Dirk Koopman wrote:

> a) how the attackers are able to "guess" correct (ie existing) rfc1918
> addresses as, AFAIK, these are not being leaked thru the firewall.

There are at least two possibilities that spring to mind:

- if you are using a web proxy for your protected network(s), the proxy may be adding an X-Forwarded-For field containing the rfc1918 address. Other protocols might provide the same kind of information as well.

- in some cases, the firewall may leak information about the protected network if there is some DNAT set up (and in particular, the recent advisory named "Linux Netfilter NAT/ICMP code information leak" by Philippe Biondi).

> b) how these packets are getting to me in the first place as they don't
> seem to be source routed.

That's the real catch. I think a number of ISPs don't filter rfc1918 addresses within their domains, letting BGP4 make sure they don't get routed outside instead. So, theoretically, a spoofed packet could make its way to a target not too far away (eg, within the same AS). I don't know of any automated tools that would do that, but building one using antirez's hping, for instance, shouldn't be too hard.

HTH,

Daniel.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
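The two points in Daniel's reply (an outbound proxy leaking internal addresses through X-Forwarded-For, and spoofed RFC 1918 sources arriving from the Internet because an upstream ISP does no ingress filtering) each suggest a simple check. The script below is an added example written for this archive page, not code from either poster. It parses the X-Forwarded-For hop chain for RFC 1918 addresses, and scans firewall log lines for packets that entered on the external interface with an RFC 1918 source. The iptables-style log format, the interface names (eth0 external, eth1 internal) and all sample data are constructed assumptions for the example.

```python
"""Added example (not part of the original list message): two checks that
follow from the reply above.  (1) Find RFC 1918 addresses leaked in an
X-Forwarded-For header added by an outbound proxy.  (2) Flag packets that
arrive on the *external* interface with an RFC 1918 source address, which
should never happen if the upstream network filters spoofed sources.
The log format, interface names and sample data are constructed for this
example and are not taken from the original post.
"""
import ipaddress
import re

# The three RFC 1918 private address blocks.
RFC1918 = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def is_rfc1918(addr: str) -> bool:
    """True if addr parses as an IPv4 address inside one of the RFC 1918 blocks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918)


def leaked_private_hops(x_forwarded_for: str) -> list:
    """X-Forwarded-For is a comma-separated chain: client, proxy1, proxy2, ...
    Return every hop that is an RFC 1918 address, i.e. internal addressing
    that the proxy has exposed to the remote server."""
    return [hop.strip() for hop in x_forwarded_for.split(",") if is_rfc1918(hop)]


# Simplified iptables-style log line (assumed format): "IN=<iface> ... SRC=<ip> DST=<ip> ...".
LOG_RE = re.compile(r"IN=(?P<iface>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)")


def spoofed_private_sources(log_lines, external_ifaces=("eth0",)) -> list:
    """Return (src, dst) for every packet that entered on an external interface
    with an RFC 1918 source.  Such packets cannot be legitimate Internet
    traffic: they are either spoofed or evidence that a neighbouring network
    is not filtering private source addresses on egress."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        if m["iface"] in external_ifaces and is_rfc1918(m["src"]):
            hits.append((m["src"], m["dst"]))
    return hits


# Sample data, constructed for this example.  203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for public addresses.
SAMPLE_XFF = "192.168.1.23, 10.0.0.5, 203.0.113.9"
SAMPLE_LOG = [
    "IN=eth0 OUT= MAC=... SRC=10.1.2.3 DST=203.0.113.10 PROTO=TCP SPT=1234 DPT=80",
    "IN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=4444 DPT=22",
    "IN=eth1 OUT= MAC=... SRC=192.168.1.23 DST=203.0.113.10 PROTO=TCP SPT=5555 DPT=80",
    "IN=eth0 OUT= MAC=... SRC=172.31.255.1 DST=203.0.113.11 PROTO=UDP SPT=53 DPT=53",
]

if __name__ == "__main__":
    print("leaked via X-Forwarded-For:", leaked_private_hops(SAMPLE_XFF))
    print("private sources on external iface:", spoofed_private_sources(SAMPLE_LOG))
```

The third sample line (a private source on the internal interface eth1) is deliberately not flagged: private sources are normal there, and the whole point of the check is the interface they arrived on, not the address alone. The same "private source on the outside interface" rule is what an ingress filter at the border would drop; logging instead of dropping is what lets you see the probes the original poster was asking about.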
This archive was generated by hypermail 2b30 : Thu Jun 27 2002 - 10:05:49 PDT