Re: FW: Internet SYN Flooding, spoofing attacks

Date view Thread view Subject view Author view

From: Mark Baker (distobj@acm.org)
Date: Mon Feb 14 2000 - 20:34:32 PST


> As far as spoofing goes, in their SMURF mode, the only spoofing
>is the src_addr part of the ICMP echo that the slave systems send to
>their LOCAL broadcast address. That src_addr is the address of the
>system being attacked by ICMP_ECHOREPLY packets that simply consume all
>its bandwidth. Check out the analysis.
>
> Anti spoofing entry filters would have been of zero effect.

He could have at least pointed people here[1], where you can test networks
for their amplification ability. Beduin's host (conveyor.com) was used for
an attack in 98, and the recipient of that attack was kind enough to point
us there.

 [1] http://www.powertech.no/smurf/

MB


Date view Thread view Subject view Author view

This archive was generated by hypermail 2b29 : Mon Feb 14 2000 - 21:30:56 PST