[60306] in North American Network Operators' Group


Re: WANTED: ISPs with DDoS defense solutions

daemon@ATHENA.MIT.EDU (Paul Vixie)
Wed Aug 6 02:13:01 2003

From: Paul Vixie <paul@vix.com>
To: nanog@merit.edu
In-Reply-To: Message from Barney Wolff <barney@databus.com> 
	of "Tue, 05 Aug 2003 21:31:46 -0400."
	<20030806013146.GA58554@pit.databus.com> 
Date: Wed, 06 Aug 2003 06:12:26 +0000
Errors-To: owner-nanog-outgoing@merit.edu


> How would the spoofing program, or its user, be able to tell if
> it was successful?  Unless I'm very confused, the definition of
> spoofing is that the return packets aren't going to come back to you.

the whole thing would have to take place during a tcp control session
which used d-h to scramble itself, sort of the same way ssh does.  the
random address/addresses would be chosen by the server.  the only info
the initiator would gain is a count of how many spoofed packets made
it in; this could be left out if we feared that bad people would profit
from being able to use this tester.  (we don't, though, since they have
their own ways of knowing whether spoofing is working from a given source,
and we don't think they'd want us to know what sources they were testing.)

> I can imagine a packet format where the real source address was in the
> data, but with no authentication this would itself be subject to abuse.
> ...
> Doing this from behind a NAT would be difficult.

one hopes that a nat box would also complicate the lives of spoofers.

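A constructed Python sketch of the accounting half of the tester described above (added here as an illustration, not code from the thread): the server picks the source addresses, each probe carries a tag under the session key, and the only thing handed back is the count of correctly tagged probes that arrived. The key derivation, session id and addresses are stand-ins for whatever a real D-H control session would negotiate.

```python
import hashlib
import hmac
import ipaddress
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    """A probe as the server sees it: the (spoofed) source address and its tag."""
    src: str
    tag: bytes


def session_key(dh_shared_secret: bytes) -> bytes:
    """Derive a per-session key from the D-H shared secret (constructed KDF stand-in)."""
    return hashlib.sha256(b"spoof-tester-session" + dh_shared_secret).digest()


def choose_sources(rng: random.Random, count: int) -> list[str]:
    """Server side: pick the random source addresses the client is asked to emit from."""
    picked: set[str] = set()
    while len(picked) < count:
        picked.add(str(ipaddress.IPv4Address(rng.getrandbits(32))))
    return sorted(picked)


def probe_tag(key: bytes, session_id: bytes, src: str) -> bytes:
    """Tag binding one probe to this session; without it anyone could forge 'arrivals'."""
    return hmac.new(key, session_id + src.encode(), hashlib.sha256).digest()[:16]


def client_build_probes(key: bytes, session_id: bytes, sources: list[str]) -> list[Probe]:
    """Client side: one tagged probe per server-chosen source address."""
    return [Probe(s, probe_tag(key, session_id, s)) for s in sources]


def server_count_arrivals(key: bytes, session_id: bytes,
                          sources: list[str], arrived: list[Probe]) -> int:
    """Server side: count distinct chosen sources whose probe arrived with a valid tag.

    Duplicates, probes for addresses the server never asked for, and probes tagged
    under the wrong key are all ignored, so the count is the only information leaked.
    """
    expected = {s: probe_tag(key, session_id, s) for s in sources}
    seen: set[str] = set()
    for p in arrived:
        want = expected.get(p.src)
        if want is not None and hmac.compare_digest(want, p.tag):
            seen.add(p.src)
    return len(seen)
```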