[4752] in North American Network Operators' Group
Re: syn attack and source routing
daemon@ATHENA.MIT.EDU (Vadim Antonov)
Fri Sep 27 17:28:02 1996
Date: Fri, 27 Sep 1996 14:18:58 -0700
From: Vadim Antonov <avg@quake.net>
To: alexis@panix.com, paul@vix.com
Cc: nanog@merit.edu
Alexis Rosen <alexis@panix.com> wrote:
> > Or better yet, the ICMP TRACEROUTE message, which would go
> > hop by hop and on every hop generates a response message.
> > Augmented with PROXY TRACEROUTE which will cause the destination
> > box to send out the ICMP TRACEROUTE.
>I'm very surprised that no one has mentioned what seems to me to be the
>*really* serious drawback to this scheme. Remember how much grief you had
>the last time someone did a news sendsys forged to your name? (If it's
>never happened to you, be glad...) This sort of attack got so bad that
>the default setup these days is to ignore sendsys.
Yes, indeed a single traceroute packet with a forged address can generate
many responses. However, there is at least one technique to eliminate
its usefulness as an attack weapon -- namely source address filtering
(which is going to be implemented anyway, sooner or later; there are
other types of attacks).
Another way is to have ICMP TRACEROUTE return one packet with all
information _and_ the IP address of the next hop router (i.e. replace
recursive behaviour with iterative). It is still more useful than the
UDP kludge; and it will still work in case of load-sharing.
Actually, the "multiplication" type of flooding attack is nothing
new, but such attacks are more easily done at the application level. For
example, connecting to different SNMP speakers and causing them to send a
long error reply to the target address. Or subscribing the victim to many
many mailing lists (including USENET gateways, urgh!). Or using MBONE
feeds creatively.
--vadim
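The exchange above turns on two points: a hop-by-hop ICMP TRACEROUTE lets one forged packet draw a reply from every router on the path, and either ingress source-address filtering at the edge or an iterative (one reply per query, carrying the next hop) design removes the multiplication. The following simulation is an added example, not code from the post or from any router vendor; the hop addresses, the per-interface prefix table and the packet layout are all constructed for illustration, and the message names and fields are assumptions rather than any standardised ICMP format.

```python
"""Added illustration of the amplification argument in the thread.
Everything here is constructed: NEXT_HOP, ASSIGNED and the Packet
fields are assumptions, not the real ICMP TRACEROUTE encoding."""
import ipaddress
from dataclasses import dataclass, field

# Constructed forwarding path: each router's next hop, ending at the host.
NEXT_HOP = {
    "10.0.0.1": "10.0.1.1",
    "10.0.1.1": "10.0.2.1",
    "10.0.2.1": "192.0.2.10",
    "192.0.2.10": None,          # destination host, last hop
}

# Constructed ingress-filter table: prefixes legitimately assigned to each
# customer-facing interface.  Source addresses outside them are forged.
ASSIGNED = {
    "cust-A": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-B": [ipaddress.ip_network("203.0.113.0/25")],
}


@dataclass
class Packet:
    src: str                      # source address (may be forged)
    dst: str                      # first router queried
    kind: str                     # "TRACEROUTE" or "TRACEROUTE-REPLY"
    payload: dict = field(default_factory=dict)


def forward_path(first_hop):
    """Routers traversed from first_hop to the destination, in order."""
    hops, cur = [], first_hop
    while cur is not None:
        hops.append(cur)
        cur = NEXT_HOP[cur]
    return hops


def recursive_traceroute(query):
    """Hop-by-hop design quoted in the thread: every router on the path
    answers the query's *source* address.  One forged packet therefore
    yields len(path) replies at the victim."""
    return [Packet(hop, query.src, "TRACEROUTE-REPLY", {"hop": hop, "ttl": ttl})
            for ttl, hop in enumerate(forward_path(query.dst), start=1)]


def iterative_traceroute(query):
    """Antonov's alternative: only the queried router answers, and its
    reply carries the next-hop address so the querier can continue."""
    hop = query.dst
    return [Packet(hop, query.src, "TRACEROUTE-REPLY",
                   {"hop": hop, "next": NEXT_HOP[hop]})]


def walk_iterative(src, first_hop):
    """Client side of the iterative design: one query per hop, following
    the next-hop field until the destination reports none."""
    hops, cur = [], first_hop
    while cur is not None:
        reply = iterative_traceroute(Packet(src, cur, "TRACEROUTE"))[0]
        hops.append(reply.payload["hop"])
        cur = reply.payload["next"]
    return hops


def amplification(handler, query):
    """Replies delivered to query.src per packet the sender emits."""
    return len(handler(query))


def ingress_permits(interface, pkt):
    """Source address filtering at the edge: accept a packet only if its
    source lies in a prefix assigned to the interface it arrived on."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in ASSIGNED.get(interface, []))


def replies_to_source(interface, pkt, handler):
    """Replies the packet's source address ends up receiving once the
    edge filter and the chosen TRACEROUTE design are both applied."""
    if not ingress_permits(interface, pkt):
        return 0                  # dropped at the edge, nothing to amplify
    return amplification(handler, pkt)


if __name__ == "__main__":
    victim = "192.0.2.200"        # constructed victim address
    forged = Packet(victim, "10.0.0.1", "TRACEROUTE")     # sent from cust-A
    print("recursive, no filter :", amplification(recursive_traceroute, forged))
    print("iterative, no filter :", amplification(iterative_traceroute, forged))
    print("recursive + filter   :", replies_to_source("cust-A", forged, recursive_traceroute))
    print("honest iterative walk:", walk_iterative("198.51.100.7", "10.0.0.1"))
```

The four-hop path makes the recursive design a 4:1 amplifier for a forged source, the iterative design a 1:1 exchange that still reaches every hop for an honest querier, and the edge filter reduces the forged case to zero regardless of which design the routers implement.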