IW: Tools Stunt DoS Attacks

Andrew Alston andrew at security.za.net
Thu Feb 8 23:08:54 PST 2001


If the attacker has a large number of slave machines, each machine is
spoofing from 1000 addresses (i.e. sending 1000 packets, each one from a
different address, and then cycling these addresses or generating another
1000 different addresses), it becomes VERY VERY difficult to block.

Look at it this way...

1000 machines, each sending 1000 packets, from 1000 spoofed addresses, each
packet is 8k big...

7812meg is therefore sent in payload size (as with my example code), per
cycle, from a total of 1 million addresses.

Because each packet is a SYN packet, probably aimed at a legit opened port
(like port 80), and it looks like a standard normal start of a connect, the
firewall will never block these packets. If the firewall DOES attempt to
auto shun these packets at the address level, the firewall will attempt to
insert 1 million rules in the space of under 5 minutes; it's almost sure to
fall over.  If the firewall doesn't fall over and DOES succeed in these rule
insertions, it will have effectively blocked a fairly major part of the
internet from ever accessing your server that is being DoS'ed.

With 1000 machines, each sending 10 8k packets per second (80k/sec), you are
running at 80000k/sec, that is to say almost 80gigabit, enough to kill an
OC-48 dead in the water.

At this point, to stop and block and trace is almost impossible, and there
are still PLENTY of places you can send spoofed packets from that aren't
blocking these things. Besides, if you block them, unless you block them
VERY high up, your ISP is gonna be dead in the water anyway and your
blockage is gonna do nothing to stop it.

If anyone has other opinions on what I've said above, please let me know :)

Thanks

Andrew

-----Original Message-----
From: owner-cypherpunks at minder.net
[mailto:owner-cypherpunks at minder.net]On Behalf Of Bill Stewart
Sent: Friday, February 09, 2001 4:46 AM
To: cypherpunks at cyberpass.net
Subject: Re: CDR: Re: IW: Tools Stunt DoS Attacks


At 05:16 PM 2/7/01 +0100, Lars Gaarden wrote:
>Andrew Alston wrote:
>> Basically, people who claim to be able to stop DDOS/trace DDOS/etc etc I
>> believe are playing on the public, making money out of a situation that
>> unfortunately has no end in sight, due to the fuckups made in the IP
>> protocol by the department of defense when they released the RFC.
>
>Spoofed source-addresses can be (and often are) blocked at the
>access ISP. RFC 2267, Ingress filtering.
>
>DDOS trojans on ISDN/xDSL/Cable home user boxes will have to use
>their real (or at least same subnet) source addresses on datagrams,
>or run the risk of having the traffic dropped silently at the first
>router.

Most DDOS attacks forge their source address, changing between
large numbers of forged addresses, so the site under attack can't
defend itself by blocking the addresses that attack it.
If a Bad Guy has thousands of slave machines, they can still
launch a big attack, but if they need to use their own addresses,
the target can block the attackers (still not easy for large numbers,
but at least it's possible.)
				Thanks!
					Bill
Bill Stewart, bill.stewart at pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
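As an added illustration of the RFC 2267 ingress filtering Lars Gaarden refers to above (example code written for this archive page, not from any poster): an access router knows which prefixes are assigned to each customer-facing interface and drops any packet whose source address lies outside them. The interface names, prefixes and packet stream are constructed sample data; the example also shows the limit Lars mentions, that a spoofed source inside the customer's own subnet still passes.

```python
# Added example (not part of the original thread): a minimal model of an
# RFC 2267 / BCP 38 ingress filter on an ISP access router. Interface
# names, prefixes and the packet stream are constructed sample data.
from ipaddress import ip_address, ip_network
from collections import Counter

# Constructed assignment of customer prefixes to access interfaces.
INTERFACE_PREFIXES = {
    "dsl0": [ip_network("192.0.2.0/24")],
    "cable1": [ip_network("198.51.100.0/25"), ip_network("198.51.100.128/26")],
}


def source_is_valid(iface, src):
    """RFC 2267 check: the source must fall within a prefix assigned to iface."""
    prefixes = INTERFACE_PREFIXES.get(iface)
    if not prefixes:
        return False  # unknown interface: nothing is legitimately sourced here
    addr = ip_address(src)
    return any(addr in prefix for prefix in prefixes)


def ingress_filter(packets):
    """Apply the check to (iface, src, dst) tuples.

    Returns the forwarded packets and a per-interface count of drops.
    """
    forwarded, dropped = [], Counter()
    for iface, src, dst in packets:
        if source_is_valid(iface, src):
            forwarded.append((iface, src, dst))
        else:
            dropped[iface] += 1
    return forwarded, dropped


# Constructed stream: two legitimate sources, one in-subnet spoof (passes the
# filter, as Lars notes), and two off-net spoofs of the kind the filter stops.
SAMPLE_PACKETS = [
    ("dsl0", "192.0.2.10", "203.0.113.5"),
    ("dsl0", "192.0.2.77", "203.0.113.5"),  # in-subnet spoof: not caught
    ("dsl0", "10.99.1.1", "203.0.113.5"),
    ("cable1", "198.51.100.130", "203.0.113.5"),
    ("cable1", "172.16.4.4", "203.0.113.5"),
]

if __name__ == "__main__":
    fwd, drop = ingress_filter(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped per interface: {dict(drop)}")
```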