RE: Why bandwidth consuming ddos attack using only udp or icmp?

["Murda Mcloud" <murdamcloud () bigpond com>]

> > What I would like to know is that some data included spoofed tcp packets
> > without 3 way handshake is possible or not?
Do you mean a syn flood?
I think that's what you're talking about.

> > -----Original Message-----
> > From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> > On Behalf Of MontyRee
> > Sent: Sunday, March 02, 2008 10:47 AM
> > To: security-basics () securityfocus com; brian.bevers () gmail com;
> > ajay () printwire org
> > Subject: RE: Why bandwidth consuming ddos attack using only udp or icmp?
> >
> >
> > Thanks again for your answer.
> > I know already the difference of tcp and other stateless protocol.
> >
> > What I would like to know is that some data included spoofed tcp packets
> > without 3 way handshake is possible or not?
> > Is it impossible?
> >
> >
> > Regards.
> >
> >
> >
> > > Sending huge data on TCP would require the TCP handshake be completed
> > > first. If the connection was initiated using a spoofed source IP, then
> > how
> > > would the handshake complete. If real IP is used in order to complete
> > the
> > > handshake, then the source identity (IP) is revealed.
> >
> > > Ajay Tikoo
> >
> >
> >
> > -----Original Message-----
> > From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> > On
> > Behalf Of MontyRee
> > Sent: Saturday, March 01, 2008 9:15 AM
> > To: gillettdavid () fhda edu; security-basics () securityfocus com
> > Subject: RE: Why bandwidth consuming ddos attack using only udp or icmp?
> >
> >
> > Thanks for your answer.
> >
> >
> > Sorry for my poor english.
> > what I would like to know is why ddos attacker don't using tcp for
> > bandwidth consuming attack?
> >
> > for example, attacker can create some data included spoofed tcp packet,
> > so he can send lots of tcp packets toward to the port 80/tcp of the
> > victim
> > like syn flooding attack.
> >
> > but I didn't see any ddos traffic like this.
> >
> > If I'm a attacker, this attack(data included spoofed tcp packet) would be
> > more effective than udp or icmp, because this protocol can be filtered at
> > the router by the policy.
> > and syn flooding can be filtered by the syncookies, I think.
> > and data included tcp packet toward to port 80 can't be filtered by the
> > router, right?
> >
> >
> >
> > Thanks for your help.
> >
> >
> > > From: gillettdavid () fhda edu
> > > To: chulmin2 () hotmail com; security-basics () securityfocus com
> > > Subject: RE: Why bandwidth consuming ddos attack using only udp or
> > icmp?
> > > Date: Fri, 29 Feb 2008 08:51:25 -0800
> > >
> > > > So, some network administrator said that he filtered all udp
> > > > and icmp just against the bandwidth consuming ddos attack at
> > > > the border router.
> > > > (Surely some problems would be happen..dns..somethinf like that)
> > >
> > > Presumably he made an exception for DNS, and perhaps NTP.
> > >
> > > Note that the bandwidth bottleneck is typically outside the border
> > router,
> > > so filters on that router only apply after the bandwidth has been
> > > consumed....
> > >
> > > > Is it impossible or ineffective using tcp for bandwidth
> > > > consuming attack in the point of attacker?
> > > > anyone who saw the bandwidth consuming attack using tcp?
> > >
> > > It's not impossible, but it's extra work, and reveals the attacker's IP
> > > address to anyone who detects the attack. (Or at least one or more
> > > addresses under the attacker's control.)
> > >
> > > In your case, the TCP portion of the attack is probably trying to
> > > exhaust half-open connection entries (SYN flood) rather than bandwidth.
> > > He can use spoofed source addresses for that.
> > >
> > > David Gillett
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: listbounce () securityfocus com
> > > > [mailto:listbounce () securityfocus com] On Behalf Of MontyRee
> > > > Sent: Thursday, February 28, 2008 6:52 PM
> > > > To: security-basics () securityfocus com
> > > > Subject: Why bandwidth consuming ddos attack using only udp or icmp?
> > > >
> > > >
> > > >
> > > > Hello, list.
> > > >
> > > > I have operated network in my company and recently I have
> > > > experienced some ddos attack(inbound) on my network.
> > > >
> > > > It seems that the ddos attack was divided in two
> > > >
> > > > first, the bandwidth consuming attack was all consist of udp
> > > > or icmp using big size packet(about 1500 byte).
> > > > second tcp based attack for example http(80/tcp) is mostly
> > > > creates lots of pps using small size packet(about 40 byte )
> > > >
> > > > So, some network administrator said that he filtered all udp
> > > > and icmp just against the bandwidth consuming ddos attack at
> > > > the border router.
> > > > (Surely some problems would be happen..dns..somethinf like that)
> > > >
> > > > and I have one question.
> > > >
> > > > Is it impossible or ineffective using tcp for bandwidth
> > > > consuming attack in the point of attacker?
> > > > anyone who saw the bandwidth consuming attack using tcp?
> > > >
> > > >
> > > > Thanks in advance.
> > > >
> > > > _________________________________________________________________
> >
> > _________________________________________________________________
> > 나의 글로벌 인맥, Windows Live Space!
> > http://www.spaces.live.com