Re: Attacking every host in the path?

From: Bugtraq Mailing Lists (bugtraqat_private)
Date: Tue Jan 08 2002 - 22:01:41 PST


    Mike,
    	It is very possible that the attacker has run traceroute to a host
    on your network, attacking your routers in its path, and your upstream
    router, including the border router. There isn't much of another way to
    figure out your network without using a traceroute. You can block
    traceroute coming in from the Internet on your border router. In such a
    case, the border router will stop traceroutes from going into your network
    with !X or !A ICMP messages (ICMP protocol-prohibited, etc.). The only
    information the attacker will have after that is basically the IP of your
    border router and the destination host he originally attacked. Or if you
    disable ICMP type time-exceeded altogether on the border router, the only
    IP that will show up is the destination host in traceroute.
    
    That may be one way the attacker might have used. The other way is,
    the attacker may have looked up your IP address in ARIN whois, and attacked
    the whole IP block that you might own.
    
    Hope this helps
    
    --haesu
    
    On Tue, 8 Jan 2002, Mike Lewinski wrote:
    
    > Are there any known tools for generating attacks against every host in a
    > given path?
    >
    > We have a client who has been attacked directly by IP address several times.
    > Working with our peers we have null routed the target when the attacks were
    > too large or had too many forged source addresses to otherwise defend.
    >
    > Today the attackers began targeting our infrastructure, and it was noticed
    > when the border router reported "remote RSHELL attempts" against it to
    > syslog. I suspect that this was due to random destination ports in the
    > attack. Most of the source hosts were obviously bogus, but we haven't ruled
    > out the attack as cover for intrusion attempts. But there were clearly
    > packet floods against upstream routers several hops from the destination,
    > and our peer noticed activity that appeared to be aimed at them as well.
    >
    > I'm aware that this could be a slightly clever individual who understands
    > traceroute, but wonder if we're not seeing some new script kiddie tool.
    >
    > Mike
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 08:22:49 PST
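
The reply gives two explanations for the targeting: hops learned from a traceroute, or the whole block found in whois. The following added example (not part of the original thread) is one way a defender could check which explanation fits the destination addresses seen in flow logs or syslog. All addresses are constructed documentation-range values, and the function and variable names are hypothetical.

```python
import ipaddress

def classify_targets(targets, path_hops, allocation, victim):
    """Decide whether attacked IPs look path-derived or block-derived.

    targets    -- destination IPs observed in the flood (flow logs, syslog)
    path_hops  -- router IPs on the path toward the original victim
    allocation -- CIDR block registered to the organisation in whois
    victim     -- the originally attacked host (explained by both theories)
    """
    net = ipaddress.ip_network(allocation)
    hops = {ipaddress.ip_address(h) for h in path_hops}
    seen = {ipaddress.ip_address(t) for t in targets}
    seen.discard(ipaddress.ip_address(victim))

    # On the path but outside our block (upstream/peer routers):
    # a whois lookup of our allocation cannot explain these.
    upstream_hits = {t for t in seen if t in hops and t not in net}
    # Inside our block but not on the path: a traceroute toward the
    # victim cannot explain these.
    off_path_hits = {t for t in seen if t in net and t not in hops}

    if upstream_hits and off_path_hits:
        verdict = "mixed"
    elif upstream_hits:
        verdict = "path"
    elif off_path_hits:
        verdict = "block"
    else:
        verdict = "inconclusive"  # e.g. only the border router was hit
    return {
        "verdict": verdict,
        "upstream_hits": [str(a) for a in sorted(upstream_hits)],
        "off_path_hits": [str(a) for a in sorted(off_path_hits)],
    }

# Constructed sample data (RFC 5737 documentation ranges).
ALLOCATION = "203.0.113.0/24"
VICTIM = "203.0.113.25"
PATH_HOPS = ["198.51.100.1", "198.51.100.9", "203.0.113.1"]  # peer, upstream, border
FLOOD_A = ["203.0.113.25", "203.0.113.1", "198.51.100.9", "198.51.100.1"]
FLOOD_B = ["203.0.113.25", "203.0.113.1", "203.0.113.40", "203.0.113.77"]

if __name__ == "__main__":
    for name, flood in (("A", FLOOD_A), ("B", FLOOD_B)):
        print(name, classify_targets(flood, PATH_HOPS, ALLOCATION, VICTIM))
```
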