> source IP addresses. Unless _every_ router from the attacker keeps a
> complete traffic log, _including_ the port/line from which a particular
> packet was received, it is not possible to trace such a spoof back after
> the fact. (It is extremely hard to do _while_ it is happening; compare to

This is not (specifically, in point of technical fact) true. It is possible
for a cooperating path of routers to trace back IP traffic without logging
all of it; I would not expect reasonably reliable (in terms of ratio of
successful traces to failures) to be difficult to implement if the world
agreed on a protocol to do so. Protocols that allow routers to cooperatively
trace back IP packets are already in development.

In order to implement something like this, all you would need would be some
appropriately sized cache of (address, interface) tuples. Within some window
of time, it would be possible to query the router for the physical interface
(or, more likely, the next-hop back) associated with any given packet
received from it. There are already Perl scripts that (very crudely) force
chains of routers to "cooperate" using their enable passwords and debugging
interfaces.

I'm just posting this to clear up any misunderstandings that anyone might
have received about how feasible it is to trace IP traffic; I don't think we
know enough about the subject to say conclusively whether it's feasible.
However, the assumption that persistent logging would be required to do it
probably isn't true.

Of course, this has no bearing whatsoever on that idiotic press announcement
about the "Blitzkrieg" server. No real commercial organizations with brains
enough to retain an attorney would be dumb enough to design and produce
software that launched counterattacks.

-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf      "If you're so special, why aren't you dead?"
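The cache-based traceback the message sketches, as an added example that is not part of the original post or of any real router implementation: each simulated router keeps a bounded, time-windowed cache of (source address, ingress interface) tuples, and a trace walks the chain of cooperating routers back toward the point where a spoofed packet entered. The router names, interface names, window and capacity values, and the addresses (RFC 5737 and RFC 2544 test ranges) are constructed for the simulation. The example also shows the two ways such a trace fails without persistent logging: the query arrives after the window has expired, or a busy router's bounded cache has already evicted the entry.

```python
# Added example (not from the post): simulated cooperative IP traceback using a
# per-router cache of (source address, ingress interface) tuples. All names,
# addresses and sizes below are constructed for the simulation.
from collections import OrderedDict
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    window: float          # seconds an observation stays queryable (assumed value)
    capacity: int          # bounded cache size; least recently seen entries go first
    # ingress interface -> upstream router feeding it; None marks an edge link
    upstream: dict = field(default_factory=dict)
    cache: OrderedDict = field(default_factory=OrderedDict)

    def observe(self, src_ip, iface, now):
        """Record the interface on which a packet claiming src_ip arrived."""
        self.cache.pop(src_ip, None)            # refresh: move to most-recent end
        self.cache[src_ip] = (iface, now)
        while len(self.cache) > self.capacity:  # evict the least recently seen
            self.cache.popitem(last=False)

    def query(self, src_ip, now):
        """Answer a traceback query: ingress interface for src_ip, if still cached."""
        entry = self.cache.get(src_ip)
        if entry is None:
            return None
        iface, seen = entry
        return iface if now - seen <= self.window else None


def build_topology():
    """Three routers in a line: customer edge R1 -> core R2 -> victim-side R3."""
    r1 = Router("R1", window=60.0, capacity=500, upstream={"eth0": None})
    r2 = Router("R2", window=60.0, capacity=500, upstream={"ge-0/0/2": "R1"})
    r3 = Router("R3", window=60.0, capacity=500, upstream={"ge-0/0/1": "R2"})
    return {r.name: r for r in (r1, r2, r3)}


def forward_packet(routers, hops, src_ip, now):
    """Simulate one packet crossing the chain; hops = [(router, ingress iface), ...]."""
    for name, iface in hops:
        routers[name].observe(src_ip, iface, now)


def traceback(routers, start, src_ip, now):
    """Walk back from the router nearest the victim, querying each hop in turn.

    Returns (path, status): path lists the (router, ingress interface) pairs
    established so far; status is "edge" when the walk reaches a link with no
    cooperating upstream router, "no-record" when a hop's cache has expired or
    evicted the entry, "unknown-interface" when a router has no upstream
    mapping for the interface it reported, or "loop" on a routing loop.
    """
    path, current, visited = [], start, set()
    while current is not None:
        if current in visited:
            return path, "loop"
        visited.add(current)
        router = routers[current]
        iface = router.query(src_ip, now)
        if iface is None:
            return path, "no-record"
        path.append((current, iface))
        if iface not in router.upstream:
            return path, "unknown-interface"
        current = router.upstream[iface]
    return path, "edge"


SPOOFED = "203.0.113.7"          # constructed claimed source (RFC 5737 test range)
ATTACK_PATH = [("R1", "eth0"), ("R2", "ge-0/0/2"), ("R3", "ge-0/0/1")]


def demo():
    """Run one spoofed packet through the chain and trace it under three conditions."""
    routers = build_topology()
    forward_packet(routers, ATTACK_PATH, SPOOFED, now=100.0)
    prompt = traceback(routers, "R3", SPOOFED, now=105.0)    # inside every window
    late = traceback(routers, "R3", SPOOFED, now=1000.0)     # R3's record has expired
    # Flood R2 with unrelated sources (RFC 2544 benchmark range) so its bounded
    # cache evicts the spoofed entry while R3 still remembers it.
    for i in range(600):
        forward_packet(routers, [("R2", "ge-0/0/2")], f"198.18.{i // 256}.{i % 256}", now=106.0)
    evicted = traceback(routers, "R3", SPOOFED, now=110.0)
    return {"prompt": prompt, "late": late, "evicted": evicted}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The prompt trace reaches "edge" at R1's eth0, which is the operator's answer: the spoofed packet entered on that customer link. The late trace returns an empty path because the first hop has already aged the entry out, and the eviction case stops after R3, showing why the cache has to be sized for the traffic a core router actually carries within the query window.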
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:59:05 PDT