RE: [iwar] re: DDOS attacks

From: St. Clair, James (JStClair@vredenburg.com)
Date: 2001-06-07 10:07:47


From: "St. Clair, James" <JStClair@vredenburg.com>
To: "'fc@all.net'" <fc@all.net>
Subject: RE: [iwar] re: DDOS attacks
Date: Thu, 7 Jun 2001 13:07:47 -0400 

FYI, from this week's SANS NewsBites...

"- From time to time a "must read" document is published. Steve Gibson,
author of ShieldsUp! and one of the gurus of Windows security lived
through a major distributed denial of service attack and traced the
attackers. He wrote an extremely readable tutorial on it.  It's long,
and worth every minute.  Just one of his many interesting tidbits:
Windows 2000 and XP, unlike their predecessors, have enormous capacity
to generate malicious Internet traffic with spoofed IP addresses.
http://grc.com/dos/grcdos.htm"

Shouldn't Alan Paller know better? Who ARE the real experts...?

Jim St.Clair
Critical Infrastructure Protection
Vredenburg
(703) 412-4611


-----Original Message-----
From: Fred Cohen [mailto:fc@all.net]
Sent: Wednesday, June 06, 2001 7:28 AM
To: iwar@yahoogroups.com
Subject: Re: [iwar] re: DDOS attacks


Per the message sent by David Alexander:

> >Do these capture some quick and easy steps?

> 1. Those steps, to design IP filters, are not easy or quick unless you have
> a lot of knowledge in those areas.

On the other hand I published an article in 1996 that described
precisely how to do this and even provides sample configuration
files for some firewall I was using at the time.

> 2. By putting those filters in place you effectively reduce the
> functionality of your own services by closing certain doors.

The ONLY thing you reduce is the ability to forge things.  No other
effect on services occurs.

> 3. Read the following (long, but very good) article, which explains why you
> cannot maintain full connectivity and service against a well-planned and
> technically competent DDOS attacker, no matter what you do.

> http://grc.com/dos/grcdos.htm

> Sorry. I wish it were otherwise.

Your wish has come true.  It is otherwise.  Steve Gibson is not as much
of an expert as he thinks he is and you are giving him too much credit.

1) If the filters that prevent forgery were widely used NONE of these
packets would have gotten anywhere close to their target.

2) If the defender had the ability to flex IP addresses of his servers
the attacks would have fallen on out-of-use IP addresses within seconds
to minutes of starting.

3) The supposed sources of the attacks could have been traced if it was
important enough to do it.

4) He is probably right about the FBI and his ISP - they are unlikely
to help.

Don't believe everything you read.

FC

--
Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
  Fred Cohen & Associates: http://all.net - fc@all.net - tel/fax:925-454-0171
  Fred Cohen - Practitioner in Residence - The University of New Haven
  This communication is confidential to the parties it is intended to serve.
  PGP keys: https://all.net/pgpkeys.html - Have a great day!!!
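Fred's point 1 above is about edge filters that refuse packets carrying forged source addresses. The following is an added example, not code from either poster, showing the two halves of such a check (egress: only our own prefixes may leave as a source; ingress: nothing arriving from outside may claim our prefixes or a private range) run over constructed sample packets; the prefixes and addresses are made-up sample values.

```python
import ipaddress

# Prefix assigned to the network this filter protects (constructed sample value).
INTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source ranges that can never legitimately arrive from the Internet.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def filter_decision(direction, src, dst, internal=INTERNAL_PREFIXES):
    """Return (verdict, reason) for one packet.

    direction is 'egress' (leaving our network) or 'ingress' (arriving from outside).
    """
    s = ipaddress.ip_address(src)
    if direction == "egress":
        # Only addresses we actually own may leave as a source; anything else is forged.
        if not _in_any(s, internal):
            return "drop", "egress source not in assigned prefixes"
        return "accept", "ok"
    if direction == "ingress":
        # Traffic from outside must not claim our own addresses or a private/reserved range.
        if _in_any(s, internal):
            return "drop", "ingress source claims internal prefix"
        if _in_any(s, BOGON_PREFIXES):
            return "drop", "ingress source in bogon range"
        return "accept", "ok"
    raise ValueError("unknown direction: %r" % direction)


def apply_filter(packets, internal=INTERNAL_PREFIXES):
    """Run the filter over (direction, src, dst) tuples; return per-packet decisions."""
    return [(p, *filter_decision(p[0], p[1], p[2], internal)) for p in packets]


# Constructed sample traffic: a mix of legitimate and spoofed packets.
SAMPLE_PACKETS = [
    ("egress", "203.0.113.10", "198.51.100.5"),   # legitimate outbound
    ("egress", "192.0.2.77", "198.51.100.5"),     # forged source trying to leave our net
    ("ingress", "198.51.100.5", "203.0.113.10"),  # legitimate inbound
    ("ingress", "203.0.113.99", "203.0.113.10"),  # outsider claiming one of our addresses
    ("ingress", "10.1.2.3", "203.0.113.10"),      # private-range source from the Internet
]


def spoofed_count(packets=SAMPLE_PACKETS):
    """Number of packets the filter drops as forged."""
    return sum(1 for _, verdict, _ in apply_filter(packets) if verdict == "drop")
```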




This archive was generated by hypermail 2.1.2 : 2001-06-30 21:44:16 PDT