
| Subject: | RE: DoS/DDoS Attack |
|---|---|
| Date: | Fri, 14 Jan 2005 22:02:33 -0500 |
In dealing with D/DoS attacks, being able to survive is one goal; the other goal is to back trace and uproot the master server who issued the command. Sometime last year, we were working with CyberShield Networks (www.cybershieldnetworks.com) on bidding a BAA for back tracing zombie masters. They were developing a very interesting product called "ZombieShield", which gets deployed in the wild and proactively participates in the underground community to learn, analyze and forecast any possible planning for zombie-based attacks. If detected, it had the ability to identify the zombie master and notify the authorities before such an attack takes place. It also has the potential to report any compromised computer boxes before they are used as attacking tools. Just thought you might share my interest level in this technology against D/DoS attacks.

Josh
I would agree with most of what's been said so far. However, "helpless" is such a strong word. I don't know exactly what you're referring to, but you are definitely not "helpless" from a security standpoint. There are a host of great DDoS/IPS appliances out there. I had a customer under a SYN flood attack a while back, and they plopped down six figures on the spot to buy mitigation equipment. Since then, they have not experienced another attack, though we can see the device blocking several such occurrences (albeit smaller ones).
FYI, my favorite rate-based IPS box is Top Layer. It works great, and can block gig speeds of bandwidth attacks. I've tested both the newest Top Layer and Tipping Point boxes and I have to say Top Layer takes the cake. The industry is constantly changing in this market, so you're bound to see new leaders all the time.
My $.02,
Ed
-----Original Message-----
From: nvfeito@advancedsl.com.ar [mailto:nvfeito@advancedsl.com.ar]
Sent: Friday, January 14, 2005 6:10 AM
To: pen-test@securityfocus.com
Subject: Re: DoS/DDoS Attack

On Friday 14 January 2005 06:06 am, Faisal Khan wrote:
Folks, two quick questions. When IP (source) addresses are spoofed, is there no way of determining (a) that the IP source addresses are spoofed and not the genuine ones, and (b) the actual IP address that is sending the DoS packets?

Somehow I get the feeling I'm SOL when trying to find out the "genuine/actual" source IP address. If this is the case, then pretty much we all are helpless with DoS/DDoS attacks, considering one can write a script/program to keep incrementing or randomly assigning spoofed source addresses in the DoS packets being sent out.

Faisal
I can't think of a way of reversing the process. The experiments I've done with spoofed IPs have been done in C using raw sockets; some folks tried with Python. The language is indifferent, but what you do is alter the header of the packet and tell the kernel of the OS that there's no need to add a header to the packet you're sending; then the kernel just places the packet on the net with the data you filled in.

The main thing about a spoofed IP packet is that you can fill the fields with any info you want (of course it's important that the checksum matches; this is one way you could know if the packet is spoofed, and if it's not spoofed and the checksum does not match, there's an error, so one way or another you should get rid of the packet). Check this with Ethereal or another protocol analyzer.

In theory there should be no way of knowing what the real source address is (it's not like an SMTP 'spoof', where you play with some RCPT TO/MAIL FROM commands and you have the email headers added by the MTA). If you think about it a little bit, we're indeed helpless with DoS/DDoS attacks, if by that you mean SYN floods and that kind of stuff, and if you dig deeper, you'll find out that if the operating system is in charge of stamping the IP address on a packet and the OS itself is sufficiently flexible to let you do that from userspace, this is not considered a flaw, but a gift. The main problem is that not all people use this gift the way they should.

--
Saludos. Nazareno Vicente Feito
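The checksum check Nazareno mentions, as an added Python example that is not part of the thread: it parses an IPv4 header the way a protocol analyzer such as Ethereal would and recomputes the RFC 791 header checksum, so a mismatch marks a malformed packet to drop. The sample header bytes are constructed for the example; a checksum that verifies says nothing about whether the source address is genuine, which is exactly the limitation the thread discusses.

```python
import struct

# Constructed sample IPv4 header (20 bytes, no options): 192.168.0.1 -> 192.168.0.199,
# TTL 64, protocol 17 (UDP), total length 115, with a correct checksum of 0xB861.
SAMPLE_HEADER = bytes.fromhex("45000073000040004011b861c0a80001c0a800c7")


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over 16-bit words of the header.
    The caller passes the header with its checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed IPv4 header fields and verify the stored checksum,
    as a protocol analyzer or a packet filter would before trusting the fields."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (20 without options)
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    header = packet[:ihl]
    # Recompute over the header with the checksum field (bytes 10-11) zeroed.
    expected = ipv4_checksum(header[:10] + b"\x00\x00" + header[12:])
    return {
        "version": ver_ihl >> 4,
        "ihl": ihl,
        "total_length": total_len,
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "checksum": csum,
        "checksum_ok": csum == expected,  # False: malformed, drop it
    }


if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE_HEADER))
    damaged = bytearray(SAMPLE_HEADER)
    damaged[12] = 0x0A  # corrupt the first source-address byte
    print(parse_ipv4_header(bytes(damaged))["checksum_ok"])
```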