Euan said:

> This is just simplistic, ill conceived rubbish.

Don't tell us what you really think...

> There is absolutely no way to guarantee that you are "tracking down"
> the correct IP or the correct person.

You're right. I should have put that in the disclaimer, but we thought that the average person would understand that from the start.

> Is it safe to assume an attacker is going to use the generic public
> smurf.c tool etc, is it safe to assume the attacker is going to use
> traceroute or ping to test if the victim host is alive? Is it safe to
> assume the attacker won't use blind spoofed IP ID techniques or
> some other method to test if the victim host is alive?

No. Is it safe to assume that every attacker has thought out the attack as much as you just have? I'm not sure what type of DoS attacks you've seen impact your network in your days... but from my experience, I can say that at least one of those assumptions has been present in 95% of the DoS attacks I have encountered, but that's just lil ol' me.

> What's to stop an attacker spoofing dns lookups and pings from
> another host in order to incriminate it?

Would your average ./attacker have thought to spoof the dns queries, or randomize the ttl before we wrote this paper? Nope, didn't think so... kthx.

> What it comes down to is - it is easy for a semi-intelligent attacker
> to cause a denial of service attack that is completely untraceable from
> the target side, grasping at straws like this won't do much good at all
> except waste a lot of your time.

What it comes down to is - we realized when we published this article that as soon as the information was known, most if not all the techniques would be obsolete. Knowing this put me in a sticky situation about even disclosing it in the first place. In the end I decided to release it anyways, and I knew its release would get a few well thought out posts like yours.

Sean Trifero
Security Technologies