Re: Internet SYN Flooding, spoofing attacks

To: IETF at ietf.org
Subject: Re: Internet SYN Flooding, spoofing attacks
From: Leonid Yegoshin <egoshin at genesyslab.com>
Date: Tue, 15 Feb 2000 16:45:38 -0800

>From: Vernon Schryver <vjs at calcite.rhyolite.com>
>
>> ...
>> The basic idea then would be to trace back bad packets that
>> conform to some typically innocent, but occasionally troublesome,
>> profiles.  The profiles will become self-evident with experience,
>> and once people know they will be caught by this traceback
>> system they will think twice before spreading their crap around.
>
>If I were building a DDoS engine today, I'd write a conventional
>(Microsoft) DOS virus that does nothing except once every 3 minutes do
>the equivalent of:
>
>    echo "GET /index.html HTTP/1.0"; echo) | telnet -r $1 80
>
>(maybe instead with a random request instead of /index.html)
>
>After a few 1,000,000 desktops have been infected by familiar virus
>vectors, the victim might notice the traffic.
>How would you filter for them?  Even if you could give routers
>enough processing power, what would you learn from the filtering
>that you'd care to apply?

  It is possible to get more big bang in this case: virus may asks
DNS servers about some generated domain names. Algoritm to fight
negative caching effect is simple. With millions names in .com
there is a long way to keep asking.

			       - Leonid Yegoshin, LY22

Prev by Date: Re: IETF Adelaide and interim meetings for APPS WGs
Next by Date: Re: IETF Adelaide and interim meetings for APPS WGs
Previous by thread: Re: Internet SYN Flooding, spoofing attacks
Next by thread: Re: Internet SYN Flooding, spoofing attacks
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

Re: Internet SYN Flooding, spoofing attacks

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.