June 08, 2002 Gibson and DoS Attacks, Ch 2

Last June, I talked about Steve Gibson's article about the distributed denial of service attack against his site. It's an excellent explanation of how these attacks occur, resulting from his investigations into an attack on his own web site. At the end of that article, he warned about the implications of raw sockets in Windows XP, which would allow script kiddies to spoof IP addresses and launch attacks that would be more difficult to deal with than the DDoS attacks he had dealt with.

It seems that his prophecy has come true. He now has a new article about his investigation into a new type of attack against his site that occurred last January. It is called a distributed reflected denial of service attack, or DRDoS. It works by sending an altered SYN packet carrying the IP address of the attack target as its source, instead of the IP address of the sender. The server receiving the altered packet responds by sending a SYN/ACK to the IP address in the SYN packet. This way, the attacking computer stays anonymous, and the unwitting server keeps sending packets to the target computer.
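As an added illustration that is not from Gibson's article or this post, here is the kind of check a target network could run over its own packet records to spot the symptom of a DRDoS: SYN/ACKs arriving from many different servers that answer no SYN the target ever sent. The protected address, the packet tuples and the thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed: the address(es) we defend.
PROTECTED = {"198.51.100.7"}

# Constructed packet records: (timestamp_s, src, dst, tcp_flags),
# flags "S" = SYN, "SA" = SYN/ACK, in time order.
SAMPLE = [
    (0.0, "198.51.100.7", "203.0.113.10", "S"),   # connection we opened ourselves
    (0.1, "203.0.113.10", "198.51.100.7", "SA"),  # its expected answer, not an orphan
    (1.0, "203.0.113.20", "198.51.100.7", "SA"),  # unsolicited: reflector 1
    (1.2, "203.0.113.21", "198.51.100.7", "SA"),  # unsolicited: reflector 2
    (1.5, "203.0.113.22", "198.51.100.7", "SA"),  # unsolicited: reflector 3
    (1.7, "203.0.113.20", "198.51.100.7", "SA"),  # reflector 1 retransmits
]

def orphan_synacks(packets, protected=PROTECTED):
    """Return SYN/ACKs delivered to a protected host that answer no SYN it sent.

    A reflector replies to a SYN forged in the victim's name, so the victim
    receives SYN/ACKs for handshakes it never started. The sender field names
    the reflector, not the attacker, which is why the attacker stays anonymous.
    """
    sent_syn = set()          # (our_host, peer) pairs we genuinely initiated
    orphans = []
    for ts, src, dst, flags in packets:
        if flags == "S" and src in protected:
            sent_syn.add((src, dst))
        elif flags == "SA" and dst in protected and (dst, src) not in sent_syn:
            orphans.append((ts, src, dst))
    return orphans

def reflection_alerts(orphans, window=10.0, min_reflectors=3):
    """Alert per victim when, within `window` seconds, at least
    `min_reflectors` distinct servers each deliver an unsolicited SYN/ACK.
    Many unrelated servers answering at once is what separates reflection
    from a single misbehaving or retransmitting peer."""
    recent = defaultdict(list)    # victim -> [(ts, src)] inside the window
    alerts = {}
    for ts, src, victim in orphans:
        bucket = [(t, s) for t, s in recent[victim] if ts - t <= window]
        bucket.append((ts, src))
        recent[victim] = bucket
        senders = {s for _, s in bucket}
        if len(senders) >= min_reflectors:
            alerts.setdefault(victim, set()).update(senders)
    return {v: sorted(s) for v, s in alerts.items()}

if __name__ == "__main__":
    print(reflection_alerts(orphan_synacks(SAMPLE)))
```

The alert lists the reflectors, which is the right place to start mitigation (rate-limit or block the SYN/ACK sources at the edge); the actual attacker is not visible in these records at all.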

At the end of this article, Gibson repeats his condemnation of Microsoft's decision to include raw sockets in Windows XP. Before this, only computers running Windows 2000 or Linux would be able to launch this kind of attack. Including this capability in a consumer-level OS means that the ability to launch this kind of attack is now in the hands of all of the teenage hackers who like to do this sort of thing.

