Re: Deny IP spoof from 255.255.255.255

From: Crist Clark (crist.clarkat_private)
Date: Fri Jul 06 2001 - 13:49:06 PDT

  • Next message: Gossi The Dog: "Advanced IIS unicode scanning?"

    Vitaly Osipov wrote:
    > 
    > this is a sample of your packet:
    > 
    > #(1 - 29543) [2001-06-19 01:34:54] [arachNIDS/203]  BACKDOOR Q access
    > IPv4: 255.255.255.255 -> x.x.x.x
    >       hlen=5 TOS=0 dlen=43 ID=0 flags=0 offset=0 TTL=13 chksum=45614
    > TCP:  port=31337 -> dport: 515  flags=***A*R** seq=0
    >       ack=0 off=5 res=0 win=0 urp=0 chksum=25942
    > Payload:  length = 3
    > 
    > 000 : 63 6B 6F                                          cko
    
    Yeah, those are the RST ones. They crack me up even more than the
    more common SYN ones. In order for the RST ones to do anything, 
    the victim must not only respond to a packet with the broadcast
    address as the source, but it would have to respond to a RST which
    any sane TCP implementation will never, ever, ever do.
    
    I see a lot more of the SYN ones. They look like,
    
      17:22:40.938837 255.255.255.255.31337 > AAA.BBB.CC4.192.515: S 100:100(0) win 512 (ttl 242, id 62128)
      03:16:51.069740 255.255.255.255.31337 > AAA.BBB.CC5.161.515: S 100:100(0) win 512 (ttl 242, id 62128)
    
    Note the TCP sequence number and IP ID. They are always the same. (These 
    two just happen to have the same TTL, but I get a distribution).
    -- 
    Crist J. Clark                                Network Security Engineer
    crist.clarkat_private                    Globalstar, L.P.
    (408) 933-4387                                FAX: (408) 933-4926
    
    The information contained in this e-mail message is confidential,
    intended only for the use of the individual or entity named above.  If
    the reader of this e-mail is not the intended recipient, or the employee
    or agent responsible to deliver it to the intended recipient, you are
    hereby notified that any review, dissemination, distribution or copying
    of this communication is strictly prohibited.  If you have received this
    e-mail in error, please contact postmasterat_private
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sat Jul 07 2001 - 10:18:44 PDT