Subject: Re: Distributed denial of service attacks.
To: Steven M. Bellovin <smb@research.att.com>
From: Andrew Brown <atatat@atatdot.net>
List: tech-security
Date: 09/07/2001 23:20:32

>Have you tried traceroute and/or ping?  If you can build or find a 
>tool to emit a hand-built TCP packet on one of these connections, you 
>could learn a lot.  Send a 0-length TCP packet with the immediately-previous
>sequence number, and see what you get back.  If you get back RST, the 
>remote host knows nothing of the connection, and that's suspicious.
>If you get back an ACK, the connection exists but is flow-controlled -- 
>look at the window size in that ACK.

this is a good suggestion, but leads me to ask: how does one typically
"fling an arbitrarily formed packet" at host x?  i've got a few tools
in my toolbox that i've written myself (one with a queer dd-like
syntax that i liked for some reason that day), but is there a generic
tool that works well?

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."
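
The check described in the quoted advice, as an added example that is not part of the original message: it decodes the TCP header of the reply to the 0-length probe and reads it the way the quote suggests (RST, or ACK plus window size). All function names are hypothetical, the sample segments are constructed, and "immediately-previous sequence number" is assumed to mean one less than the next sequence number the local side would send.

```python
import struct

RST, ACK = 0x04, 0x10                    # TCP flag bits (RFC 793)

def probe_seq(snd_nxt: int) -> int:
    """Sequence number for the 0-length probe: one before the next byte we
    would send, wrapping modulo 2**32 (assumed reading of the quoted advice)."""
    return (snd_nxt - 1) & 0xFFFFFFFF

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header at the start of a raw segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _cksum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    if (off_flags >> 12) * 4 < 20:
        raise ValueError("data offset smaller than minimum header")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x3F, "window": window}

def classify_reply(segment: bytes) -> str:
    """Interpret the peer's answer to the probe as the quoted advice does."""
    h = parse_tcp_header(segment)
    if h["flags"] & RST:                 # checked first: RST|ACK is still a reset
        return "no-such-connection"      # peer knows nothing of the connection
    if h["flags"] & ACK:
        # The header field is unscaled, but a zero window is zero at any scale.
        return "flow-controlled" if h["window"] == 0 else "window-open"
    return "unexpected"

def sample_segment(flags: int, window: int) -> bytes:
    """Constructed reply header for the demo (ports, seq and ack are made up)."""
    return struct.pack("!HHIIHHHH", 80, 40000, 1000, 2000,
                       (5 << 12) | flags, window, 0, 0)

if __name__ == "__main__":
    print(hex(probe_seq(0)))             # constructed: next seq has just wrapped
    for flags, win in ((RST, 0), (RST | ACK, 0), (ACK, 0), (ACK, 8192)):
        print(classify_reply(sample_segment(flags, win)))
```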