Re: Naptha - New DoS

[Damian Menscher <menscher () uiuc edu>]

On Mon, 11 Dec 2000, AV wrote:
> Mon, 11 Dec 2000 09:47:54 +0100 Stephane Aubert wrote:
>
> > Overview of the attack
> > ======================
> >
> > This attack can be launched from several sources (such as ddos
> > infected computers or else) and use a very specific RESET server.
>
> [snip]
>
> > New idea:
> > ---------
> >
> > In order to consume resources on the victim ONLY and deny it, we use a
> > reset server to close the connection on the attacker side.
>
> Possibly, it's a good solution to use something similar to the traffic
> shaper, which should permit no more than MAX_CONN_PER_IP open
> connections from one given IP. I suppose, now it is a "must have"
> feature of every firewall. The only disadvantage I can suggest: the
> attacker may use more than one computer to launch the exploit, but
> finding an additional computer is much harder than a number of loop
> iterations.

You don't seem to understand exactly how the attack works.  *The
attacking IP does not exist.*  If the attacker has a lan that has 255
IPs, but only 100 are used, then they use one machine to spoof the
remaining 155 IPs, and another to resolve those connections.  Still just
two machines running the attack, but will get past your traffic shaper
if it just looks for multiple connections from a single IP.

Damian Menscher
--
--==## Grad. student & Sys. Admin. @ U. Illinois at Urbana-Champaign ##==--
--==## <menscher () uiuc edu> www.uiuc.edu/~menscher/ Ofc:(217)333-0038 ##==--
--==## Physics Dept, 1110 W Green, Urbana IL 61801 Fax:(217)333-9819 ##==--