> Mike,
> It is very possible that the attacker has run traceroute to a host
> on your network, attacking your routers in its path, and your upstream
> router, including the border router. There isn't much of another way to
> figure out your network without using a traceroute. You can block
> traceroute coming in from the Internet on your border router. In such a
> case, the border router will stop traceroutes from going into your network
> with !X or !A icmp messages (Icmp protocol-prohibited, etc). The only
> information the attacker will have after that is basically the IP of your
> border router and the destination host he originally attacked. Or if you
> disable icmp type time-exceeded altogether on the border router, the only
> IP that will show up is the destination host in traceroute.
>
> That may be one way the attacker might have used. The other way is, the
> attacker may have looked up your IP address in ARIN whois, and attacked
> the whole IP block that you might own.
>
> Hope this helps
>
> --haesu
>

Also, zone transfers can provide a list of machines within a domain (host -l xyz.com). Another route the attacker might have taken to get a list of machines from the network in question is to abuse the SNMP setup which might be in place.

Personally I think that it is most likely that the attacker did a zone transfer, or as mentioned above, got the information from public databases such as RIPE, ARIN, APNIC, etc.

--
Jamie

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
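
Jamie's point about zone transfers, seen from the defending side: the following is an added example (not part of either message) that audits a BIND-style `named.conf` for served zones whose `allow-transfer` is missing or set to `any`. The sample configuration is constructed, treating a missing `allow-transfer` as unrestricted is an assumption about the server's default, and views and nested ACL braces are not handled.

```python
import re

# Constructed named.conf fragment for the demo; not from the original post.
SAMPLE_CONF = '''
options { directory "/var/named"; };
acl "secondaries" { 192.0.2.53; };
zone "example.com" { type master; file "example.com.db";
    allow-transfer { secondaries; }; };
zone "example.net" { type master; file "example.net.db"; };
zone "example.org" { type master; file "example.org.db";
    allow-transfer { any; }; };
zone "." { type hint; file "named.ca"; };
'''

def block_after(text, start):
    """Return the contents of the first balanced { } block at or after start."""
    open_at = text.index('{', start)
    depth = 0
    for i in range(open_at, len(text)):
        depth += {'{': 1, '}': -1}.get(text[i], 0)
        if depth == 0:
            return text[open_at + 1:i]
    raise ValueError('unbalanced braces in configuration')

def transfer_acl(block):
    """Return the allow-transfer entries in a block, or None if it has none."""
    m = re.search(r'\ballow-transfer\s*\{([^}]*)\}', block)
    return None if m is None else [e.strip() for e in m.group(1).split(';') if e.strip()]

def audit(conf):
    """Map zone name -> reason, for served zones whose transfers are unrestricted."""
    # Strip /* */, // and # comments (assumes none occur inside quoted strings).
    conf = re.sub(r'/\*.*?\*/|(//|#)[^\n]*', '', conf, flags=re.S)
    opts = re.search(r'\boptions\s*\{', conf)
    global_acl = transfer_acl(block_after(conf, opts.start())) if opts else None
    findings = {}
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', conf):
        body = block_after(conf, m.start())
        if not re.search(r'\btype\s+(master|primary|slave|secondary)\s*;', body):
            continue  # hint, forward, stub etc. zones are not audited here
        acl = transfer_acl(body)
        acl = global_acl if acl is None else acl  # inherit the options-level setting
        if acl is None:  # assumption: no setting anywhere means unrestricted
            findings[m.group(1)] = 'no allow-transfer configured'
        elif 'any' in acl:
            findings[m.group(1)] = 'allow-transfer includes any'
    return findings

if __name__ == '__main__':
    print(audit(SAMPLE_CONF))
```
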
This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 14:13:18 PST