DDos syn attack

E.B. Dreger eddy+public+spam at noc.everquick.net
Thu Jan 2 04:22:35 UTC 2003


AV> Date: Wed, 1 Jan 2003 19:30:00 -0800 (PST)
AV> From: Avleen Vig


AV> Tracing back an IP from bind logs to see which name servers
AV> looked up an attacked address immediately before the attack
AV> started. This at least leads to the offender's ISP, which is a
AV> good start.

1) <x> compromised hosts form a botnet via IRC
2) A human gives the command to start the attack
3) One of the compromised hosts performs the DNS lookups
4) Destination IP is returned to the channel
5) Random delay
6) Attack begins
7) Repeat steps 3-6

I don't see how "tagging" or changing IP addresses does much to
mitigate a botnet attack (a DDoS has to be coordinated somehow).


<wolkenkuckucksheim>

Let DNS return a token that expires after <x> seconds, a la KRB
tickets or SSH.  When requesting a connection, the ticket is
presented as one of the IP options.  The ticket space should be
sparse enough to expose brute-force guessing attempts.

Those of us who like typing IP addresses would need an alternate
mechanism and/or to change our behavior.  One paragraph of random
rambling can't solve all the Internet's problems. ;-)

</wolkenkuckucksheim>


Anyone interested in website or email that can only be viewed by
people who have installed a new, improved IP stack?  (Looking at
the number of Codered/Nimda/etc. scans in logs, something tells
me protocol modifications are out...)

#include <technical-vs-social.h>
#include <how-much-of-the-internet-are-we-willing-to-ignore.h>

Is the problem technical or social?  If it were mostly the
former, I think we'd have made much more progress by now.


I hope IPv6 has the right features and works well.  IPv4 is
badly entrenched; IPv6 will be worse.  (And, please, I don't need
any kooky messages about IPv8 or IPv16 like the ones I sometimes
get after posting.)


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist at brics.com>
To: blacklist at brics.com
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <blacklist at brics.com>, or you are likely to
be blocked.
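The traceback Avleen describes (which resolvers asked for the attacked name just before the flood started) and step 3 of the botnet sequence above are easy to check against a BIND query log. The following is an added example, not code from the original post: it parses the classic BIND 9 "queries" log format, keeps only lookups of the target name inside a window before the attack start, and ranks the resolver addresses. The log lines, the name www.victim.example, the attack start time and the window length are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed BIND 9 query-log sample (classic "queries" category format);
# these lines are made up for the example and are not real traffic.
SAMPLE_LOG = """\
02-Jan-2003 04:09:40.112 client 198.51.100.7#53: query: www.victim.example IN A +
02-Jan-2003 04:10:01.500 client 203.0.113.9#53: query: www.victim.example IN A +
02-Jan-2003 04:10:03.210 client 203.0.113.9#53: query: www.victim.example IN A +
02-Jan-2003 04:10:05.004 client 192.0.2.44#53: query: mail.other.example IN MX +
02-Jan-2003 04:10:10.770 client 198.51.100.7#53: query: www.victim.example IN A +
02-Jan-2003 04:20:30.000 client 192.0.2.44#53: query: www.victim.example IN A +
"""

# timestamp, client address#port, and the question section of a query-log line
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_ts(text):
    """Parse the BIND log timestamp (sub-second part already stripped)."""
    return datetime.strptime(text, "%d-%b-%Y %H:%M:%S")


def parse_query_log(text):
    """Yield (timestamp, resolver_ip, qname, qtype); unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name = m.group("name").rstrip(".").lower()
        yield parse_ts(m.group("ts")), m.group("ip"), name, m.group("qtype")


def lookups_before_attack(log_text, target_name, attack_start, window_seconds):
    """Map resolver IP -> timestamps of its lookups of target_name in the
    window_seconds immediately before attack_start."""
    window_start = attack_start - timedelta(seconds=window_seconds)
    target = target_name.rstrip(".").lower()
    hits = defaultdict(list)
    for ts, ip, name, _qtype in parse_query_log(log_text):
        if name == target and window_start <= ts < attack_start:
            hits[ip].append(ts)
    return dict(hits)


def rank_suspects(hits):
    """Most lookups first; ties broken by the lookup closest to the attack."""
    return sorted(hits, key=lambda ip: (-len(hits[ip]), -max(hits[ip]).timestamp()))


if __name__ == "__main__":
    start = parse_ts("02-Jan-2003 04:10:15")
    found = lookups_before_attack(SAMPLE_LOG, "www.victim.example", start, 60)
    for ip in rank_suspects(found):
        print(ip, [t.strftime("%H:%M:%S") for t in found[ip]])
```

Two caveats when running this on a real authoritative server's log: the addresses it yields are recursive resolvers (usually the ISP's), not the bots themselves, which is exactly why the trail only "leads to the offender's ISP"; and once a resolver has the answer cached, further bots behind it produce no new log line until the TTL expires, so a short window can miss resolvers that asked earlier.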

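The expiring-ticket sketch between the wolkenkuckucksheim tags can be made concrete without touching the IP stack. This is an added example, not code from the original post: the ticket layout (4-byte expiry followed by a 16-byte HMAC-SHA256 tag), the shared key, the addresses and the alert threshold are all assumptions made for the example; the sketch itself fixes none of them, and the IP-option transport is not modelled. The 128-bit tag is what makes the ticket space sparse: a guessed ticket almost never validates, and every miss is counted against the source address.

```python
import hashlib
import hmac
import struct
import time
from collections import Counter

# Hypothetical ticket layout, an assumption for this example (the sketch does not
# define one): expiry (4 bytes, Unix seconds, network order) || 16-byte MAC.
MAC_LEN = 16
TICKET_LEN = 4 + MAC_LEN


def _binding(client_ip, dest_ip, expiry):
    """Bytes the MAC covers: the ticket is valid only for this client, this
    destination and this expiry time."""
    return f"{client_ip}|{dest_ip}|{expiry}".encode()


def issue_ticket(key, client_ip, dest_ip, lifetime_s, now=None):
    """What the DNS side would hand back with the answer.  `key` is a secret
    shared by the DNS front end and the destination host (assumed here)."""
    now = int(time.time()) if now is None else now
    expiry = now + lifetime_s
    mac = hmac.new(key, _binding(client_ip, dest_ip, expiry), hashlib.sha256).digest()[:MAC_LEN]
    return struct.pack("!I", expiry) + mac


class TicketVerifier:
    """Connection-side check, meant to run before any per-connection state is kept."""

    def __init__(self, key, alert_threshold=5):
        self.key = key
        self.alert_threshold = alert_threshold
        self.failures = Counter()  # invalid presentations per source address

    def verify(self, ticket, client_ip, dest_ip, now=None):
        now = int(time.time()) if now is None else now
        ok = False
        if len(ticket) == TICKET_LEN:
            expiry = struct.unpack("!I", ticket[:4])[0]
            expected = hmac.new(self.key, _binding(client_ip, dest_ip, expiry),
                                hashlib.sha256).digest()[:MAC_LEN]
            # constant-time compare; an expired ticket with a good MAC is still rejected
            ok = hmac.compare_digest(expected, ticket[4:]) and now < expiry
        if not ok:
            self.failures[client_ip] += 1
        return ok

    def brute_force_suspects(self):
        """Sources whose invalid-ticket count has crossed the alert threshold."""
        return sorted(ip for ip, n in self.failures.items() if n >= self.alert_threshold)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # demo value only
    ticket = issue_ticket(key, "203.0.113.9", "198.51.100.7", lifetime_s=60, now=1000000)
    v = TicketVerifier(key, alert_threshold=3)
    print("fresh:  ", v.verify(ticket, "203.0.113.9", "198.51.100.7", now=1000030))
    print("expired:", v.verify(ticket, "203.0.113.9", "198.51.100.7", now=1000060))
    print("spoofed:", v.verify(ticket, "192.0.2.1", "198.51.100.7", now=1000030))
    for _ in range(3):
        v.verify(b"\x00" * TICKET_LEN, "192.0.2.1", "198.51.100.7", now=1000030)
    print("suspects:", v.brute_force_suspects())
```

Because the tag is bound to the source address, a SYN with a spoofed source cannot carry a valid ticket and can be dropped before a connection slot is spent, which is the SYN-flood case in the thread's subject. A bot that resolved the name itself gets a perfectly valid ticket, so this does nothing against the coordinated-botnet case the post describes; it narrows the attack to hosts that must reveal a real address and a DNS lookup, which is what makes the traceback above workable.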



More information about the NANOG mailing list