From: "St. Clair, James" <JStClair@vredenburg.com>
To: "'fc@all.net'" <fc@all.net>
Subject: RE: [iwar] re: DDOS attacks
Date: Thu, 7 Jun 2001 13:07:47 -0400

FYI, from this week's SANS NewsBites...

"- From time to time a "must read" document is published. Steve Gibson, author of ShieldsUp! and one of the gurus of Windows security lived through a major distributed denial of service attack and traced the attackers. He wrote an extremely readable tutorial on it. It's long, and worth every minute. Just one of his many interesting tidbits: Windows 2000 and XP, unlike their predecessors, have enormous capacity to generate malicious Internet traffic with spoofed IP addresses. http://grc.com/dos/grcdos.htm"

Shouldn't Alan Paller know better? Who ARE the real experts...?

Jim St.Clair
Critical Infrastructure Protection
Vredenburg
(703) 412-4611

-----Original Message-----
From: Fred Cohen [mailto:fc@all.net]
Sent: Wednesday, June 06, 2001 7:28 AM
To: iwar@yahoogroups.com
Subject: Re: [iwar] re: DDOS attacks

Per the message sent by David Alexander:

> >Do these capture some quick and easy steps?
>
> 1. Those steps, to design IP filters, are not easy or quick unless you have
> a lot of knowledge in those areas.

On the other hand I published an article in 1996 that described precisely how to do this and even provides sample configuration files for some firewall I was using at the time.

> 2. By putting those filters in place you effectively reduce the
> functionality of your own services by closing certain doors.

The ONLY thing you reduce is the ability to forge things. No other effect on services occurs.

> 3. Read the following (long, but very good) article, which explains why you
> cannot maintain full connectivity and service against a well-planned and
> technically competent DDOS attacker, no matter what you do.
> http://grc.com/dos/grcdos.htm
> Sorry. I wish it were otherwise.

Your wish has come true. It is otherwise. Steve Gibson is not as much of an expert as he thinks he is and you are giving him too much credit.

1) If the filters that prevent forgery were widely used NONE of these packets would have gotten anywhere close to their target.
2) If the defender had the ability to flex IP addresses of his servers the attacks would have fallen on out-of-use IP addresses within seconds to minutes of starting.
3) The supposed sources of the attacks could have been traced if it was important enough to do it.
4) He is probably right about the FBI and his ISP - they are unlikely to help.

Don't believe everything you read.

FC
--
Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
Fred Cohen & Associates: http://all.net - fc@all.net - tel/fax:925-454-0171
Fred Cohen - Practitioner in Residence - The University of New Haven
This communication is confidential to the parties it is intended to serve.
PGP keys: https://all.net/pgpkeys.html - Have a great day!!!
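The "filters that prevent forgery" Fred Cohen refers to in point 1 are source-address anti-spoofing filters at the network edge. The following is an added example, not code from either message or from Cohen's 1996 article: it simulates such a filter for a constructed site with one upstream link (eth0) and two internal interfaces (eth1, eth2) using RFC 5737 documentation prefixes, so that packets whose source does not belong to the interface they arrive on are dropped in both directions.

```python
"""Simulated edge anti-spoofing filter (ingress and egress).

Policy (assumed topology, constructed for this example):
  * Packets entering an internal interface may only carry a source
    inside the prefixes assigned to that interface; anything else is a
    forged source headed for the Internet and is dropped.
  * Packets entering the upstream interface may not claim one of our
    own prefixes, nor a private/loopback source; those are forged
    packets coming in from the Internet and are dropped.
Only the ability to forge is lost; legitimate traffic is unaffected.
"""
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

UPSTREAM = "eth0"
INTERFACE_PREFIXES: Dict[str, List[str]] = {      # constructed assignments
    "eth1": ["192.0.2.0/25"],
    "eth2": ["192.0.2.128/25", "198.51.100.0/24"],
}
PRIVATE_OR_BOGON = [ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]
OWN_PREFIXES = [ip_network(p) for ps in INTERFACE_PREFIXES.values() for p in ps]


def filter_packet(iface: str, src: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a packet with source `src` arriving on `iface`."""
    addr = ip_address(src)
    if iface == UPSTREAM:
        if any(addr in net for net in OWN_PREFIXES):
            return "drop", "inbound packet forges one of our own addresses"
        if any(addr in net for net in PRIVATE_OR_BOGON):
            return "drop", "private/bogon source arriving from upstream"
        return "accept", "external source on upstream link"
    allowed = [ip_network(p) for p in INTERFACE_PREFIXES.get(iface, [])]
    if not allowed:
        return "drop", "unknown interface"
    if any(addr in net for net in allowed):
        return "accept", "source belongs to this interface"
    return "drop", "source not assigned to this interface (forged)"


def audit(packets: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Count verdicts over (iface, src) records, e.g. from a flow log."""
    return dict(Counter(filter_packet(iface, src)[0] for iface, src in packets))


if __name__ == "__main__":
    sample = [("eth1", "192.0.2.5"), ("eth1", "203.0.113.9"),  # constructed
              ("eth0", "203.0.113.9"), ("eth0", "192.0.2.5")]
    for pkt in sample:
        print(pkt, *filter_packet(*pkt))
```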
This archive was generated by hypermail 2.1.2 : 2001-06-30 21:44:16 PDT