Richard Ginski wrote Thursday, June 19, 2003 11:56 AM
> Some additional info. The mention of "Day 0" might be of concern.
>
> http://www.eweek.com/article2/0,3959,1130765,00.asp

This article begs some questions: Where is "Day 0" coded into the packets? If it is there, it is interesting as a clue to the meaning of the rest of the packets. As ominous as it sounds, I don't read too much meaning into the phrase itself - it could be just empty bluster on the part of the author. If it is for real, we're already past Day 30 anyway.

Is there consensus that all sources are spoofed? For me the majority of the probes come from a single spoofed address unique (or nearly unique) to each target. But each target also gets hits from addresses with valid rDNS and live routes. These source addresses are hitting multiple targets and don't look spoofed to me. Of course the packet crafting makes it difficult to judge this for certain.

Can't a few ISPs put a trace on the valid addresses that hit multiple sites, to determine whether the traffic is being routed along a path consistent with the apparent source address? I'm sure it is next to impossible to get a full trace to the source, with the multiple carriers and privacy policies and national laws along the way. Maybe this has already been done and it has been proven that ALL sources are forged, but that does not look likely based on my own limited captures.
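As an added example (not part of the original message), the sorting the writer describes can be done mechanically over a capture: group probe records by source address, separate the one address that dominates a single target from the addresses that recur across several targets, and list the latter as the candidates worth a routing trace. The (target, source) records below are constructed from RFC 5737 documentation addresses, not taken from any real capture.

```python
from collections import Counter, defaultdict

# Constructed sample of (target, source) pairs, modelled on the pattern in the
# post: each target sees one source that is unique to it, plus a few sources
# that recur across targets. Addresses are RFC 5737 ranges invented here.
PROBES = [
    ("198.51.100.10", "203.0.113.7"), ("198.51.100.10", "203.0.113.7"),
    ("198.51.100.10", "203.0.113.7"), ("198.51.100.10", "192.0.2.44"),
    ("198.51.100.11", "203.0.113.88"), ("198.51.100.11", "203.0.113.88"),
    ("198.51.100.11", "192.0.2.44"), ("198.51.100.11", "192.0.2.45"),
    ("198.51.100.12", "203.0.113.120"), ("198.51.100.12", "203.0.113.120"),
    ("198.51.100.12", "192.0.2.45"), ("198.51.100.12", "203.0.113.5"),
]

def classify_sources(probes):
    """Label each source address by how it is spread over targets.

    'per-target'  : seen against exactly one target and it is that target's
                    most frequent source (the pattern the post reads as spoofed)
    'multi-target': seen against two or more targets (candidate for a trace)
    'minor'       : seen against one target but not its dominant source
    Returns {source: {"hits": n, "targets": [..], "label": str}}.
    """
    by_source = defaultdict(Counter)   # source -> Counter(target -> hits)
    by_target = defaultdict(Counter)   # target -> Counter(source -> hits)
    for target, source in probes:
        by_source[source][target] += 1
        by_target[target][source] += 1
    dominant = {t: c.most_common(1)[0][0] for t, c in by_target.items()}
    result = {}
    for source, targets in by_source.items():
        if len(targets) > 1:
            label = "multi-target"
        elif dominant[next(iter(targets))] == source:
            label = "per-target"
        else:
            label = "minor"
        result[source] = {"hits": sum(targets.values()),
                          "targets": sorted(targets), "label": label}
    return result

def trace_candidates(probes):
    """Multi-target sources, widest fan-out first: the addresses whose
    routing path an ISP could check against the apparent source."""
    c = classify_sources(probes)
    multi = [s for s, v in c.items() if v["label"] == "multi-target"]
    return sorted(multi, key=lambda s: (-len(c[s]["targets"]), -c[s]["hits"], s))

if __name__ == "__main__":
    for src, info in sorted(classify_sources(PROBES).items()):
        print(f"{src:15} {info['label']:13} hits={info['hits']} targets={info['targets']}")
    print("trace candidates:", trace_candidates(PROBES))
```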
This archive was generated by hypermail 2b30 : Thu Jun 19 2003 - 20:05:19 PDT