> I build a BIND server (10.10.10.1/24) with a forward AND reverse DNS for
> windowsupdate.com as a fictitious address 10.10.20.10/24. I then put an
> infected client (10.10.10.5/24) on the wire, and set the date ahead to
> the 20th (just for kicks). This simulates a 'real' environment, since we
> typically won't be on the same network segment as windowsupdate.com,
> right? *grin*
>
> Can anyone else independently validate these results? I'm particularly
> interested in the first result, of the high-ARP issue...

This suggests that in addition to spoofing an address within the infected machine's /16, it ALSO assumes a /16 for purposes of routing the outbound attacks.

David Gillett
This archive was generated by hypermail 2b30 : Thu Aug 14 2003 - 17:19:49 PDT