Re: DoS/DDoS Attack

From: Rainer Duffner (rainer@ultra-secure.de)
Date: Fri Jan 14 2005 - 12:44:16 EST


Faisal Khan wrote:

>
>
> Folks,
>
> Two quick questions.
>
> When IP (Source) addresses are spoofed, is there no way of determining
> (a) that the IP Source Address is spoofed and not the genuine one
> (b) to be able to determine the actual IP address that is sending DoS
> packets?
>
> Somehow I get the feeling I'm SOL when trying to find out the
> "genuine/actual" source IP address.
>

I think the problem is that nowadays, it's not one (1!) IP, but possibly
thousands of zombies - commanded by master-servers that don't directly
attack you and thus are invisible to you.
Trying to trace them is probably an exercise in futility.

> If this is the case, then pretty much we all are helpless with
> DoS/DDoS attacks - considering one can write a script/program to keep
> incrementing or randomly assigning spoofed source addresses in the DoS
> packets being sent out.

I haven't looked into this for some time, but last time I heard about
this, someone said that the ISP must trace through which
interface/router/linecard the packets actually come through - and then
ask his upstream to do the same (and so on).
But perhaps, there's a more clever alternative these days.

cheers,
Rainer

-- 
===================================================
~     Rainer Duffner - rainer@ultra-secure.de     ~
~           Freising - Munich - Germany           ~
~    Unix - Linux - BSD - OpenSource - Security   ~
~  http://www.ultra-secure.de/~rainer/pubkey.pgp  ~
===================================================

