Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: DoS/DDoS Attack

From: Rainer Duffner <rainer () ultra-secure de>
Date: Fri, 14 Jan 2005 18:44:16 +0100
Faisal Khan wrote:




Folks,

Two quick questions.
When IP (Source) addresses are spoofed, is there no way of determining (a) that the IP Source Addresses is spoofed and not the genuine one (b) to be able to determine the actual IP address that is sending DoS packets?
Somehow I get the feeling I'm SOL when trying to find out the "genuine/actual" source IP address.
I think the problem is that nowadays, it's not one (1!) IP, but possibly thousands of zombies - commanded by master-servers that don't directly attack you and thus are invisible to you. 
Trying to trace them is probably an exercise in futility.
If this is the case, then pretty much we all are helpless with DoS/DDoS attacks - considering one can write a script/program to keep incrementing or randomly assigning spoofed source addresses in the DoS packets being sent out.
I haven't looked into this for some time, but last time I heard about this, someone said that the ISP must trace through which interface/router/linecard the packets actually come through - and then ask his upstream to do the same (and so on). 
But perhaps, there's a more clever alternative these days.



cheers,
Rainer

--
===================================================
~     Rainer Duffner - rainer () ultra-secure de     ~
~           Freising - Munich - Germany           ~
~    Unix - Linux - BSD - OpenSource - Security   ~
~  http://www.ultra-secure.de/~rainer/pubkey.pgp  ~
===================================================
Previous By Date Next
Previous By Thread Next

Current thread: