Thought on disconnecting hacked computers


I'm new to this group and hope I'm not in left field...

Looking at my firewall logs, it seems evident that there are many
attempts per hour to exploit vulnerabilities that are blocked by the

It is also pretty obvious what those attacks are (specific ports with
known vulnerabilities etc). The packets presumably originate in hacked
computers acting as zombies.

If the first-hop routers from the machines sending these packets were
"trained" to spot such probes (doesn't seem very hard to do) and
immediately blocked all traffic from the affected machines, it would
prevent other machines from being hacked. The same would work for a
DDOS attack: the best response is also distributed since each router
has only to deal with traffic from a few machines.

Anyone know if such a thing exists or is in the works? If not, is there
a problem with the concept?
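The kind of "trained" first-hop check the post above asks about, as an added example that is not part of the original thread. It reads iptables-style DROP log lines (the sample lines are constructed for this example) and flags a source when its blocked traffic fans out over many distinct hosts and ports, rather than matching a list of "bad" destination ports; the thresholds `min_targets` and `min_hosts` are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of iptables-style DROP log lines (not taken from the
# original post): one host probing many ports on many hosts, one host that
# only retried a web server a few times.
SAMPLE_LOG = """\
Dec  5 10:01:02 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=135
Dec  5 10:01:02 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445
Dec  5 10:01:03 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP DPT=1433
Dec  5 10:01:03 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP DPT=3306
Dec  5 10:01:04 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.13 PROTO=TCP DPT=22
Dec  5 10:01:05 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.14 PROTO=UDP DPT=1434
Dec  5 10:01:06 gw kernel: DROP IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP DPT=80
Dec  5 10:01:07 gw kernel: DROP IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP DPT=80
Dec  5 10:01:08 gw kernel: DROP IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP DPT=443
"""

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")


def parse_drops(text):
    """Return (src, dst, proto, dport) tuples for every line the regex matches."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events


def fanout_by_source(events):
    """Per source: (distinct (host, proto, port) targets, distinct hosts) it hit."""
    targets = defaultdict(set)
    for src, dst, proto, dport in events:
        targets[src].add((dst, proto, dport))
    return {src: (len(t), len({dst for dst, _, _ in t}))
            for src, t in targets.items()}


def flag_probers(events, min_targets=5, min_hosts=2):
    """Sources whose blocked traffic fans out over many targets are treated as probers.

    A host that keeps retrying one closed port (a misconfigured client, a
    legitimate request a signature happened to match) never reaches the
    threshold; that is the reason to score fan-out instead of port signatures.
    Thresholds are illustrative assumptions, not tuned values.
    """
    return sorted(src for src, (n_targets, n_hosts) in fanout_by_source(events).items()
                  if n_targets >= min_targets and n_hosts >= min_hosts)


if __name__ == "__main__":
    print(flag_probers(parse_drops(SAMPLE_LOG)))  # ['203.0.113.7']
```

Running it flags only the host that touched six different ports on five different machines; the host that retried ports 80 and 443 on one server is left alone. That is the trade-off the follow-up replies raise: a fan-out rule has fewer false positives than a port signature, but a slow scanner that stays under the threshold is missed, and a spoofed source address (see below in the thread) can still be used to get an innocent machine quarantined.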

Re: Thought on disconnecting hacked computers


The problem is the likelihood of one man's attack signature match
being another man's legitimate traffic. And then the process for
someone to say, hey my http request isn't working, etc etc. Currency
of the attack signatures, and all that.

It would be great if ISP's were to implement such measures, but it
could also be a nightmare for users in the event of errant signatures
creeping in that represent legit traffic.

hell, I have a hard enough time telling my cable modem provider's
level 1 goons that their DNS servers are down, for instance.  Imagine
if I had to explain "it appears my legitimate URL request of [blah] is
being swallowed by your router's attack filters."  Imagine how many
times they'd have me unplug and replug my cable modem's power?

Todd H. /

Re: Thought on disconnecting hacked computers

True, it would have to be done at the first hop router, where a lot of
random probes from one machine are pretty suspicious. But it would be an
arms race, sort of like fighting SPAM.

A related concern I thought of after I posted: it would give another
way to a denial of service. In the case of a probe someone wants the
packet back so the return address is probably real (a hacked machine),
but if one can forge addresses then one could pretend traffic was from
a given machine to get it disconnected.

I guess it isn't so simple :(

The first hop router seems to be key in DDOS. I know that all machines
using me as their portal to the Internet must have certain IP
addresses. I should be able to figure out if a packet has a faked
address. If I know what machine is sending the packet, I can kick it off
the net, and there can't be any legitimate reason for sending a packet
with a spoofed address.

Re: Thought on disconnecting hacked computers

On 5 Dec 2005, in the Usenet newsgroup, in article


See my response in the thread 'Attacker motivation'


For TCP, address spoofing is a lot harder, but depending on the goal, not
totally impossible. On the other hand, a significant amount of UDP (windoze
messenger spam) seems to have false source addresses.  While hard to prove,
a log check over a week in early November showed three percent of such
messenger spam claimed to come from IP address ranges still reserved by
IANA, such as and


Never is.

See RFC2827 and RFC3704 - although both deal with Ingress filtering
You also assume that the owner of that first hop router desires to
prevent spoofing. I suspect this may be open to question.

       Old guy
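Two things from this thread fit one worked example: the first-hop check the earlier poster describes (a packet whose source address does not belong to the interface it arrived on is spoofed) and the log check in the last post (how much traffic claims to come from address space that should never appear as a source). The code below is an added example, not from any of the posts; the interfaces, assigned prefixes, packet list and bogon list are constructed for illustration, and the bogon list is deliberately limited to permanently special-use ranges rather than the 2005 IANA-reserved /8s the post refers to.

```python
import ipaddress

# Constructed topology for the example (not from the original post): the
# prefixes assigned to each customer-facing interface on the first-hop router.
CUSTOMER_PREFIXES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/25")],
    "eth2": [ipaddress.ip_network("192.0.2.128/25"),
             ipaddress.ip_network("198.51.100.0/24")],
}

# Source ranges that have no business on the public Internet. Illustrative
# only: RFC 1918 space, loopback, link-local, "this network", class D/E.
# In 2005 the unallocated /8s still reserved by IANA belonged here too; a
# bogon list has to be refreshed as allocations change or it starts dropping
# real customers.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def classify_source(iface, src):
    """Ingress-filter verdict for a packet arriving on iface with source src.

    This is the strict form of RFC 2827 filtering: the source must lie in a
    prefix assigned to the arrival interface.
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGONS):
        return "bogon"
    assigned = CUSTOMER_PREFIXES.get(iface)
    if assigned is None:
        return "unknown-interface"
    if any(addr in net for net in assigned):
        return "ok"
    return "spoofed"


def ingress_filter(packets):
    """Split (iface, src, dst) packets into (forwarded, dropped), each tagged with its verdict."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        verdict = classify_source(iface, src)
        (forwarded if verdict == "ok" else dropped).append((iface, src, dst, verdict))
    return forwarded, dropped


def bogon_fraction(sources):
    """Share of logged source addresses inside a bogon range (the last post's log check)."""
    if not sources:
        return 0.0
    hits = sum(any(ipaddress.ip_address(s) in net for net in BOGONS) for s in sources)
    return hits / len(sources)


# Constructed packets: (arrival interface, source, destination).
SAMPLE_PACKETS = [
    ("eth1", "192.0.2.5",    "203.0.113.80"),  # real customer on eth1
    ("eth1", "192.0.2.200",  "203.0.113.80"),  # eth2's prefix arriving on eth1: spoofed
    ("eth2", "198.51.100.9", "203.0.113.80"),  # real customer on eth2
    ("eth2", "10.0.0.4",     "203.0.113.80"),  # private source: bogon
    ("eth1", "203.0.113.9",  "203.0.113.80"),  # someone else's address entirely
]

if __name__ == "__main__":
    ok, bad = ingress_filter(SAMPLE_PACKETS)
    for pkt in bad:
        print("drop", pkt)
    print("bogon share of sample sources:",
          bogon_fraction([src for _, src, _ in SAMPLE_PACKETS]))
```

Two caveats a practitioner would add to the earlier poster's "there can't be any legitimate reason for a spoofed address". Strict per-interface checking is exactly what breaks for a multihomed customer whose return path is asymmetric, which is why RFC 3704 describes looser variants (accept any source the router has a route for, rather than only sources routed back out the arrival interface); and the filter only helps if it runs at the edge, since a core router cannot tell which of its many downstream prefixes a source "should" have come from. The last post's remaining point stands regardless: the operator of that first-hop router has to want to deploy it.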
