[27123] in bugtraq
Re: The Art of Unspoofing
daemon@ATHENA.MIT.EDU (Darren Reed)
Thu Sep 19 16:04:55 2002
From: Darren Reed <avalon@coombs.anu.edu.au>
Message-Id: <200209190211.MAA07281@caligula.anu.edu.au>
To: eric.prince@cox.net
Date: Thu, 19 Sep 2002 12:11:33 +1000 (Australia/ACT)
In-Reply-To: <20020918030804.SBMH1344.lakemtao08.cox.net@smtp.central.cox.net> from "eric.prince@cox.net" at Sep 17, 2002 11:08:02 PM
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
In some mail from eric.prince@cox.net, sie said:
[...]
> The Resolution Theory
>
> The idea is simple. Usually, when a denial of service attack is
> initiated against a target host, it's something like:
>
> # ./attack target.com
>
> In order to send the spoofed packets to target.com, the attackers
> nameserver has to resolve its domain name to an IP address, and only
> then can it inject the malicious packets. In theory, the nameservers
> for target.com will receive packets originating from the true source
> host of the attack or their nameserver.
[...]
An adjunct to this is that nearly all applications will only ever resolve
a hostname _once_. So if ./attack will start an attack that lasts for
8 hours (say) but our DNS TTL is only 1 hour, we can change the IP# of
target.com and the attack can be deflected. How low do you go with a
TTL in DNS so you can react in this manner without pushing too much work
back on to DNS? Don't know. I'm sure this is well known, though?
Darren
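The detection side of the Resolution Theory quoted above, as an added example that is not part of the thread: if the attacker's resolver must ask target.com's authoritative nameserver shortly before the flood begins, the nameserver's own query log, correlated with the flood's onset time, points at the resolver that asked. The log format, the addresses and the timestamps below are constructed for illustration.

```python
"""Correlate an authoritative nameserver's query log with a flood's onset.

Given the log and the time the flood was first seen, list the resolvers
that asked for the target name inside a lookback window. The one that asked
moments before the flood is the strongest lead. (Constructed example.)
"""
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO timestamp> <client-ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2002-09-17T22:58:10 192.0.2.10 www.target.com A
2002-09-17T23:05:41 198.51.100.7 target.com A
2002-09-17T23:07:55 203.0.113.9 target.com A
2002-09-17T23:07:59 203.0.113.9 target.com AAAA
2002-09-17T23:30:00 192.0.2.10 mail.target.com MX
"""


def parse_log(text):
    """Yield (timestamp, client_ip, qname) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, _qtype = m.groups()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip(".")


def suspects_before_onset(log_text, target, onset_iso, lookback_seconds):
    """Return {client_ip: [iso timestamps]} for resolvers that queried `target`
    within `lookback_seconds` before `onset_iso`, most recent querier first."""
    onset = datetime.fromisoformat(onset_iso)
    window_start = onset - timedelta(seconds=lookback_seconds)
    target = target.lower().rstrip(".")
    hits = {}
    for ts, client, qname in parse_log(log_text):
        if qname == target and window_start <= ts <= onset:
            hits.setdefault(client, []).append(ts.isoformat())
    return dict(sorted(hits.items(), key=lambda kv: max(kv[1]), reverse=True))


if __name__ == "__main__":
    # Flood first seen at 23:08:02; look back five minutes.
    for ip, times in suspects_before_onset(SAMPLE_LOG, "target.com",
                                           "2002-09-17T23:08:02", 300).items():
        print(ip, times)
```

Only queries for the exact name are counted; a narrower window shrinks the candidate list, and Darren's point about one-time resolution means the query of interest is usually a single lookup right before the flood, not a stream of them.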