You could use some server that has something like SYN cookies or some other kind of method to just establish a connection once the other side has been authenticated as real (Steve Gibson has a page about that exactly (
Posted on 2004-02-10 19:22:08 by GogetaSSJ4
Well, that sadly won't help much either, if the DDoS zombies are just instructed to, for example, download web pages instead of performing simple SYN flooding... DDoS attacks with zombies are really hard to defend against. :( The most efficient way is probably to send the police after the guys running the attack. Can't that guy be traced from his earlier forum posts? If there is a good reason to believe it's him, the police might actually investigate it, and they should be able to pull the logs off the ISP if they want to (well, I guess that depends on which country he's in, but anyway).
Posted on 2004-02-10 20:35:27 by dELTA
There is no computer crime in Russia
Posted on 2004-02-11 20:16:12 by comrade
Or at least no laws against it I suppose. :grin:
Posted on 2004-02-11 20:24:11 by dELTA
time for vigilante justice. :grin:
Posted on 2004-02-11 20:47:11 by arkane
As I understand it, anyone can perform a DoS attack on any site and he will just get away with it? No way to trace him? How can that be possible? I'm not a network guru.
Posted on 2004-02-13 09:43:04 by SolidCode
It is pretty "easy".

The attacker will have a list of computers that he/she compromised in the past and has a remote exploit installed on them -- those are called "zombies" above -- he/she will then instruct the zombies to do the attack against the site.

Attacks will actually be done from those zombies; the attacker can be in a bar dancing with a gorgeous blonde/man or having more fun when the attack actually happens. How to "trace" him/her? Can you read people's minds in bars?

Besides, even IF he does an attack from his own PC with a SYN attack, he will create the packets "manually" with some tools and insert fake IPs into them as the source of the attack. Of course, IF the site under attack has other means of tracing (CIA/NSA/corporations/etc.) they can start tracing it down node by node until they might find his location... but unless this is done at once and by super powerful organizations... there is no other way to get him...

IF he detects the counter trace he can easily unplug and exit the room.

Of course he will never use the same physical location as the PC doing the attack in the first place; a shell account or a remote controlled proxy that is 300 miles away and has a small web cam also ;) will most likely do the trick.

Even if agents bust in.... all they can get is another person's computer and a screen saver with a big smile on it :)

But usually not even the dumb attackers that try this from their PC at home can be found, because nobody has the resources and the time and the will to do this.

And once the logs of the first router/node are exhausted, nobody can prove anything anymore anyway.

And the TCP/IP stack design is so damn stupid and so widely used that it is a piece of cake. Protocols have not been revised/improved since 1950 :D

For example SYN queues are 6 (six) entries large :P even a dial-up on 9600 bps can easily fill that up :grin:
There is no real checking of the IP in packets, and the sequence number generator in the handshaking is a joke...

Some of these issues are somehow resolved by what was presented above (SYN cookies) and firewalls, but the truth is that TCP/IP is a damn overused bad/stupid design.

If I had used it in my own game and/or organization then, well, the hell with it... but it is used all over the world...
Posted on 2004-02-13 11:30:10 by BogdanOntanu
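Added example, not code from anyone in this thread: a minimal SYN-cookie scheme of the kind mentioned above, showing how a server can answer a SYN with a SYN-ACK whose initial sequence number encodes a keyed hash of the 4-tuple, a coarse time counter and an MSS index, so spoofed SYNs consume no queue entries and only a real client (one that actually receives the SYN-ACK) can complete the handshake. The 24-bit HMAC truncation, the MSS table and the `counter` unit (meant as roughly 64-second ticks) are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed per-boot secret; a real stack rotates this periodically.
COOKIE_SECRET = os.urandom(16)
# Assumed MSS menu: 3 bits of the ISN select the largest entry <= client MSS.
MSS_TABLE = (536, 1300, 1440, 1460)
MAX_COOKIE_AGE = 3  # ticks; ACKs older than this are rejected


def _hash24(secret, saddr, sport, daddr, dport, counter):
    """Keyed 24-bit hash binding the cookie to the 4-tuple and time tick."""
    msg = f"{saddr}|{sport}|{daddr}|{dport}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, mss, counter, secret=COOKIE_SECRET):
    """Return the 32-bit ISN for the SYN-ACK. No per-connection state is stored."""
    t = counter & 0x1F                         # 5 bits of time counter
    m = max(i for i, v in enumerate(MSS_TABLE) if v <= mss)  # 3-bit MSS index
    h = _hash24(secret, saddr, sport, daddr, dport, t)        # 24-bit MAC
    return (t << 27) | (m << 24) | h


def check_syn_cookie(ack_seq, saddr, sport, daddr, dport, counter, secret=COOKIE_SECRET):
    """Validate the handshake ACK. Returns the negotiated MSS, or None if bogus."""
    isn = (ack_seq - 1) & 0xFFFFFFFF           # client ACKs ISN + 1
    t = isn >> 27
    m = (isn >> 24) & 0x7
    age = (counter - t) & 0x1F                 # wrap-safe tick difference
    if age > MAX_COOKIE_AGE or m >= len(MSS_TABLE):
        return None
    if not hmac.compare_digest(
        (isn & 0xFFFFFF).to_bytes(3, "big"),
        _hash24(secret, saddr, sport, daddr, dport, t).to_bytes(3, "big"),
    ):
        return None                            # forged or replayed from another tuple
    return MSS_TABLE[m]
```

A flood of SYNs with spoofed sources only costs the server one HMAC each; the half-open queue the post describes as filling up is never touched.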
Bogdan, AFAIK, this attack is not a SYN attack, but DDoS. And even after the team changed domain name (and maybe ISP), the attack still continues.
I wonder, is it possible for such a large-scale operation to be driven by only one man?

Posted on 2004-02-16 19:06:16 by JohnFound