(Again, sorry for the delay responding.) Paul A Vixie writes:
Or better yet, the ICMP TRACEROUTE message, which would go hop by hop and on every hop generates a response message. Augmented with PROXY TRACEROUTE which will cause the destination box to send out the ICMP TRACEROUTE.
This would be bad. Remembering back to the dim prehistory of time, when [...]
I'm very surprised that no one has mentioned what seems to me to be the *really* serious drawback to this scheme. Remember how much grief you had the last time someone did a news sendsys forged to your name? (If it's never happened to you, be glad...) This sort of attack got so bad that the default setup these days is to ignore sendsys. The principle's the same here. What's to stop me from forging TRACEROUTEs which cause many response packets to be sent to my victim for each single packet I send out? I'd have an easy way to multiply my effective bandwidth for simple DoS bandwidth attacks. Even an idiot with a 28.8 modem could wind up doing some serious damage.

/a
---
Alexis Rosen   Owner/Sysadmin, PANIX Public Access Unix & Internet, NYC.
alexis@panix.com
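The reflection-and-amplification problem raised in the message above, modelled as an added example; this is not code from the thread or from any of its participants. It assumes the hop-by-hop semantics as described (every hop that handles a TRACEROUTE answers the request's source address), a fixed 64-byte packet size so that the ratio is simply the number of responding hops, and, as an assumed mitigation that the thread does not discuss, source-address validation at the attacker's first router that drops packets whose source is outside the attacker's own prefix. All addresses and the topology are constructed.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str        # "TRACEROUTE" (the request) or "TRACEROUTE_RESPONSE"
    size: int = 64   # assumed fixed size in bytes; only the ratio matters here


@dataclass(frozen=True)
class Hop:
    addr: str
    # Assumed mitigation (not part of the proposal): if set, this hop only
    # forwards packets whose source address lies inside this prefix, i.e.
    # source-address validation at the attacker's first router.
    accept_src: Optional[str] = None

    def admits(self, pkt: Packet) -> bool:
        if self.accept_src is None:
            return True
        return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.accept_src)


def forward_traceroute(path: list, request: Packet) -> list:
    """Carry one TRACEROUTE request along `path`; the last Hop is the destination.

    Under the proposed semantics every hop that handles the request emits a
    response to the request's source address, whatever that field claims.
    Returns every packet that is actually delivered somewhere."""
    delivered = []
    for i, hop in enumerate(path):
        if not hop.admits(request):
            break                                   # dropped at this hop
        delivered.append(Packet(hop.addr, request.src, "TRACEROUTE_RESPONSE"))
        if i == len(path) - 1:
            delivered.append(request)               # request reaches the destination
    return delivered


def bytes_by_destination(delivered: list) -> Counter:
    """Bytes delivered, keyed by the host that receives them."""
    totals = Counter()
    for pkt in delivered:
        totals[pkt.dst] += pkt.size
    return totals


def amplification_factor(path: list, forged_src: str) -> float:
    """Bytes that land on `forged_src` per byte the attacker sends when the
    attacker writes `forged_src` into the source field of one TRACEROUTE."""
    request = Packet(src=forged_src, dst=path[-1].addr, kind="TRACEROUTE")
    delivered = forward_traceroute(path, request)
    return bytes_by_destination(delivered)[forged_src] / request.size


# Constructed topology (documentation address ranges, not real hosts).
ATTACKER = "198.51.100.7"     # attacker's real address, on 198.51.100.0/24
VICTIM = "192.0.2.5"          # address the attacker forges as the source
DESTINATION = "203.0.113.10"  # where the forged TRACEROUTE is aimed
TRANSIT = ["10.0.%d.1" % n for n in range(1, 8)]  # seven transit routers

UNFILTERED_PATH = [Hop(a) for a in TRANSIT] + [Hop(DESTINATION)]
# Same path, but the first router checks that sources come from the
# attacker's own prefix (the assumed mitigation).
FILTERED_PATH = [Hop(TRANSIT[0], accept_src="198.51.100.0/24")] + \
    [Hop(a) for a in TRANSIT[1:]] + [Hop(DESTINATION)]

if __name__ == "__main__":
    print("unfiltered, forged source:", amplification_factor(UNFILTERED_PATH, VICTIM))
    print("filtered, forged source:  ", amplification_factor(FILTERED_PATH, VICTIM))
    print("filtered, honest source:  ", amplification_factor(FILTERED_PATH, ATTACKER))
```

With eight responding hops the victim receives eight packets for each one the attacker sends, and the factor grows with path length; a longer path toward a far-away destination is a better reflector. The honest case (attacker's own address as source) is unaffected by the filter, which is the point of validating source addresses at the edge rather than rate-limiting the responses themselves.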