RE: Odd scans and stuff bouncing off firewalls

From: Greg A. Woods (woodsat_private)
Date: Tue Aug 13 2002 - 12:01:36 PDT

    [ On Tuesday, August 13, 2002 at 09:57:33 (-0700), Steve Vawter wrote: ]
    > Subject: RE: Odd scans and stuff bouncing off firewalls
    >
    > Another reason (other than using the numbers for cash) that I can see is 
    > that they might better help decipher where an attack that made it 
    > through the filters came from. If you only have the few packets that 
    > made it through to use to backtrack to an attacker, it may be harder to 
    > find them.
    > 
    > But, of course, without the right data filters, finding the pattern in 
    > the chaos is near impossible sometimes...
    
    The "normal chaos" is only part of the problem.  A well executed attack
    may very well re/mis-direct your response to exactly the wrong source,
    giving the real attacker even more time to disappear into the wires....
    
    Unless the suspected source happens to have logged the very same traffic
    (or the attacker is just asking to get caught) then it's still in this
    day and age impossible to use source addresses and other such indicators
    as any even remotely reliable means of identifying the source of any real
    attack.
    
    -- 
    								Greg A. Woods
    
    +1 416 218-0098;            <g.a.woodsat_private>;           <woodsat_private>
    Planix, Inc. <woodsat_private>; VE3TCP; Secrets of the Weird <woodsat_private>
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Aug 13 2002 - 12:59:22 PDT