Re: DoS/DDoS Attack

From: Demetrio Carrión (demetrio.carrion@gmail.com)
Date: Thu Feb 10 2005 - 08:37:57 EST


Hi folks,

> When IP (Source) addresses are spoofed, is there no way of determining (a)
> that the IP Source Address is spoofed and not the genuine one

Maybe one could inspect the spoofed packet and fingerprint the OS,
then fingerprint the machine that really hosts the IP source address
received.

You could infer the IP was spoofed if the fingerprints are
different. Drawbacks:
- DHCP hosts
- Attacking host OS = Real Host OS (IP Source Address)
- Is it useful anyway? The point is: I presume it is not "completely"
impossible to discover that we are dealing with a spoofed address.

>If this is the case, then pretty much we all are helpless with DoS/DDoS
>attacks - considering one can write a script/program to keep incrementing
>or randomly assigning spoofed source addresses in the DoS packets being
>sent out.

There are some techniques like IP Traceback and Backscattering that
can prevent and trace back DoS/DDoS attacks, although they require
major changes in protocols.

Regards,

Demetrio Carrión
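
The fingerprint comparison suggested in the message above, as an added example that is not part of the original post: it extracts OS-dependent fields (inferred initial TTL, DF bit, TCP window, option order) from a raw IPv4/TCP packet and compares them with a reference fingerprint assumed to have been recorded from the genuine host. All packets, addresses, option layouts and function names are constructed for illustration.

```python
import struct

def initial_ttl(ttl):
    # Round the observed TTL up to the nearest common initial value.
    return next(g for g in (32, 64, 128, 255) if ttl <= g)

def passive_fingerprint(pkt):
    """Extract OS-dependent header fields from a raw IPv4 + TCP packet."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag, ttl, proto = struct.unpack_from("!HBB", pkt, 6)
    if proto != 6 or len(pkt) < ihl + 20:
        raise ValueError("not a complete TCP header")
    window, = struct.unpack_from("!H", pkt, ihl + 14)
    opts = pkt[ihl + 20: ihl + (pkt[ihl + 12] >> 4) * 4]
    kinds, i = [], 0
    while i < len(opts) and opts[i] != 0:      # kind 0 = end of option list
        kinds.append(opts[i])
        if opts[i] == 1:                       # NOP is a single byte
            i += 1
        elif i + 1 < len(opts) and opts[i + 1] >= 2:
            i += opts[i + 1]                   # skip kind, length and value
        else:
            break                              # malformed option length
    return {"ittl": initial_ttl(ttl), "df": bool(flags_frag & 0x4000),
            "window": window, "opts": tuple(kinds)}

def spoof_verdict(observed, reference):
    # "consistent" is not proof of a genuine source: an attacker running the
    # same OS as the real host (the drawback noted above) looks identical.
    diff = sorted(k for k in reference if observed[k] != reference[k])
    return ("mismatch", diff) if diff else ("consistent", [])

def build_syn(ttl, df, window, options):
    """Build a constructed SYN from 192.0.2.10 (documentation address)."""
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      (tcp_len // 4) << 4, 0x02, window, 0, 0)
    return ip + tcp + options

# Constructed option layouts: MSS,SACK-perm,TS,NOP,WS and MSS,NOP,WS,NOP,NOP,SACK-perm
OPTS_A = bytes.fromhex("020405b40402080a00000001000000000103030700"[:40])
OPTS_B = bytes.fromhex("020405b4010303080101" "0402")

if __name__ == "__main__":
    reference = passive_fingerprint(build_syn(52, True, 29200, OPTS_A))
    print(spoof_verdict(passive_fingerprint(build_syn(113, True, 8192, OPTS_B)), reference))
```

The reference fingerprint goes stale when the address is reassigned (the DHCP drawback above), so it has to be refreshed close to the time of the comparison.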


