Dirk, I'm not aware of such a tool, but there has been at least one bug in IIS that allowed someone to obtain the actual address used by a server, so there may be other ways to obtain this information not generally known. However, if the packets have a destination address in the RFC1918 space, I think you can conclude that they are in fact originating from the segment on the outside of your firewall. Unless something is seriously fubar'd on your router _and_ your upstream ISP's router, there's no way short of source routing to have packets with destination addresses in those ranges get to your network from the Internet. I would suspect either a misconfiguration of something on the outside of your firewall or a compromise of something on the outside of your firewall. Probably time to do some investigating of whatever devices you have on the outside. I'd also start looking at the source MAC of the packets and see what ports on your switch are seeing that source MAC. HTH, Kent -----Original Message----- From: Dirk Koopman [mailto:djkat_private] Sent: Wednesday, June 26, 2002 8:49 AM To: Incidents Mailing List Subject: spoofed packets to RFC 1918 addresses There seems to be a "tool" about, which is somehow able to detect valid rfc1918 addresses behind a NATed firewall and is spoofing from addresses using random (usually non-existant) addresses from the class C on the internet side of that firewall. It isn't doing them any good as the packets are being dumped before they get to the 'visible' class C (as I am making sure that packets from that class C emanate only from the interface attached to that class C). However, I am interested to know: a) how the attackers are able to "guess" correct (ie existing) rfc1918 addresses as, AFAIK, these are not being leaked thru the firewall. b) how these packets are getting to me in the first place as they don't seem to be source routed. c) which "tool" is doing this anyway. Regards Dirk Koopman -- Please Note: Some Quantum Physics Theories Suggest That When the Consumer Is Not Directly Observing This Product, It May Cease to Exist or Will Exist Only in a Vague and Undetermined State. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jun 27 2002 - 09:58:12 PDT