RE: DoS Attackers using only udp and icmp protocol?

["Lehman, Jim" <JLehman () mail esignal com>]

Could this the result of a spoofed IP source smurf attack or some other
amplification attack?

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of krymson () gmail com
Sent: Friday, February 09, 2007 12:16 PM
To: security-basics () securityfocus com
Subject: Re: DoS Attackers using only udp and icmp protocol?

TCP DoS attacks are quite common, especially SYN floods. Because systems
listening on TCP for the 3-way handshake have a time-out while they wait
for the completion of the handshake after a SYN is first received, you
can exhaust resources on the system be flooding lots of SYNs and just
not completing the handshake. You could even complete the handshake and
flood that way as well.

I will throw an opinion out that might be wrong, but I feel TCP-related
floods tend to be aimed at exhausting TCP-listening resources on a
target. UDP and ICMP floods tend to also target saturation of the
target's network bandwidth.


<- snip ->

I have monitored that some DoS attack which generates large bps(over
1Gbps) 
against my network.
and I can see that all dos related packets are udp and icmp not tcp.

In the point of view attacker, 
Is it impossible that generates lots of packets and large packets using
tcp 
without 3 way handshake?


DISCLAIMER: This message (including any files transmitted with it) may contain confidential and / or proprietary 
information, is the property of Interactive Data Corporation and / or its subsidiaries and is directed only to the 
addressee(s). If you are not the designated recipient or have reason to believe you received this message in error, 
please delete this message from your system and notify the sender immediately. An unintended recipient's disclosure, 
copying, distribution or use of this message, or any attachments, is prohibited and may be unlawful.