On Wed, Feb 09, 2000 at 10:58:00AM -0500, Charles Sprickman wrote:
> So the attacker need only send a few packets to each compromised host to cause extreme amounts of damage.
> How would you track down the attacker? Sure, you could slowly find the compromised hosts and block them. You could even then look for where the ICMP "control" message that starts the thing comes from, but if it's a one-way control channel, the source the attacker sends the control packet from could easily be forged and you could easily miss the one magic 'ping' that starts the thing off...
> The idea of such a tool is scary, and from what I've read about TFN and friends, it seems that they could be modified to work as outlined above. The worst thing about any effective DoS is, in my mind, the lack of an identifiable "attacker".
They do work as above, with encrypted control messages. If you look at some of the code (and then manage to stop laughing) you will find some interesting ways to counteract, trace to the control nodes, and in some cases even immediately kill the daemon on every attacking node. Keep in mind that the people writing these things are doing it with often very little clue, experience, or thought. Most are blindly stabbing at things they do not understand, trying to tweak things and test them out to see if it makes their victim "die any faster", ripping mismatched code from various places (like blowfish code from eggdrop), and creating what will quite possibly be one of the quickest ways to spend a long long long LONG time in jail when they get caught and lawyers and accountants start adding up the "cost" of their distributed fun and games...

-- 
Richard A. Steenbergen <ras@above.net> http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1 (E5 35 10 1D DE 7D 8C A7 09 1C 80 8B AF B9 77 BB)
MFN / AboveNet Communications Inc - ISX Network Engineer, Vienna VA
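The thread describes a one-way, spoofable ICMP control channel that a defender can only catch at the network edge. The following is an added example, not code from the thread or from the tools it discusses: two simple detectors run over constructed ICMP flow records, one for inbound echo replies that no local echo request preceded, one for a single remote source touching many local hosts at once. Record layout, the "in"/"out" direction labels and all addresses are assumptions of the example.

```python
from collections import defaultdict, deque

# Constructed sample records: (seconds, direction, local_host, remote_host, icmp_type).
# direction is "out" (local -> remote) or "in" (remote -> local);
# ICMP type 8 is echo request, type 0 is echo reply.
SAMPLE_RECORDS = [
    (0.0, "out", "10.0.0.5", "192.0.2.10", 8),
    (0.2, "in", "10.0.0.5", "192.0.2.10", 0),      # legitimate reply to our own ping
    (5.0, "in", "10.0.0.7", "198.51.100.77", 0),   # unsolicited reply: no request preceded it
    (5.1, "in", "10.0.0.8", "198.51.100.77", 0),   # same source, another local host
    (5.3, "in", "10.0.0.9", "198.51.100.77", 0),   # and a third within two seconds
    (30.0, "in", "10.0.0.5", "192.0.2.10", 0),     # reply to a request 30s old: outside the window
]

def detect_unsolicited_replies(records, window=10.0):
    """Return inbound echo replies for which the same local host sent no echo
    request to the same remote host within `window` seconds beforehand."""
    last_request = {}  # (local, remote) -> time of most recent outbound request
    hits = []
    for ts, direction, local, remote, itype in sorted(records):
        if direction == "out" and itype == 8:
            last_request[(local, remote)] = ts
        elif direction == "in" and itype == 0:
            req = last_request.get((local, remote))
            if req is None or ts - req > window:
                hits.append((ts, local, remote))
    return hits

def detect_fanout(records, min_hosts=3, window=2.0):
    """Return remote hosts whose inbound ICMP reached at least `min_hosts`
    distinct local hosts within `window` seconds: one (possibly forged)
    source addressing many hosts in a burst."""
    recent = defaultdict(deque)  # remote -> deque of (ts, local) inside the window
    flagged = set()
    for ts, direction, local, remote, itype in sorted(records):
        if direction != "in":
            continue
        dq = recent[remote]
        dq.append((ts, local))
        while dq and ts - dq[0][0] > window:
            dq.popleft()  # drop entries that have aged out of the window
        if len({host for _, host in dq}) >= min_hosts:
            flagged.add(remote)
    return sorted(flagged)

if __name__ == "__main__":
    print(detect_unsolicited_replies(SAMPLE_RECORDS))
    print(detect_fanout(SAMPLE_RECORDS))
```

Neither heuristic identifies the real sender of a forged packet; they only surface the inbound control traffic early enough to block or capture it.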