Bugtraq mailing list archives
Re: The Art of Unspoofing
From: Darren Reed <avalon () coombs anu edu au>
Date: Thu, 19 Sep 2002 12:11:33 +1000 (Australia/ACT)
In some mail from eric.prince () cox net, sie said:

> [...]
>
> The Resolution Theory
>
> The idea is simple. Usually, when a denial of service attack is initiated
> against a target host, it's something like:
>
> # ./attack target.com
>
> In order to send the spoofed packets to target.com, the attacker's nameserver
> has to resolve its domain name to an IP address, and only then can it inject
> the malicious packets. In theory, the nameservers for target.com will receive
> packets originating from the true source host of the attack or their nameserver.
>
> [...]

An adjunct to this is that nearly all applications will only ever resolve a
hostname _once_. So if ./attack will start an attack that lasts for 8 hours
(say) but our DNS TTL is only 1 hour, we can change the IP# of target.com and
the attack can be deflected.

How low do you go with a TTL in DNS so you can react in this manner without
pushing too much work back on to DNS? Don't know.

I'm sure this is well known, though?

Darren
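The two ideas in this thread, correlating authoritative-nameserver query logs with the start of a flood and using a short TTL so the target's address can be moved while the attack tool keeps sending to its one cached answer, can be exercised against log data. The script below is an added example and is not code from either poster; the log lines are constructed, and the BIND-style querylog layout, the addresses and the timestamps are assumptions chosen to illustrate the method.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a BIND-style query log layout (assumed format:
# "date time client IP#port (name): query: name class type flags").
# Addresses come from documentation ranges and are not real resolvers.
SAMPLE_QUERY_LOG = """\
18-Sep-2002 10:58:41.000 client 198.51.100.7#33192 (target.com): query: target.com IN A +
18-Sep-2002 10:59:02.000 client 203.0.113.9#40001 (www.target.com): query: www.target.com IN A +
18-Sep-2002 11:00:05.000 client 192.0.2.50#2048 (target.com): query: target.com IN A +
18-Sep-2002 11:00:09.000 client 192.0.2.50#2049 (target.com): query: target.com IN AAAA +
18-Sep-2002 14:30:00.000 client 203.0.113.9#40002 (target.com): query: target.com IN A +
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<ip>[\d.]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\w+)"
)


def parse_query_log(text):
    """Turn query-log text into (timestamp, resolver IP, qname, qtype) tuples.
    Lines that do not match the assumed layout are skipped rather than raised on,
    since a real log mixes in startup and error messages."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        records.append((ts, m.group("ip"), m.group("qname").lower(), m.group("qtype")))
    return records


def resolvers_before_flood(records, flood_start, name, window):
    """Resolver IPs that asked for `name` within `window` before the flood began.
    These are leads, not proof: as the original post notes, the querying address
    is usually the attacker's recursive nameserver, not the attacking host, and
    ordinary clients resolve the same name all day."""
    lo = flood_start - window
    return sorted({ip for ts, ip, qname, _ in records
                   if qname == name and lo <= ts <= flood_start})


def deflection_possible(attack_duration, ttl, reaction_time):
    """Darren's adjunct: if the attack tool resolved the name once, moving the
    record after the operator reacts and the old TTL expires leaves the flood
    aimed at the old address. That only buys anything if reaction time plus TTL
    is shorter than the attack itself."""
    return reaction_time + ttl < attack_duration


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_QUERY_LOG)
    flood = datetime(2002, 9, 18, 11, 0, 10)
    print(resolvers_before_flood(recs, flood, "target.com", timedelta(minutes=5)))
    print(deflection_possible(timedelta(hours=8), timedelta(hours=1), timedelta(minutes=30)))
```

The correlation window is deliberately short: the claim in the thread is that the lookup happens immediately before the first spoofed packets, so a resolver seen minutes earlier is a much better lead than one seen the previous day. The TTL check makes the trade-off explicit: shortening the TTL widens the set of attacks that can be deflected, at the cost of more queries landing on the authoritative servers, which is exactly the open question Darren raises.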