This is just simplistic, ill-conceived rubbish. There is absolutely no way to guarantee that you are "tracking down" the correct IP or the correct person. How can you possibly rely on the TTL to distinguish the address of the "attacker" among thousands of DNS requests? The TTL can be forged on spoofed packets - and they may come from a completely different source than the attacker itself...

Is it safe to assume an attacker is going to use the generic public smurf.c tool etc.? Is it safe to assume the attacker is going to use traceroute or ping to test if the victim host is alive? Is it safe to assume the attacker won't use blind spoofed IP ID techniques or some other method to test if the victim host is alive? No.

At the beginning of your post you mention "the raw interface to the networking.." - yet you simply ignore or do not realise that the flexibility and multitude of ways to use and abuse TCP/IP makes this whole "art of unspoofing" nothing but presumptuous rubbish that will waste people's time and help them catch none but the most ignorant and useless of attackers. (People this stupid are unlikely to be a danger to your network in the first place.) What's to stop an attacker spoofing DNS lookups and pings from another host in order to incriminate it?

What it comes down to is - it is easy for a semi-intelligent attacker to cause a denial of service attack that is completely untraceable from the target side; grasping at straws like this won't do much good at all except waste a lot of your time.

Euan

eric.prince@cox.net wrote:
> I found this on a site today, thought it might be of some interest:
>
> The Art of Unspoofing
>