Re: Blitzkrieg Server -- For Real?!

From: tqbfat_private
Date: Mon May 11 1998 - 22:21:53 PDT

Next message: Rudolf Schreiner: "Re: ODBC"

Previous message: Vin McLellan: "RE: Blitzkrieg Server -- For Real?!"
Maybe in reply to: arager@McGraw-Hill.com: "Blitzkrieg Server -- For Real?!"
Next in thread: David Kennedy CISSP: "Re: Blitzkrieg Server -- For Real?!"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> source IP addresses. Unless _every_ router from the attacker keeps a 
> complete traffic log, _including_ the port/line from which a particular 
> packet was received, it is not possible to trace such a spoof back after 
> the fact. (It is extremely hard to do _while_ it is happening; compare to 

This is not (specifically, in point of technical fact) true. It is
possible for a cooperating path of routers to trace back IP traffic
without logging all of it; I would not expect reasonably reliable (in
terms of ratio of successful traces to failures) to be difficult to
implement if the world agreed on a protocol to do so.

Protocols that allow routers to cooperatively trace back IP packets are
already in development. In order to implement something like this, all you
would need would be some appropriately sized cache of (address, interface)
tuples. Within some window of time, it would be possible to query the
router for the physical interface (or, more likely, the next-hop back)
associated with any given packet received from it.

There are already Perl scripts that (very crudely) force chains of routers
to "cooperate" using their enable passwords and debugging interfaces.

I'm just posting this to clear up any misunderstandings that anyone might
have received about how feasable it is to trace IP traffic; I don't think
we know enough about the subject to say conclusively whether it's
feasable. However, the assumption that persistant logging would be
required to do it probably isn't true.

Of course, this has no bearing whatsoever on that idiotic press
announcement about the "Blitzkrieg" server. No real commercial
organizations with brains enough to retain an attorney would be dumb
enough to design and produce software that launched counterattacks.

-----------------------------------------------------------------------------
Thomas H. Ptacek			     		Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf	 "If you're so special, why aren't you dead?"

Next message: Rudolf Schreiner: "Re: ODBC"
Previous message: Vin McLellan: "RE: Blitzkrieg Server -- For Real?!"
Maybe in reply to: arager@McGraw-Hill.com: "Blitzkrieg Server -- For Real?!"
Next in thread: David Kennedy CISSP: "Re: Blitzkrieg Server -- For Real?!"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:59:05 PDT