Network Security Pen-Test

Re: DoS/DDoS Attack

Subject: Re: DoS/DDoS Attack
Date: Fri, 14 Jan 2005 08:40:09 -0800
On Fri, Jan 14, 2005 at 11:06:25AM +0500, Faisal Khan wrote:


Folks,

Two quick questions.

When IP (source) addresses are spoofed, is there no way of determining (a) 
that the IP source address is spoofed and not the genuine one 

        Without more information than just the packet, no. If you are at the
origin of the packet (which generally you won't be) then it would be possible
to tell, but practically the answer is no (see the more complete explanation
below).

(b) to be able to determine the actual IP address that is sending DoS packets?

Somehow I get the feeling I'm SOL when trying to find out the 
"genuine/actual" source IP address.

        Again, in practical terms, yes. It is possible in theory (but having 
tried it in practice, I'll stand by my original answer :-)), but to track it 
back to the source you need to trace the MAC address back up the path from 
router to router until you come to the interface where the packets are 
originating.  Then you can either identify the machine by its MAC address 
(assuming that isn't being spoofed too) or track the traffic to a physical 
port and from there to a machine (if by no other method than unplugging cables 
one at a time till the traffic stops). This of course requires you to be able 
to convince your upstream provider(s) to track a MAC through their routers, and 
in practice that usually isn't going to happen.


If this is the case, then pretty much we all are helpless with DoS/DDoS 
attacks - considering one can write a script/program to keep incrementing 
or randomly assigning spoofed source addresses in the DoS packets being 
sent out.

        By and large, yes. If the spoofing is only a single source address
you may be able to get your upline provider to filter it (and you may not,
because they then end up paying for the traffic that they can't bill you for
because they didn't deliver it :-)), but stopping an attack from a wide 
network of zombied machines is pretty much impossible. All you could do would
be to have enough capacity to be able to absorb the DDoS traffic and still
survive (but that may well be too costly in bandwidth charges).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada


Faisal
Faisal Khan,  CEO
Net Access Communication
Systems (Private) Limited
________________________________

Network Security - Secure Web Hosting
Managed Internet Services - Secure Email
Dedicated Servers - Reseller Hosting

Visit www.netxs.com.pk for more information.
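The thread above settles that a routable spoofed source address cannot be told from a genuine one by looking at a single packet, and that the practical distinction is between a flood from one fixed spoofed address (which an upstream can filter) and one whose sources are incremented or randomised (which can only be absorbed). What can be done is to characterise the flood at the flow level so you know which of those two cases you are in before calling the upstream. The script below is an added example and is not part of the original post or the thread; it runs over a constructed set of (source address, TCP flags) records standing in for what a border sensor would see in one observation window, and its thresholds, flag encoding and sample addresses are assumptions chosen for illustration. It counts SYNs whose source never completes a handshake (a genuine client sends an ACK back; a spoofed source never does), checks how many of the distinct sources are numerically consecutive (the "keep incrementing" pattern), and flags sources in ranges such as RFC 1918 that can never be the real origin of a packet arriving from the Internet.

```python
"""Flow-level characterisation of a spoofed-source SYN flood (added example, constructed data)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Ranges that can never be the genuine source of a packet arriving from the Internet
# (RFC 1918 private space, loopback, link-local, multicast, "this" network).  A packet
# carrying one of these has a forged or misrouted source field regardless of the rest of
# the header; it is the one spoofing signal a single packet does give you.
BOGON_NETS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def is_bogon_source(src: str) -> bool:
    """True if src lies in a range that cannot be a real Internet-side origin."""
    addr = ip_address(src)
    return any(addr in net for net in BOGON_NETS)


def analyse_window(records, syn_threshold=50, orphan_ratio_threshold=0.8):
    """Classify one observation window of (src, flags) records aimed at the protected host.

    flags is the inbound TCP flag string: "S" for a bare SYN, anything containing "A"
    for a packet that acknowledges the server (only a real client can send that).
    Thresholds are assumed values for this example, not tuned numbers.
    """
    syns = defaultdict(int)   # SYNs seen per source address
    acks = defaultdict(int)   # ACK-bearing packets seen per source address
    for src, flags in records:
        if flags == "S":
            syns[src] += 1
        elif "A" in flags:
            acks[src] += 1

    sources = set(syns) | set(acks)
    # A source that sent SYNs but never an ACK never completed a handshake: typical of a
    # forged source, since the SYN-ACK went to an address that was not listening.
    orphan = [s for s in syns if acks.get(s, 0) == 0]
    bogon = [s for s in sources if is_bogon_source(s)]
    # Fraction of distinct sources that are numerically adjacent to the next one:
    # near 1.0 means the attacker is incrementing the source field.
    ordered = sorted(int(ip_address(s)) for s in sources)
    sequential = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
    syn_count = sum(syns.values())

    result = {
        "syn_count": syn_count,
        "unique_sources": len(sources),
        "orphan_sources": len(orphan),
        "bogon_sources": len(bogon),
        "max_syns_per_source": max(syns.values(), default=0),
        "sequential_ratio": sequential / max(len(ordered) - 1, 1),
    }
    orphan_ratio = len(orphan) / max(len(sources), 1)
    if syn_count >= syn_threshold and orphan_ratio >= orphan_ratio_threshold:
        result["verdict"] = "spoofed-source SYN flood"        # many sources, one SYN each
    elif syn_count >= syn_threshold and result["max_syns_per_source"] >= syn_threshold:
        result["verdict"] = "single-source SYN flood"         # one address, ask upstream to filter
    else:
        result["verdict"] = "normal"
    return result


def build_sample():
    """Constructed window: 20 real clients, 200 incrementing forged sources, 2 bogon sources."""
    legit = [f"192.0.2.{i * 7 + 3}" for i in range(20)]   # TEST-NET-1, deliberately non-adjacent
    records = []
    for s in legit:
        records += [(s, "S"), (s, "A"), (s, "PA")]       # full handshake, then data
    base = int(ip_address("198.18.0.1"))                   # benchmarking range, used as attack space
    records += [(str(ip_address(base + i)), "S") for i in range(200)]
    records += [("10.0.0.5", "S"), ("192.168.1.9", "S")]   # sources that can never be genuine
    return records


if __name__ == "__main__":
    for key, value in analyse_window(build_sample()).items():
        print(f"{key:22} {value}")
```

The verdict is what you take to the upstream: a "single-source" result is the case the reply says they may filter for you, while a "spoofed-source" result with a sequential ratio near 1.0 tells you the attacker is incrementing the source field and there is no single address to filter, leaving capacity as the only defence. The bogon count is a free win either way, since packets from those ranges can be dropped at the border without any risk to genuine clients.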

