
List:       intrusions
Subject:    Re: DRDoS
From:       "Patrick Nolan" <pnolan01 () nycap ! rr ! com>
Date:       2002-03-28 18:20:42

Hi Tom,

The original post Gibson did a while back, which had a copy of his chat with a
"zombie master" who knew the kid that hosed grc off-line, discussed what was then
called a DDoS on grc.com. It was a nice write-up back then. That's what I thought I
was providing a link for ......

It seems to have now become his "reflected" DoS and I wish I never mentioned it
recently, for all the reasons you so rightly enumerate.

Pat

----- Original Message ----- 
From: "Tom Liston" <tliston@premmag.com>
To: <intrusions@incidents.org>
Sent: Thursday, March 28, 2002 1:01 PM
Subject: DRDoS


> Aw heck... I haven't said anything controversial for a while...
> 
> Is it just me, or does anyone else think this DRDoS thing is a 
> bunch of hooey?
> 
> I've looked over this "attack" a number of times and I just don't get 
> it...
> 
> http://grc.com/dos/drdos.htm
> 
> WHY BOTHER DOING THIS?  The "bang for your buck" in this is 
> all wrong... The packets that you generate in this manner aren't 
> right for the type of attack you're trying to achieve.  When you're 
> doing a DoS, you want *BIG* packets, or at least a steady stream 
> of packets of moderate size, and yet this attack will generate only 
> small RST or SYN/ACKs.  The "amplification" effect to this is 
> minimal (nonexistent if the target responds to an inbound with a 
> RST), and it requires that you spoof your source IP.  Well, if I can 
> spoof my source IP, WHY NOT SEND THE PACKETS DIRECTLY? 
> 
> Gibson's "diffusion" argument just doesn't hold water... hasn't he 
> ever heard of a source routed packet? (Besides, the true choke 
> points in his "diffuse" path are still there... source, destination...)
> 
> I've heard too many references to this "attack" on this list, and for 
> the life of me, I just don't see this as being valid.  Can some of the 
> rest of you please read through the description and see if you think 
> that this actually is "real" or if Gibson is off chasing ghosts...
> 
> -TL
> 
> Tom Liston, GSEC
> Network Administrator
> Prem Magnetics, Inc.
> tliston@premmag.com
> tliston@hackbusters.net
> 

