Hiding IP addresses in trace data

From: John Kristoff (jtkat_private)
Date: Mon Oct 21 2002 - 07:55:12 PDT

Next message: Steven Lee: "Invalid IP address"

Previous message: H C: "Re: W2K Compromise - PipeCmdSrv"
In reply to: Wisniewski, Michael: "a different, stranger port 137 activity"
Next in thread: Jose Nazario: "Re: Hiding IP addresses in trace data"
Reply: Jose Nazario: "Re: Hiding IP addresses in trace data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Too often it seems that people are attempting to hide their IP address
by masking the obvious dotted decimal notated number in various trace
data. If you really care about not disclosing your IP address, be sure
to also mask the hex data in the traces you send to public lists like
this one.

...and hiding only two octets is not enough as long as the IP checksum
remains in the trace data.

John

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Steven Lee: "Invalid IP address"
Previous message: H C: "Re: W2K Compromise - PipeCmdSrv"
In reply to: Wisniewski, Michael: "a different, stranger port 137 activity"
Next in thread: Jose Nazario: "Re: Hiding IP addresses in trace data"
Reply: Jose Nazario: "Re: Hiding IP addresses in trace data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Oct 21 2002 - 15:51:30 PDT