-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Monday, July 16, 2001 3:01 PM, Ron Russell wrote: [...] > And the activity could have been prevented by proper use of > ACLs, This is not an easy task. Because UDP is stateless, spoofing is fairly trivial. Particularly for the snmp set approach you mention - -- the format is $SNMPSET $TARGET $COMMUNITY .1.3.6.1.4.1.9.2.1.55.$MYIP s $CONFIG where $MYIP is the IP address of the tftp server. Consequently, one can spoof the snmp set as coming from that trusted host -- the ACL has to reach into the data portion of the packet to prevent the tftp occurring. Its not clear to me where the original penetration test was coming from, but if it was from a portion of the network where detecting spoofed addresses is not easy, then you have few options. > and the > proper configuration of SNMP (not using easily guessable > strings). I'm not sure this is especially helpful; SNMP is sent in the clear, of course, so the strings can be observed in transit, the game is up. Also, dictionary attacks are straightforward, since logging of snmp traffic seems to be rarely done. [...] - --woody -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> iQA/AwUBO1N9xaWr4+fi694gEQL8gwCgg5Q7huPhA+yCUuwFjAkTHcxJ/fAAoKVb RweCZ7evjZ29a+RgvtPB2m1r =cqIf -----END PGP SIGNATURE----- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 10:26:49 PDT