Security Incidents mailing list archives
Re: DDoS Attack
From: Justin Pryzby <justinpryzby () users sourceforge net>
Date: Wed, 28 May 2003 13:16:55 -0400
Oops, rereading one of my last posts, I said
> FWIW, IPs *may* be spoofed, even if you are seeing a tcp 3-way init. It depends on how your server machine generates the IP sequence numbers. `nmap -v` is a good gauge of how cryptographically strong it is.

What I MEANT was TCP sequence numbers, not IP ID numbers. Sequence numbers are supposed to be highly random. The IP ID number is just a unique identifier of communication between two hosts over a given protocol. It exists so that (for example) a webserver can serve a client multiple pages concurrently. The IP ID number cannot be used to provide any kind of security. It seems different OSes even use widely different schemes to decide when to increment it and when to use an entirely different number.

As I understand, beginning an attack with an arbitrary IP ID number would work fine, as long as the TCP sequence numbers were right. The target host would just think that lots of packets had gotten lost ...

Correct me if I'm wrong,

Justin Pryzby
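The point above (a spoofed source can complete a 3-way handshake only if the attacker can guess the server's initial sequence number) as an added, self-contained example. This is not code from the post, from nmap or from any OS: the two ISN generators, the toy server, the "sequence index" scoring and the addresses are all constructed for illustration, and the index calculation is only loosely modeled on the kind of check `nmap -v` reports (that is an assumption about nmap's method, not its code).

```python
"""Added example: blind TCP handshake spoofing against a predictable ISN, plus a
rough gauge of ISN randomness. Everything here is a constructed model."""
import math
import random
import statistics
from functools import reduce

MASK32 = 0xFFFFFFFF


class WeakISN:
    """Constructed weak generator: each new connection gets the previous ISN
    plus a fixed step, the kind of scheme that is trivially extrapolated."""

    def __init__(self, start=0x0001_0000, step=64_000):
        self.cur = start
        self.step = step

    def next(self):
        self.cur = (self.cur + self.step) & MASK32
        return self.cur


class StrongISN:
    """Constructed strong generator: each ISN is an independent 32-bit random
    value (seeded only so that the demo is repeatable)."""

    def __init__(self, seed=2003):
        self.rng = random.Random(seed)

    def next(self):
        return self.rng.getrandbits(32)


def sample_isns(gen, n=32):
    """Model of probing a host n times and recording the ISN of each SYN-ACK."""
    return [gen.next() for _ in range(n)]


def isn_index(isns):
    """Rough predictability gauge (an assumption loosely modeled on nmap's
    sequence index, not its code): take the modular difference between
    consecutive ISNs and score their spread. Returns (index, gcd_of_diffs);
    index 0 means a constant increment, low hundreds means random-looking."""
    diffs = []
    for a, b in zip(isns, isns[1:]):
        d = (b - a) & MASK32
        diffs.append(min(d, (MASK32 + 1) - d))  # smaller of +d and -d mod 2^32
    gcd = reduce(math.gcd, diffs)
    stddev = statistics.pstdev(diffs)
    index = 0 if stddev <= 1 else round(math.log2(stddev) * 8)
    return index, gcd


class ToyServer:
    """Minimal model of the server side of the handshake: a SYN is answered
    with a fresh ISN, and the connection is established only if the ACK that
    comes back from that source carries ISN + 1."""

    def __init__(self, isn_gen):
        self.isn_gen = isn_gen
        self.pending = {}        # src address -> ISN sent in the SYN-ACK
        self.established = set()

    def recv_syn(self, src):
        isn = self.isn_gen.next()
        self.pending[src] = isn
        return isn               # what the SYN-ACK carries back to `src`

    def recv_ack(self, src, ack):
        isn = self.pending.get(src)
        if isn is not None and ack == (isn + 1) & MASK32:
            del self.pending[src]
            self.established.add(src)
            return True
        return False


def blind_spoof(server, attacker="203.0.113.9", victim="198.51.100.7"):
    """Attacker that never sees traffic sent to `victim` (addresses are
    documentation ranges chosen for the demo). It completes two real
    handshakes from its own address to sample the server's ISNs, extrapolates
    the next one assuming a constant step, then sends a SYN with the victim's
    source address and a blind ACK for the guess."""
    seen = []
    for _ in range(2):
        isn = server.recv_syn(attacker)          # SYN-ACK reaches the attacker
        server.recv_ack(attacker, (isn + 1) & MASK32)
        seen.append(isn)
    guess = (seen[1] + (seen[1] - seen[0])) & MASK32
    server.recv_syn(victim)                      # SYN-ACK goes to the victim, unseen
    return server.recv_ack(victim, (guess + 1) & MASK32)


if __name__ == "__main__":
    for name, gen in (("weak", WeakISN()), ("strong", StrongISN())):
        index, gcd = isn_index(sample_isns(gen))
        print(f"{name}: sequence index={index} gcd={gcd}")
    print("blind spoof vs weak ISN:  ", blind_spoof(ToyServer(WeakISN())))
    print("blind spoof vs strong ISN:", blind_spoof(ToyServer(StrongISN())))
```

The weak generator scores index 0 with a GCD equal to its step, and the blind spoof succeeds because the attacker's extrapolated ISN is exactly what the server hands the spoofed SYN; the random generator scores in the low hundreds and the spoof fails, since the attacker's guess has only a 1 in 2^32 chance of matching an ISN it never received.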
Current thread:
- DDoS Attack Steven Shepherd (May 22)
- Re: DDoS Attack Sebastian Jaenicke (May 23)
- Re: DDoS Attack lists (May 23)
- RE: DDoS Attack Jonathan A. Zdziarski (May 23)
- Re: DDoS Attack Tim Greer (May 23)
- Re: DDoS Attack Angelz (May 23)
- <Possible follow-ups>
- RE: DDoS Attack Whiteside, Larry [contractor] (May 23)
- Re: DDoS Attack Justin Pryzby (May 23)
- Re: DDoS Attack Andrew Anderson (May 23)
- Re: DDoS Attack Justin Pryzby (May 25)
- Re: DDoS Attack Justin Pryzby (May 29)
- RE: DDoS Attack David Gillett (May 29)