[Dshield] Hiding IP's

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Mon Aug 22 08:12:36 GMT 2005


On Sun, 21 Aug 2005 23:58:59 PDT, Brian Dessent said:

> In the context of hiding ones presence on the net for general use
> patterns, it still doesn't really chance the picture since
> 
> - the spoofer gets a unidirectional write-only connection since he does
> not receive any response packets.

True.  I was addressing the specific comment that "anybody saying spoofing is
easy doesn't have clue" - which is dangerously misleading.  For the Windows
example, what *appears* to be a 600K packet SYN flood of the server from 12
sources will yield enough information to have about a 79% chance of success of
one of the 12 sources creating a spoofed connection.

And it's even possible to fly "under the radar" and not look like a SYN flood,
as the requirement is that you be able to make about 50K probes and launch the
attack before the ISN random generator is reseeded, which for many systems
means "before the system rebooots".
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/list/attachments/20050822/ffc5fb4f/attachment.bin


More information about the list mailing list