re: DDOS attacks and Large ISPs doing NAT?

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Thu May 2 14:45:40 2002

Message-Id: <200205021842.g42IgVQn015863@foo-bar-baz.cc.vt.edu>
To: "Mansey, Jon" <Jon_Mansey@verestar.com>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Thu, 02 May 2002 11:32:48 PDT."
             <43CAA8BAF8A21049B3ABF1A70AED597532EE90@laxexg01.la.interpacket.net> 
From: Valdis.Kletnieks@vt.edu
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_-378038083P";
	 micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Thu, 02 May 2002 14:42:31 -0400
Errors-To: owner-nanog-outgoing@merit.edu


--==_Exmh_-378038083P
Content-Type: text/plain; charset=us-ascii

On Thu, 02 May 2002 11:32:48 PDT, "Mansey, Jon" said:

> As I said, in a NAT'd scenario the IP stack will never see an unsolicited
> request and hence not respond to it.
> 
> The phone side of course will ring when called. Duh.

That's the *point*.

You hand the phone a trojan/virus/whatever when it's making an OUTBOUND
connection on the NAT side (for instance, if the PDA side is checking
mail, feed it a trojaned piece of mail).  You then have the trojan drop
you a note "Oh, and my phone number is XXX-YYYY".

Then, when it's time to attack somebody, you send the phone a page that
tells the trojan "Hey XXX-YYYY, wake up and pound on victim address <whatever>".
With proper encoding of the page, the phone's owner may even just say
"Damn, more <bleeping> Korean spam in characters I can't read", and not notice
that 45 seconds later, the phone starts chirping away by itself....

The point is that you can contact the phone via *non-NAT* means and have it
launch an attack - the fact you can't wake it up via NAT can be worked around.
-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech


--==_Exmh_-378038083P--
