[unisog] Odd apparant port scan ...
Peter Van Epp
vanepp at sfu.ca
Thu Apr 4 15:57:21 GMT 2002
> Peter - Might this be an example of what Steve Gibson (and I'll agree in
> advance that one does have to liberally take quite a bit of salt
> and anti-hype medicine to wash Steve Gibson down with sometimes)
> calls the "Next Generation DoS", also "Distributed Reflection
> Denial of Service" (DRDoS) attack:
> The idea is a low-impact, flying under the rader --err, um. IDS--
> broad spread of SYN packets to a large number of servers (e.g.
> routers running BGP or web servers on port 80) such that the
> 'SYN/ACK' packets back were all directed and concentrated on a
> hapless victim.
That is a scary thought (and one I hadn't considered). While I agree
Mr Gibson does tend to overhype things, there tends to be at least some fact
(as in this case) underlying the hype so we should consider what he says
and not throw the baby out with the bath water :-)
I was thinking this would fool the less paranoid firewalls (its an
established TCP connection, it must be OK to let it through) and hadn't even
though of a DDOS attack against someone else. The only good parts are my
antispoof filters make sure the packets are signed as originating here for
complaints and argus will let me see what we have been doing in the event of
a complaint but I expect that combination is rare enough that most sites being
DDOSed won't complain to any of the source sites.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
More information about the unisog