RE: [iwar] re: DDOS attacks

From: St. Clair, James (
Date: 2001-06-07 10:07:47

Message-ID: <B30A25E2D1D2D1118021006097C3AC63C98064@CCOPO>
From: "St. Clair, James" <>
To: "''" <>
Subject: RE: [iwar] re: DDOS attacks
Date: Thu, 7 Jun 2001 13:07:47 -0400 

FYI, from this week's SANS NewsBites...

"- From time to time a "must read" document is published. Steve Gibson,
author of ShieldsUp! and one of the gurus of Windows security lived
through a major distributed denial of service attack and traced the
attackers. He wrote an extremely readable tutorial on it.  It's long,
and worth every minute.  Just one of his many interesting tidbits:
Windows 2000 and XP, unlike their predecessors, have enormous capacity
to generate malicious Internet traffic with spoofed IP addresses."

Shouldn't Alan Paller know better? Who ARE the real experts...?

Jim St.Clair
Critical Infrastructure Protection
(703) 412-4611

-----Original Message-----
From: Fred Cohen []
Sent: Wednesday, June 06, 2001 7:28 AM
Subject: Re: [iwar] re: DDOS attacks

Per the message sent by David Alexander:

> >Do these capture some quick and easy steps?

> 1. Those steps, to design IP filters, are not easy or quick unless you have
> a lot of knowledge in those areas.

On the other hand I published an article in 1996 that described
precisely how to do this and even provided sample configuration
files for some firewall I was using at the time.

> 2. By putting those filters in place you effectively reduce the
> functionality of your own services by closing certain doors.

The ONLY thing you reduce is the ability to forge things.  No other
effect on services occurs.

> 3. Read the following (long, but very good) article, which explains why you
> cannot maintain full connectivity and service against a well-planned and
> technically competent DDOS attacker, no matter what you do.


> Sorry. I wish it were otherwise.

Your wish has come true.  It is otherwise.  Steve Gibson is not as much
of an expert as he thinks he is and you are giving him too much credit.

1) If the filters that prevent forgery were widely used NONE of these
packets would have gotten anywhere close to their target.

2) If the defender had the ability to flex IP addresses of his servers
the attacks would have fallen on out-of-use IP addresses within seconds
to minutes of starting.

3) The supposed sources of the attacks could have been traced if it was
important enough to do it.

4) He is probably right about the FBI and his ISP - they are unlikely
to help.

Don't believe everything you read.


Fred Cohen at Sandia National Laboratories at tel:925-294-2087
  Fred Cohen & Associates: - -
      Fred Cohen - Practitioner in Residence - The University of New Haven
   This communication is confidential to the parties it is intended to
	PGP keys: - Have a great day!!!
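The "filters that prevent forgery" in point 1 of the message above are source-address validation filters at the network border (the approach later written up as BCP 38 / RFC 2827). What follows is an added example, not part of either message and not the 1996 article's configuration: a Python model of such a filter, run over constructed packets so the reader can see which traffic it drops and which it leaves alone. The interface names, prefixes, sample packets and the iptables rendering are all assumptions chosen for illustration.

```python
# Added example: source-address validation ("anti-spoofing" filtering) at a
# border router, modelled in Python so the policy can be run over sample
# packets. Topology, interface names and prefixes are hypothetical.
import ipaddress
from dataclasses import dataclass

UPSTREAM_IF = "up0"                        # interface facing the Internet
INTERFACE_PREFIXES = {                     # edge interfaces and what they may source
    "cust0": ["203.0.113.0/24"],
    "lan0": ["198.51.100.0/24"],
}
OUR_PREFIXES = [p for ps in INTERFACE_PREFIXES.values() for p in ps]
# Addresses never valid as a public Internet source (partial bogon list).
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
          "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4"]


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    out_iface: str  # interface chosen by the routing decision
    src: str
    dst: str


def _in_any(addr, prefixes):
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def filter_packet(pkt):
    """Return ("accept"|"drop", reason). Only the source address is judged,
    so every rule rejects packets whose source could not truthfully have
    arrived on that interface; traffic with an honest source is untouched."""
    src = ipaddress.ip_address(pkt.src)
    if _in_any(src, BOGONS):
        return ("drop", "bogon source")
    # Ingress from an edge interface: the source must be one of the
    # addresses assigned behind that interface (the core of BCP 38).
    if pkt.in_iface in INTERFACE_PREFIXES:
        if not _in_any(src, INTERFACE_PREFIXES[pkt.in_iface]):
            return ("drop", f"{pkt.src} is not assigned behind {pkt.in_iface}")
    # Ingress from upstream: nobody outside may claim one of our addresses.
    if pkt.in_iface == UPSTREAM_IF and _in_any(src, OUR_PREFIXES):
        return ("drop", "our own prefix arriving from upstream")
    # Egress to upstream: everything we emit carries one of our addresses.
    if pkt.out_iface == UPSTREAM_IF and not _in_any(src, OUR_PREFIXES):
        return ("drop", "outbound packet with a foreign source")
    return ("accept", "source consistent with interface")


def iptables_rules():
    """Render the same policy as iptables FORWARD rules (illustrative only)."""
    rules = [f"iptables -A FORWARD -s {b} -j DROP" for b in BOGONS]
    for iface, prefixes in INTERFACE_PREFIXES.items():
        chain = f"SPOOF_{iface.upper()}"       # per-interface ingress check
        rules.append(f"iptables -N {chain}")
        rules.append(f"iptables -A FORWARD -i {iface} -j {chain}")
        rules += [f"iptables -A {chain} -s {p} -j RETURN" for p in prefixes]
        rules.append(f"iptables -A {chain} -j DROP")
    for p in OUR_PREFIXES:                     # our addresses never come from outside
        rules.append(f"iptables -A FORWARD -i {UPSTREAM_IF} -s {p} -j DROP")
    rules.append("iptables -N EGRESS")          # outbound must use our addresses
    rules.append(f"iptables -A FORWARD -o {UPSTREAM_IF} -j EGRESS")
    rules += [f"iptables -A EGRESS -s {p} -j RETURN" for p in OUR_PREFIXES]
    rules.append("iptables -A EGRESS -j DROP")
    return rules


# Constructed packets: a flood with a forged source from a customer, a packet
# arriving from upstream that claims one of our addresses, a private address
# leaking outward, and two legitimate packets.
SAMPLE_PACKETS = [
    Packet("cust0", "up0", "203.0.113.7", "192.0.2.10"),    # legitimate
    Packet("cust0", "up0", "192.0.2.99", "192.0.2.10"),     # forged source
    Packet("up0", "lan0", "203.0.113.7", "198.51.100.5"),   # spoofs us from outside
    Packet("up0", "lan0", "192.0.2.10", "198.51.100.5"),    # legitimate reply
    Packet("lan0", "up0", "10.0.0.5", "192.0.2.10"),        # private source leaking
]


def run_samples(packets=SAMPLE_PACKETS):
    return [(p.src, *filter_packet(p)) for p in packets]


if __name__ == "__main__":
    for src, verdict, why in run_samples():
        print(f"{verdict:6} {src:15} {why}")
    print("\n".join(iptables_rules()))
```

Both legitimate packets pass and the three spoofed or leaking ones are dropped; no rule looks at ports, protocols or destinations, which is why a filter of this kind removes only the ability to forge sources and nothing else. The limitation the message alludes to is also visible here: the filter protects the target only when it is deployed at the networks the forged packets leave from, so it has to be widely adopted to help.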



This archive was generated by hypermail 2.1.2 : 2001-06-30 21:44:16 PDT