I think that some DNS implementations and Operating Systems (certainly Windows) ignore the Max TTL and impose their own TTL on cached matches.

I suspect that this sort of forensic may be an interesting additional tool, but a large amount of spoofed traffic won't be unspoofable because:

1. The DNS info is cached for popular sites so the target doesn't see the DNS query
2. The attacker uses a random starting TTL
3. There's simply too much traffic to make the connection

I'd love to see ISPs policing their own traffic - it would be relatively easy for them to validate the source IP at the point of ingress from the customer (they must know the range of valid IP Addresses because they have to route traffic there - there may be the odd customer that is also a BGP transit, but special arrangements can be made). It's harder to test source IP Addresses once you get to transit links, although it's not impossible, as the peering agreements should indicate the range of IP Addresses that will be coming from that network (you can use the BGP routing tables, in reverse), but this isn't a feature of current network hardware so it could only be managed by some form of out-of-band monitoring.

Of course, many ISPs charge based on traffic throughput so it may not be in their best interests to impose such limitations. Maybe if an ISP ever does get prosecuted for allowing spoofed traffic to be generated we might see things change.

-----Original Message-----
From: eric.princeat_private [mailto:eric.princeat_private]
Sent: 18 September 2002 14:33
To: forensicsat_private
Subject: The Art of Unspoofing

I saw this article on a site yesterday; the entire thing can be found at http://www.innu.org/~sean/articles/unspoofing.txt. Perhaps it is of some interest:

The amount and frequency of denial of service attacks are escalating. It's becoming harder to track down the source who initiates them due to trace-evasion techniques. A raw interface to the networking stack allows anyone to send spoofed packets to a target host, eliminating the ability of its administrator to determine the origin of the attack. In today's world of e-commerce and globalization, the attacks and the inability to determine their source can be devastating. It gives small companies a bad name, and destroys the good reputations of larger companies. The ability to track down the source that uses spoofing techniques will certainly increase the chance to catch those attacking, and will force people to think of more intricate ways to attack servers on the net. This paper describes a few ways to track down these types of attacks up to the last link in the chain (the attacker himself), or at least his ISP.

Eric Prince

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
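An added example, not from the thread or the unspoofing paper, of the two defender-side checks the reply discusses: validating a packet's source address at the customer ingress against the prefixes routed to that customer, and comparing the hop count inferred from a packet's IP TTL with a baseline sample from the same claimed source (the reply's caveats, cached DNS and a random starting TTL, show up as the `no_baseline` label and the comment on `INITIAL_TTLS`). The prefixes, initial-TTL table, sample packets and baseline are all constructed assumptions.

```python
import ipaddress

# Constructed sample: prefixes an access router routes to its own customers.
CUSTOMER_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("198.51.100.0/24", "203.0.113.0/25")]

# Initial TTLs commonly set by operating systems (assumed table). A sender
# that picks a random starting TTL, the reply's second caveat, defeats this.
INITIAL_TTLS = (64, 128, 255)

def ingress_allowed(src_ip, prefixes=CUSTOMER_PREFIXES):
    """True when a packet entering from the customer side claims a source
    address inside the prefixes routed to that customer."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in prefixes)

def infer_hops(ttl):
    """Estimate (initial_ttl, hops) by assuming the smallest common initial
    TTL that is >= the observed value."""
    for init in INITIAL_TTLS:
        if 0 <= ttl <= init:
            return init, init - ttl
    raise ValueError("TTL must be in 0..255")

def ttl_consistent(observed_ttl, baseline_ttl, tolerance=2):
    """Hop count of a suspect packet vs. a genuine sample from the same source."""
    hops_obs, hops_base = infer_hops(observed_ttl)[1], infer_hops(baseline_ttl)[1]
    return abs(hops_obs - hops_base) <= tolerance

def triage(packets, baseline, prefixes=CUSTOMER_PREFIXES):
    """Label (src_ip, ttl) pairs seen on a customer-facing interface.
    baseline maps src_ip -> TTL taken from traffic known to be genuine."""
    verdicts = []
    for src, ttl in packets:
        if not ingress_allowed(src, prefixes):
            label = "ingress_spoof"   # source outside the customer's own space
        elif src not in baseline:
            label = "no_baseline"     # e.g. DNS answer was cached, nothing to compare
        elif not ttl_consistent(ttl, baseline[src]):
            label = "ttl_mismatch"    # hop count disagrees with the genuine sample
        else:
            label = "ok"
        verdicts.append((src, ttl, label))
    return verdicts

# Constructed sample traffic and baseline.
SAMPLE_PACKETS = [("198.51.100.7", 57), ("192.0.2.9", 120),
                  ("203.0.113.20", 40), ("203.0.113.21", 119)]
SAMPLE_BASELINE = {"198.51.100.7": 58, "203.0.113.21": 61}
```

Calling `triage(SAMPLE_PACKETS, SAMPLE_BASELINE)` labels the four sample packets ok, ingress_spoof, no_baseline and ttl_mismatch in that order.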
This archive was generated by hypermail 2b30 : Wed Sep 18 2002 - 23:21:49 PDT