Security Incidents mailing list archives

RE: Attacks on GRC.com


From: Shwaine <shwaine () malevolence com>
Date: Thu, 28 Feb 2002 13:23:36 -0800

In the grad class I took last spring on Internet protocols and security,
this kind of attack was called a "reflective distributed denial 
of service attack".  There is plenty of research into how to trace 
forged packets back to their original source, called IP Traceback.
There is also an IETF working group on a type of IP Traceback called 
ICMP Traceback, http://www.ietf.org/html.charters/itrace-charter.html.

One issue with reflective DDoS attacks is that traditional IP Traceback 
protocols usually only send the itrace messages either to the destination 
IP or along with the packet, which means that the reflectors, not 
the victim, get the itrace messages about the path(s) to the actual 
attacker.  The topic came up in that class I took about perhaps sending 
the itrace messages to both the source and destination IPs, which 
would send itrace messages to the victim in reflective DDoS (since 
the spoofed source IP is the victim's along the path from the attacker 
to the reflector), but could also lead to increased traffic depending 
on implementation.  I am not sure if this idea is being researched 
at the moment.

Shwaine
--------------------------------------------------------------
http://www.malevolence.com              http://www.shwaine.com
telnet://shwaine.dyn.greystoneapts.com:3000








----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
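
The recipient question raised in the message above, as an added simulation that is not part of the original post or of any itrace specification. The router names, sampling probability and packet count are constructed assumptions, and the model only counts who receives itrace messages.

```python
import random

# Constructed topology (assumption): routers on each leg of a reflective attack.
ATTACK_LEG = ["R1", "R2", "R3"]   # attacker -> reflector, source forged as the victim
REFLECT_LEG = ["R4", "R5"]        # reflector -> victim, source is genuine

def simulate(packets, prob, notify_source, seed=1):
    """Return (routers the victim hears from per leg, total itrace messages sent).

    Each router samples a forwarded packet with probability `prob` and emits one
    itrace message to the packet's destination, plus one to its source address
    when `notify_source` is set (the variant raised in the message above).
    """
    rng = random.Random(seed)
    legs = (
        ("attack_leg", ATTACK_LEG, "victim", "reflector"),    # src is spoofed
        ("reflect_leg", REFLECT_LEG, "reflector", "victim"),
    )
    learned = {"attack_leg": set(), "reflect_leg": set()}
    sent = 0
    for _ in range(packets):
        for leg, path, src, dst in legs:
            for router in path:
                if rng.random() >= prob:
                    continue              # packet not sampled at this hop
                recipients = [dst, src] if notify_source else [dst]
                sent += len(recipients)
                if "victim" in recipients:
                    learned[leg].add(router)
    return learned, sent

if __name__ == "__main__":
    # Constructed parameters: 5000 attack packets, 1% sampling per router.
    for mode in (False, True):
        learned, sent = simulate(5000, 0.01, notify_source=mode)
        print("notify_source=%s messages=%d attack_leg=%s reflect_leg=%s" % (
            mode, sent, sorted(learned["attack_leg"]), sorted(learned["reflect_leg"])))
```

In this model, destination-only delivery leaves the victim with no messages from R1 to R3, the routers nearest the attacker, while notifying the source as well exposes them at the cost of doubling the itrace traffic.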

