Web lists-archives.com

Re: Why does Debian allow all incoming traffic by default




Le 21/09/2018 à 20:32, Reco a écrit :

Evil person makes a TCP connection to unprotected host, but forges
source IP. Host sends TCP RST to this forged IP, host acting as a
'reflector' to an attack. And being a bad netizen at the same time.

Evil person takes as many of such hosts as possible - and there goes
your old-fashioned RST DDOS.

What is the attacker's benefit over just sending packets directly to the target with forged source addresses ? Reflection attacks give a benefit for the attacker when the reflection provides some kind of amplification. One example is broadcast ping in a LAN : one single request packet triggers many reply packets. Another example is DNS amplification : a small DNS request triggers a much bigger DNS reply. But TCP RST attack does not provide any amplification, as one SYN packet triggers one RST packet of similar length.