Firewall Wizards mailing list archives

Re: Blitzkrieg Server -- For Real?!


From: tqbf () secnet com
Date: Tue, 12 May 1998 00:21:53 -0500 (CDT)

> source IP addresses. Unless _every_ router from the attacker keeps a
> complete traffic log, _including_ the port/line from which a particular
> packet was received, it is not possible to trace such a spoof back after
> the fact. (It is extremely hard to do _while_ it is happening; compare to

This is not (specifically, in point of technical fact) true. It is
possible for a cooperating path of routers to trace back IP traffic
without logging all of it; I would not expect reasonably reliable (in
terms of ratio of successful traces to failures) to be difficult to
implement if the world agreed on a protocol to do so.

Protocols that allow routers to cooperatively trace back IP packets are
already in development. In order to implement something like this, all you
would need would be some appropriately sized cache of (address, interface)
tuples. Within some window of time, it would be possible to query the
router for the physical interface (or, more likely, the next-hop back)
associated with any given packet received from it.

There are already Perl scripts that (very crudely) force chains of routers
to "cooperate" using their enable passwords and debugging interfaces.

I'm just posting this to clear up any misunderstandings that anyone might
have received about how feasible it is to trace IP traffic; I don't think
we know enough about the subject to say conclusively whether it's
feasible. However, the assumption that persistent logging would be
required to do it probably isn't true.

Of course, this has no bearing whatsoever on that idiotic press
announcement about the "Blitzkrieg" server. No real commercial
organizations with brains enough to retain an attorney would be dumb
enough to design and produce software that launched counterattacks.

-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf    "If you're so special, why aren't you dead?"
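An added toy model of the cooperative traceback sketched in the post (example code, not the author's or any real router's): each router keeps a bounded, time-windowed cache mapping a packet's source address to the ingress it arrived on (the previous hop, or a physical port at the network edge), and a query walks the chain back hop by hop. Router names, ports, addresses, cache size and window are constructed; the two failure cases (window expired, entry evicted) show why the cache size and time window, not persistent logging, set the limit.

```python
from collections import OrderedDict

class Router:
    def __init__(self, cache_size, window):
        self.cache_size, self.window = cache_size, window
        self.cache = OrderedDict()          # src address -> (ingress, last seen)
    def observe(self, src, ingress, now):
        self.cache.pop(src, None)           # re-insert so order is by last sight
        self.cache[src] = (ingress, now)
        while len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)  # bounded cache: drop least recent
    def query(self, src, now):
        """Where did packets from src come in? None if unknown or too old."""
        entry = self.cache.get(src)
        if entry is None:
            return None                     # evicted or never seen
        ingress, seen = entry
        return ingress if now - seen <= self.window else None

def forward(routers, path, src, ingress_port, now):
    """One packet enters path[0] on a physical port; each router records its previous hop."""
    prev = ingress_port
    for name in path:
        routers[name].observe(src, prev, now)
        prev = name

def traceback(routers, start, src, now):
    """Walk back from the router nearest the victim; returns (routers visited, edge port or None)."""
    hops, current = [start], start
    while True:
        ingress = routers[current].query(src, now)
        if ingress is None:
            return hops, None               # a router lost its record: trace fails here
        if ingress not in routers:          # a physical port: reached the edge
            return hops, ingress
        hops.append(ingress)
        current = ingress

def demo():
    routers = {n: Router(cache_size=2, window=60) for n in ("R1", "R2", "R3")}
    spoofed = "198.51.100.7"                # constructed forged source address
    forward(routers, ["R1", "R2", "R3"], spoofed, "R1:port7", now=100)
    ok = traceback(routers, "R3", spoofed, now=130)
    late = traceback(routers, "R3", spoofed, now=200)       # window expired
    for i in range(3):                      # unrelated traffic floods R1's cache
        forward(routers, ["R1"], f"203.0.113.{i}", f"R1:port{i}", now=131)
    evicted = traceback(routers, "R3", spoofed, now=132)
    return ok, late, evicted
```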


