spoofed packets to RFC 1918 addresses

From: Dirk Koopman (djkat_private)
Date: Wed Jun 26 2002 - 08:48:51 PDT

    There seems to be a "tool" about, which is somehow able to
    detect valid rfc1918 addresses behind a NATed firewall and is spoofing
    from addresses using random (usually non-existent) addresses from the
    class C on the internet side of that firewall.
    
    It isn't doing them any good as the packets are being dumped before they
    get to the 'visible' class C (as I am making sure that packets from that
    class C emanate only from the interface attached to that class C). 
    
    However, I am interested to know:
    
    a) how the attackers are able to "guess" correct (i.e. existing) rfc1918
    addresses as, AFAIK, these are not being leaked thru the firewall.  
    
    b) how these packets are getting to me in the first place as they don't
    seem to be source routed. 
    
    c) which "tool" is doing this anyway.
    
    Regards
    
    Dirk Koopman
    -- 
    Please Note: Some Quantum Physics Theories Suggest That When the 
    Consumer Is Not Directly Observing This Product, It May Cease to 
    Exist or Will Exist Only in a Vague and Undetermined State.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
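
The anti-spoofing check described in the message (a source address in the visible class C is accepted only on the interface attached to that class C), as an added example that is not part of the original post. The interface names, the 192.0.2.0/24 stand-in for the class C, the 10.0.0.0/8 inside network and the sample records are assumptions constructed for illustration; the tally of targeted RFC 1918 destinations goes slightly beyond the post and is the data one would want when looking at question (a).

```python
import ipaddress
from collections import Counter

# Assumed topology (hypothetical names, documentation addresses):
# interface -> networks whose addresses may legitimately appear as a source there.
IFACE_NETS = {
    "dmz0": [ipaddress.ip_network("192.0.2.0/24")],  # the 'visible' class C
    "int0": [ipaddress.ip_network("10.0.0.0/8")],    # NATed inside network
}
EXTERNAL = "ext0"  # Internet-facing interface (hypothetical name)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(iface, src, dst):
    """Return the anti-spoofing findings for one packet (empty list = pass)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    findings = []
    # A source that belongs to a network behind a *different* interface is spoofed.
    for owner, nets in IFACE_NETS.items():
        if owner != iface and any(src_ip in n for n in nets):
            findings.append(f"src-belongs-to-{owner}")
    # Private destinations should never arrive from the Internet side.
    if iface == EXTERNAL and any(dst_ip in n for n in RFC1918):
        findings.append("rfc1918-dst-on-external")
    return findings

def summarize(records):
    """Return (dropped packets with findings, tally of targeted RFC 1918 dsts)."""
    dropped, targets = [], Counter()
    for iface, src, dst in records:
        findings = classify(iface, src, dst)
        if findings:
            dropped.append((iface, src, dst, findings))
            if "rfc1918-dst-on-external" in findings:
                targets[dst] += 1
    return dropped, targets

# Constructed sample records: (arrival interface, source, destination)
SAMPLE = [
    ("ext0", "192.0.2.77", "10.1.1.5"),      # pattern described in the post
    ("ext0", "192.0.2.201", "10.1.1.5"),
    ("ext0", "198.51.100.9", "192.0.2.10"),  # ordinary inbound to the class C
    ("dmz0", "192.0.2.10", "198.51.100.9"),  # ordinary reply from the class C
    ("ext0", "192.0.2.13", "10.1.1.9"),
]

if __name__ == "__main__":
    dropped, targets = summarize(SAMPLE)
    print(len(dropped), "dropped;", targets.most_common())
```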