-- Jason Slagle - CCNP - CCDA Network Administrator - Toledo Internet Access - Toledo Ohio - raistlin@tacorp.net - jslagle@toledolink.com - WHOIS JS10172

On Thu, 29 Mar 2001, David Schwartz wrote:
They could do almost exactly the same amount of damage with an unspoofed UDP flood and it would still take a human action to stop it. The attack can still hop from victim to victim until the problem is stopped at its source. The problem still won't get stopped at its source until someone with the ability to stop it is summoned and alerted to the problem.
Odds are, an attacker will use spoofed packets if he can. Potentially spoofed packets will trigger an investigation on my network. An unspoofed UDP flood probably won't (especially if it hops from victim to victim).
So if the attacker uses spoofed packets, he may get cut off at the source (and the problem actually solved) sooner. On the other hand, unspoofed packets will probably trigger a call to the administration of the source network faster. Of course, you don't know that the attack is unspoofed, so you really can't be sure what the source is.
I can argue the converse of this. Unless the attacker is spoofing a static source, I can usually spot a potentially unspoofed attack. Even if he IS using a static spoofed source, it only costs me a little bit to call and see if the packets are indeed coming from the machine in question. If I'm being attacked hard, chances are, I will notice it before you examine your logs, unless like I said you have someone monitoring them 24 hours a day. I will then try to wake up a live body on your end to investigate. If the packets are spoofed, I have to wait for you to examine your logs to potentially stop it, or attempt to get an upstream to do a traceback, which is a long drawn out process. Personally, I prefer to leave the ability to determine the likely source of a non-random attack in my hands, not waiting for you to view your logs. And nothing says I CAN'T log if I deny spoofed packets, therefore catching them when they try spoofed packets before realizing they won't work.

Jason
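As an added example (not part of this thread or anyone's posted code), a Python sketch of the "deny spoofed egress, but log it" approach Jason describes: outbound flows sourced outside our own prefixes are dropped and logged, and the denied log is then summarised per target so a static spoofed source stands out from a randomised one. The prefixes and flow records are constructed sample values.

```python
import ipaddress
from collections import Counter

# Prefixes this network is allowed to originate traffic from (constructed sample values).
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]

# Constructed outbound flow records: (source IP, destination IP, protocol, packet count).
SAMPLE_FLOWS = [
    ("192.0.2.10", "203.0.113.5", "udp", 40),      # legitimate, our address space
    ("192.0.2.11", "203.0.113.9", "tcp", 3),       # legitimate
    ("10.7.7.7", "203.0.113.5", "udp", 5000),      # static spoofed source, flood
    ("10.7.7.7", "203.0.113.5", "udp", 4800),      # same static spoofed source
    ("172.16.3.3", "203.0.113.77", "udp", 120),    # randomised spoofed sources
    ("172.16.9.1", "203.0.113.77", "udp", 115),
    ("100.64.1.1", "203.0.113.77", "udp", 130),
]

def is_spoofed(src):
    """A source we do not originate is, from the egress side, spoofed."""
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in OUR_PREFIXES)

def filter_egress(flows, log):
    """Deny outbound flows with a non-local source; append a log line for each.
    Returns (forwarded_flows, denied_flows)."""
    forwarded, denied = [], []
    for src, dst, proto, pkts in flows:
        if is_spoofed(src):
            log.append(f"DENY egress spoofed src={src} dst={dst} proto={proto} pkts={pkts}")
            denied.append((src, dst, proto, pkts))
        else:
            forwarded.append((src, dst, proto, pkts))
    return forwarded, denied

def characterise_spoofing(denied):
    """Per target: 'static' (one spoofed address, traceable from our own logs)
    or 'random' (many spoofed addresses), plus source and packet counts."""
    by_dst = {}
    for src, dst, _proto, pkts in denied:
        by_dst.setdefault(dst, Counter())[src] += pkts
    report = {}
    for dst, srcs in by_dst.items():
        kind = "static" if len(srcs) == 1 else "random"
        report[dst] = {"kind": kind, "sources": len(srcs),
                       "packets": sum(srcs.values())}
    return report

if __name__ == "__main__":
    log_lines = []
    _fwd, dropped = filter_egress(SAMPLE_FLOWS, log_lines)
    print("\n".join(log_lines))
    print(characterise_spoofing(dropped))
```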