
Re: WANTED: ISPs with DDoS defense solutions
From: Michael.Dillon () radianz com
Date: Wed, 6 Aug 2003 10:15:18 +0100

How would the spoofing program, or its user, be able to tell if
it was successful?  Unless I'm very confused, the definition of
spoofing is that the return packets aren't going to come back to you.

the whole thing would have to take place during a tcp control session
which used d-h to scramble itself, sort of the same way ssh does. 

Diffie-Hellman is a bit overkill.

It's simpler to have the client open a TCP connection to the server, 
retrieve a token which is just some reasonable number of random bits like 
64, then send the token back in a set of UDP packets using spoofed 
addresses, then pause for a second or two and ask the server (through the 
TCP connection) whether it saw the spoofed packets. Three UDP packets 
should be enough to eliminate most packet loss scenarios and the spoofed 
address could be chosen by munging the first octet to a number from 44 to 

That's enough for the server to collect stats and to provide a status 
report to the client.

If the client is behind a NAT, and the spoofed source address doesn't get 
through, then that's OK because it means that no application in that same 
location behind the NAT can use spoofed addresses.

--Michael Dillon

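Added example (not from the post, and not code by its author): the server-side bookkeeping for the token check described above, written in Python. It assumes a hypothetical `SpoofCheckServer` with an in-memory token table, three probes per token as suggested, a constructed 30-second token lifetime, and that the caller handles the sockets, passing in the TCP peer address when the token is issued and each UDP datagram's source address and payload as it arrives.

```python
import secrets
import time
from dataclasses import dataclass, field

PROBES_PER_TOKEN = 3      # UDP packets the client sends per token, as in the post
TOKEN_TTL_SECONDS = 30    # assumed token lifetime; covers the "pause a second or two"

@dataclass
class Pending:
    tcp_peer: str         # client's real address, learnt from the TCP session
    issued_at: float
    udp_sources: list = field(default_factory=list)   # source IPs seen on UDP

class SpoofCheckServer:
    """Hypothetical server side of the token-based spoofing check."""
    def __init__(self):
        self.pending = {}  # token -> Pending

    def issue_token(self, tcp_peer, now=None):
        """Step 1: over TCP the server hands out 64 random bits (8 bytes, hex)."""
        token = secrets.token_hex(8)
        self.pending[token] = Pending(tcp_peer, time.time() if now is None else now)
        return token

    def on_udp(self, src_ip, payload):
        """Step 2: a UDP datagram arrives; keep its source if it carries a live token."""
        token = payload.decode("ascii", errors="replace").strip()
        entry = self.pending.get(token)
        if entry is None or len(entry.udp_sources) >= PROBES_PER_TOKEN:
            return False   # unknown token, or already enough probes: ignore
        entry.udp_sources.append(src_ip)
        return True

    def status(self, token, now=None):
        """Step 3: over TCP the client asks what was seen; the token is consumed."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return {"result": "unknown_token"}
        if (time.time() if now is None else now) - entry.issued_at > TOKEN_TTL_SECONDS:
            return {"result": "expired"}
        forged = [s for s in entry.udp_sources if s != entry.tcp_peer]
        if not entry.udp_sources:
            verdict = "no_probes_seen"      # filtered upstream, NAT drop, or loss
        elif forged:
            verdict = "spoofing_possible"   # datagrams arrived with a forged source
        else:
            verdict = "spoofing_blocked"    # only the real address got through (NAT rewrite)
        return {"result": verdict, "received": len(entry.udp_sources),
                "sources": entry.udp_sources, "tcp_peer": entry.tcp_peer}
```

The verdict compares each UDP source against the address seen on the TCP session, so a datagram whose source was rewritten by a NAT counts as "blocked" rather than "spoofed".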