Bugtraq mailing list archives

Re: The Art of Unspoofing


From: Sean Trifero <sean () innu org>
Date: Thu, 19 Sep 2002 23:59:58 -0400 (EDT)

Euan said:
> This is just simplistic, ill-conceived rubbish.

Don't tell us what you really think...

> There is absolutely no way to guarantee that you are "tracking down"
> the correct IP or the correct person.

You're right.  I should have put that in the disclaimer, but we thought
that the average person would understand that from the start.

> Is it safe to assume an attacker is going to use the generic public
> smurf.c tool etc.? Is it safe to assume the attacker is going to use
> traceroute or ping to test if the victim host is alive? Is it safe to
> assume the attacker won't use blind spoofed IP ID techniques or
> some other method to test if the victim host is alive? No.

Is it safe to assume that every attacker has thought out the attack as
much as you just have?  I'm not sure what types of DoS attacks you've seen
impact your network in your days... but from my experience, I can say that
at least one of those assumptions has been present in 95% of the DoS
attacks I have encountered, but that's just lil ol' me.

> What's to stop an attacker spoofing DNS lookups and pings from
> another host in order to incriminate it?

Would your average ./attacker have thought to spoof the DNS queries, or
randomize the TTL before we wrote this paper?  Nope, didn't think so...
kthx.

> What it comes down to is - it is easy for a semi-intelligent attacker
> to cause a denial of service attack that is completely untraceable from
> the target side. Grasping at straws like this won't do much good at all
> except waste a lot of your time.

What it comes down to is - we realized when we published this article
that as soon as the information was known, most if not all of the
techniques would be obsolete.  Knowing this put me in a sticky situation
about even disclosing it in the first place.  In the end I decided to
release it anyway, and I knew its release would get a few well thought
out posts like yours.

Sean Trifero
Security Technologies
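Added example, not part of Sean's post, Euan's reply, or the paper under discussion. The exchange above says that an attacker who randomizes the TTL defeats the tracing technique. The script below assumes that technique is the usual one of estimating hop distance from the TTL observed in spoofed packets by matching it against a table of default initial TTLs (the table, the hop counts and the TTL values are all constructed for illustration). It shows the estimate working against an unmodified stack, being wrong even for an honest stack once the hop count is large, and scattering into inconsistent values as soon as the sender randomizes the initial TTL.

```python
# Added example, not code from the original post or the paper it discusses.
# Models the "estimate hop distance from the arriving TTL" heuristic and
# the randomized-TTL countermeasure mentioned in the thread. All values
# below are constructed for illustration.
import random
from typing import Iterable, List, Optional, Set

# Assumption: default initial TTLs of widely deployed IP stacks. The
# heuristic only works if the sender's stack uses one of these unmodified.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def estimate_hops(observed_ttl: int) -> Optional[int]:
    """Estimate how many routers a packet crossed from its TTL on arrival.

    Picks the smallest common initial TTL that is >= observed_ttl and
    returns the difference. Returns None for a TTL outside 1..255.
    """
    if not 1 <= observed_ttl <= 255:
        return None
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    return None  # not reached: 255 is the largest possible TTL


def ttl_on_arrival(initial_ttl: int, true_hops: int) -> int:
    """TTL the victim sees after true_hops routers each decrement it.

    A packet whose TTL would reach 0 is dropped in transit and never
    reaches the victim; that case is modelled as ValueError.
    """
    ttl = initial_ttl - true_hops
    if ttl <= 0:
        raise ValueError("packet expired in transit")
    return ttl


def estimates_for_flood(initial_ttls: Iterable[int], true_hops: int) -> Set[Optional[int]]:
    """Hop estimates the victim derives from a flood of spoofed packets.

    Each packet is sent with one of the given initial TTLs by a host that
    is really true_hops away. With an unmodified stack every packet gives
    the same (correct) estimate; with randomized initial TTLs the victim
    collects a spread of mutually inconsistent values.
    """
    estimates: Set[Optional[int]] = set()
    for init in initial_ttls:
        try:
            estimates.add(estimate_hops(ttl_on_arrival(init, true_hops)))
        except ValueError:
            continue  # expired packets contribute no observation
    return estimates


def random_initial_ttls(count: int, seed: int = 1) -> List[int]:
    """Constructed randomized-TTL sender: a fresh uniform initial TTL per packet."""
    rng = random.Random(seed)
    return [rng.randint(1, 255) for _ in range(count)]


if __name__ == "__main__":
    hops = 12
    # Unmodified stack starting at 64: every packet yields the right answer.
    print("default TTL 64:", estimates_for_flood([64] * 5, hops))
    # Honest stack, but 40 hops from a 64 start: 24 on arrival is read as
    # 32 - 24 = 8 hops, so the heuristic fails even without an adversary.
    print("40 hops from 64:", estimate_hops(ttl_on_arrival(64, 40)))
    # Randomized initial TTL: the estimates scatter and none need be right.
    print("randomized:", sorted(estimates_for_flood(random_initial_ttls(20), hops)))
```

The victim-side analyst only ever sees the arriving TTL, so every estimate rests on guessing the sender's starting value; the randomized case shows why a single consistent hop count in a capture is evidence of an unmodified stack, not proof of distance.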


