Re: Attacking every host in the path?

From: Gamble (a629wat_private)
Date: Wed Jan 09 2002 - 10:20:13 PST


    > Mike,
    > 	It is very possible that the attacker has run traceroute to a host
    > on your network, attacking your routers in its path, and your upstream
    > router, including the border router. There isn't much of another way to
    > figure out your network without using a traceroute. You can block
    > traceroute coming in from the Internet on your border router. In such
    > a case, the border router will stop traceroutes from going into your network
    > with !X or !A ICMP messages (ICMP protocol-prohibited, etc). The only
    > information the attacker will have after that is basically the IP of your
    > border router and the destination host he originally attacked. Or if you
    > disable icmp type time-exceeded altogether on the border router, the only
    > IP that will show up is the destination host in traceroute.
    > 
    > That may be one way the attacker might have used. The other way is that
    > the attacker may have looked up your IP address in ARIN whois, and attacked
    > the whole IP block that you might own.
    > 
    > Hope this helps
    > 
    > --haesu
    > 
    
    
    Also, zone transfers can provide a list of machines within a domain 
    (host -l xyz.com).  Another route the attacker might have taken to get 
    a list of machines from the network in question, is to abuse the SNMP
    setup which might be in place.  
    
    Personally I think that it is most likely that the attacker did a zone
    transfer, or as mentioned above, got the information from public databases
    such as RIPE, ARIN, APNIC, etc.
    
    -- Jamie
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
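
An added example, not part of the original thread: one way to check whether a zone transfer like the one suggested above actually happened is to scan the name server's log for AXFR requests from hosts that are not your secondaries. The log lines are constructed samples modelled on BIND 9 `named` transfer messages, and the secondary address and zone names are placeholder assumptions.

```python
import ipaddress
import re

# Assumption: the only hosts that should ever pull the zone (placeholder address).
ALLOWED_SECONDARIES = [ipaddress.ip_network("192.0.2.53/32")]

# Constructed sample lines modelled on BIND 9 named transfer log messages.
SAMPLE_LOG = """\
09-Jan-2002 10:01:12.101 client 192.0.2.53#40112: transfer of 'example.com/IN': AXFR started
09-Jan-2002 10:04:45.330 client 198.51.100.7#1044: transfer of 'example.com/IN': AXFR started
09-Jan-2002 10:04:46.002 client 198.51.100.7#1045: zone transfer 'example.net/AXFR/IN' denied
09-Jan-2002 10:05:00.500 client 203.0.113.9#2211: query: www.example.com IN A
"""

# Common prefix: "client [@0x...] <ip>#<port> [(name)]: "
CLIENT = r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
STARTED = re.compile(CLIENT + r"transfer of '(?P<zone>[^/']+)/IN': AXFR started")
DENIED = re.compile(CLIENT + r"zone transfer '(?P<zone>[^/']+)/AXFR/IN' denied")


def is_allowed(ip):
    """True if the client address belongs to a configured secondary."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SECONDARIES)


def find_transfer_events(log_text):
    """Return (ip, zone, outcome) for each AXFR attempt from a non-secondary."""
    events = []
    for line in log_text.splitlines():
        for pattern, outcome in ((STARTED, "served"), (DENIED, "denied")):
            match = pattern.search(line)
            if match and not is_allowed(match.group("ip")):
                events.append((match.group("ip"), match.group("zone"), outcome))
    return events


def summarize(events):
    """Group zones by source; 'served' means the host list was disclosed."""
    summary = {}
    for ip, zone, outcome in events:
        summary.setdefault(ip, {"served": set(), "denied": set()})[outcome].add(zone)
    return summary


if __name__ == "__main__":
    for ip, zones in summarize(find_transfer_events(SAMPLE_LOG)).items():
        print(ip, "served:", sorted(zones["served"]), "denied:", sorted(zones["denied"]))
```

A "served" entry means the server handed the full zone to an outside host, so its transfer ACL needs restricting to the secondaries.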
    



    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 14:13:18 PST