Re: [iwar] re: DDOS attacks

From: Fred Cohen (
Date: 2001-06-06 04:28:04

Return-Path: <>
Received: from by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Wed, 06 Jun 2001 04:29:07 -0700 (PDT)
Received: (qmail 21013 invoked by uid 510); 6 Jun 2001 10:29:16 -0000
Received: from ( by with SMTP; 6 Jun 2001 10:29:16 -0000
Received: from [] by with NNFMP; 06 Jun 2001 11:28:06 -0000
Received: (EGP: mail-7_1_3); 6 Jun 2001 11:28:04 -0000
Received: (qmail 83371 invoked from network); 6 Jun 2001 11:28:04 -0000
Received: from unknown ( by with QMQP; 6 Jun 2001 11:28:04 -0000
Received: from unknown (HELO ( by mta1 with SMTP; 6 Jun 2001 11:28:04 -0000
Received: (from fc@localhost) by (8.9.3/8.7.3) id EAA29798 for; Wed, 6 Jun 2001 04:28:04 -0700
Message-Id: <>
In-Reply-To: <> from "David Alexander" at Jun 06, 2001 09:56:22 AM
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
From: Fred Cohen <>
Mailing-List: list; contact
Delivered-To: mailing list
Precedence: bulk
List-Unsubscribe: <>
Date: Wed, 6 Jun 2001 04:28:04 -0700 (PDT)
Subject: Re: [iwar] re: DDOS attacks
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Per the message sent by David Alexander:

> >Do these capture some quick and easy steps?

> 1. Those steps, to design IP filters, are not easy or quick unless you have
> a lot of knowledge in those areas.

On the other hand I published an article in 1996 that described
precisely how to do this and even provides sample configuration
files for some firewall I was using at the time.

> 2. By putting those filters in place you effectively reduce the
> functionality of your own services by closing certain doors.

The ONLY thing you reduce is the ability to forge things.  No other
effect on services occurs.

> 3. Read the following (long, but very good) article, which explains why you
> cannot maintain full connectivity and service against a well-planned and
> technically competent DDOS attacker, no matter what you do.


> Sorry. I wish it were otherwise.

Your wish has come true.  It is otherwise.  Steve Gibson is not as much
of an expert as he thinks he is and you are giving him too much credit.

1) If the filters that prevent forgery were widely used NONe of these
packets would have gotten anywhere close to their target.

2) If the defender had the ability to flex IP addresses of his servers
the attacks would have fallen on out-of-use IP addresses within seconds
to minutes of starting.

3) The supposed sources of the attacks could have been traced if it was
important enough to do it.

4) His is probably right about the FBI and his ISP - they are unlikely
to help.

Don't believe everything you read.


Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
  Fred Cohen & Associates: - - tel/fax:925-454-0171
      Fred Cohen - Practitioner in Residence - The University of New Haven
   This communication is confidential to the parties it is intended to serve.
	PGP keys: - Have a great day!!!


Your use of Yahoo! Groups is subject to 

This archive was generated by hypermail 2.1.2 : 2001-06-30 21:44:15 PDT