[4932] in North American Network Operators' Group
Re: New Denial of Service Attack on Panix
daemon@ATHENA.MIT.EDU (Tim Bass)
Wed Oct 2 17:52:27 1996
From: Tim Bass <bass@cactus.silkroad.com>
To: dvv@sprint.net (Dima Volodin)
Date: Wed, 2 Oct 1996 17:41:29 -0400 (EDT)
Cc: kwe@6SigmaNets.com, nanog@merit.edu, iepg@iepg.org
In-Reply-To: <199610022132.RAA29908@mercury.int.sprintlink.net> from "Dima Volodin" at Oct 2, 96 05:32:52 pm
>
> It will, except that a slight modification of the attack (using IP
> addresses that _don't_ produce ICMP_UNREACH) will get us back to square
> one.
>
> Anyway, filtering packets with SRC addresses known to generate
> ICMP_UNREACH at the earliest possible stage might be a good idea.

I understand paragraph two, but about paragraph 1....

When I ran the TCP SYN attack using routable source addresses,
before I patched my attack kernel to allow Spoofers, I
literally beat-to-death a server on the same subnet and
the attack has no effect.

However, when I hacked the kernel to allow spoofed addresses,
the attack was severe and immediate. So, from my tests,
the attack is only successful when the bogus source address
is UNREACHABLE (which is a defense in the non-random
attack).

For clarity, the attack only works when the IP source address
is UNREACHABLE, this has been my observation here in the lab using
a source address from my net (however I haven't confirmed this
with a good source address in another domain but I will...)

Tim

>
> > Tim
>
> Dima
>