nanog mailing list archives

Re: syn attack and source routing


From: Alexis Rosen <alexis () panix com>
Date: Fri, 27 Sep 1996 03:10:27 -0400 (EDT)

(Again, sorry for the delay responding.)

Paul A Vixie writes:

Or better yet, the ICMP TRACEROUTE message, which would go
hop by hop and on every hop generate a response message.
Augmented with PROXY TRACEROUTE which will cause the destination
box to send out the ICMP TRACEROUTE.

This would be bad.  Remembering back to the dim prehistory of time, when
[...]

I'm very surprised that no one has mentioned what seems to me to be the
*really* serious drawback to this scheme. Remember how much grief you had
the last time someone did a news sendsys forged to your name? (If it's
never happened to you, be glad...) This sort of attack got so bad that
the default setup these days is to ignore sendsys.

The principle's the same here. What's to stop me from forging TRACEROUTEs
which cause many response packets to be sent to my victim for each single
packet I send out?  I'd have an easy way to multiply my effective bandwidth
for simple DoS bandwidth attacks. Even an idiot with a 28.8 modem could
wind up doing some serious damage.

/a

---
Alexis Rosen   Owner/Sysadmin,
PANIX Public Access Unix & Internet, NYC.
alexis () panix com