Penetration Testing mailing list archives

Re: DoS/DDoS Attack

From: seditiosus <seditiosus () gmail com>
Date: Fri, 14 Jan 2005 13:26:55 -0500

Correct me if I am wrong, but, I understand that the MAC address is
left unchanged and can be used to identify the source.

On Fri, 14 Jan 2005 14:09:40 +0000, Nazareno Vicente Feito
<nvfeito () advancedsl com ar> wrote:

On Friday 14 January 2005 06:06 am, Faisal Khan wrote:

Folks,

Two quick questions.

When IP (Source) addresses are spoofed, is there no way of determining (a)
that the IP Source Addresses is spoofed and not the genuine one (b) to be
able to determine the actual IP address that is sending DoS packets?

Somehow I get the feeling I'm SOL when trying to find out the
"genuine/actual" source IP address.

If this is the case, then pretty much we all are helpless with DoS/DDoS
attacks - considering one can write a script/program to keep incrementing
or randomly assigning spoofed source addresses in the DoS packets being
sent out.

Faisal


I can't think of a way of reversing the process, the experiments I've done
with spoofed ip's have been done in C using raw sockets, some folks tried
with python, the language is indiferent, but what you do is alter the header
of the packet, and tell the kernel of the OS that there's no need to add a
header to the packet you're sending, then the kernel just place the packet on
the net with the data you filled in.
The main thing of a spoofed ip packet it's that you can fill the fields with
any info you want (of course it's important the checksum matches, this is one
way you could know if the packet is spoofed, and if it's not and the checksum
does not match, there's an error, so one way or another you should get rid of
the packet), check this with ethereal or another protocol analyzer.
In theory it should be no way of knowing what's the real source address (It's
not like an smtp 'spoof' that you play with some rcpt to/mail from commands
and you have the email headers added by the MTA), if you think about it a
little bit, we're indeed helpless with DoS/DDoS attacks, if by that you mean
syn floods and that kind of stuff, and if you dig deeper, you'll find out
that if the operating system is in charge of stamping the ip address to a
packet and the OS itself it's sufficiently flexible to let you do that from
userspace, this is not considered a flaw, but a gift, the main problem is
that not all people is this gift the way they should.

--

Saludos.
Nazareno Vicente Feito

Current thread:

OWASP NYC CHAPTER MEETING - JANUARY 25 Stan Guzik (Jan 07)
- Message not available
  - Windows based DoS Tools? Faisal Khan (Jan 10)
    - RE: Windows based DoS Tools? rzaluski (Jan 10)
    - Message not available
    - RE: Windows based DoS Tools? Faisal Khan (Jan 11)
    - Re: Windows based DoS Tools? Jules Rogers (Jan 12)
    - Re: Windows based DoS Tools? Don Bailey (Jan 13)
    - DoS/DDoS Attack Faisal Khan (Jan 14)
    - Re: DoS/DDoS Attack Nazareno Vicente Feito (Jan 14)
    - Message not available
    - Re: DoS/DDoS Attack seditiosus (Jan 14)
    - Re: DoS/DDoS Attack Steve Friedl (Jan 15)
    - Re: DoS/DDoS Attack Alexander Klimov (Jan 15)
    - RE: DoS/DDoS Attack Alex R (Jan 15)
    - RE: DoS/DDoS Attack Edward Sohn (Jan 14)
    - Message not available
    - RE: DoS/DDoS Attack Faisal Khan (Jan 15)
    - Re: DoS/DDoS Attack Erik A. Onnen (Jan 17)
    - Re: DoS/DDoS Attack Steven (Jan 17)
    - Re: DoS/DDoS Attack Rogan Dawes (Jan 17)
    - RE: DoS/DDoS Attack Jerry Shenk (Jan 20)
    - Re: DoS/DDoS Attack Barrie Dempster (Jan 20)

(Thread continues...)