Security Incidents mailing list archives

Re: DDoS Attack


From: Justin Pryzby <justinpryzby () users sourceforge net>
Date: Wed, 28 May 2003 13:16:55 -0400

Oops, rereading one of my last posts, I said
FWIW, IPs *may* be spoofed, even if you are seeing a tcp 3-way init.
It depends on how your server machine generates the IP sequence numbers.
`nmap -v` is a good gauge of how cryptographically strong it is.

What I MEANT was TCP sequence numbers, not IP ID numbers.  Sequence
numbers are supposed to be highly random.  The IP ID number is just a
unique identifier of communication between two hosts over a given
protocol.  It exists so that (for example) a webserver can serve a
client multiple pages concurrently.  The IP ID number cannot be used to
provide any kind of security.  It seems different OSs even use widely
different schemes to decide when to increment it and when to use
an entirely different number.

As I understand, beginning an attack with an arbitrary IP ID number
would work fine, as long as the TCP sequence numbers were right.  The
target host would just think that lots of packets had gotten lost ...

Correct me if I'm wrong,
Justin Pryzby
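The `nmap -v` gauge the post refers to measures how predictable a server's TCP initial sequence numbers (ISNs) are. The following Python is an added example, not part of Justin's post: it runs a rough version of that check over constructed `tcpdump -S`-style SYN/ACK lines from one's own server (the sample addresses, the regex and the difficulty thresholds are my assumptions, not nmap's exact method).

```python
import re
import statistics

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

# Constructed sample: SYN/ACK lines as `tcpdump -S -n` would print them when
# a client opens several connections to our own server (placeholder addresses).
SAMPLE_TCPDUMP = """\
12:00:00.000001 IP 192.0.2.10.80 > 198.51.100.5.40001: Flags [S.], seq 1000, ack 1, win 65535
12:00:00.100002 IP 192.0.2.10.80 > 198.51.100.5.40002: Flags [S.], seq 2000, ack 1, win 65535
12:00:00.200003 IP 192.0.2.10.80 > 198.51.100.5.40003: Flags [S.], seq 3000, ack 1, win 65535
12:00:00.300004 IP 192.0.2.10.80 > 198.51.100.5.40004: Flags [S.], seq 4000, ack 1, win 65535
"""

SYNACK_RE = re.compile(r"Flags \[S\.\], seq (\d+),")

def parse_isns(text):
    """Extract the server's initial sequence numbers from SYN/ACK lines."""
    return [int(m.group(1)) for m in SYNACK_RE.finditer(text)]

def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2^32 so wrap-around is handled."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]

def difficulty_index(isns):
    """Standard deviation of the deltas as a rough predictability score.
    (Constructed heuristic inspired by nmap's ISN test, not its exact formula.)"""
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples")
    return statistics.pstdev(deltas)

def classify(isns):
    """Bucket a sample of ISNs by how easy the next one would be to guess."""
    idx = difficulty_index(isns)
    if idx < 1:
        return "constant-increment"  # every delta identical: next ISN is known
    if idx < (1 << 16):
        return "incremental"         # small jitter: guessable with a few tries
    return "random"                  # deltas spread across the 32-bit space

if __name__ == "__main__":
    isns = parse_isns(SAMPLE_TCPDUMP)
    print(isns, classify(isns))  # [1000, 2000, 3000, 4000] constant-increment
```

A "constant-increment" or "incremental" result on a real capture means a blind attacker could complete a handshake from a spoofed address, which is exactly the case the post describes; modern kernels are expected to land in "random".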
