[Intrusions] LOGS: GIAC GCIA Version 3.5 Practical Detect MarkStingley

Mark Stingley cw3sting at yahoo.com
Mon Sep 20 21:10:03 GMT 2004


--- "Smith, Donald" <Donald.Smith at qwest.com> wrote:

> First catching the sonicwall reference was great. 
> You have done a good job. I have added a few
> comments/questions.

Thanks much.

> > Going from the alert log to closer examination
> > with tcpdump, here is an excerpt of the traffic:
> > 
> > tcpdump -s 1514 -nnvvr 2002.10.14 src host
> > 255.255.255.255
> 
> You might want to include -A to show the data.

Point taken.

> 
> Why would someone spoof 255.255.255.255?

My guess is a configuration feature for "stealth". But
since Sonicwall hasn't answered my email yet, that
remains only a probability.

> LPD exploit attacks would be tcp therefore it's 
> unlikely someone would spoof the source addr.
> So the rest of this explanation doesn't track.

Thanks for pointing out my error in not looking at the
workings of the LPRng/lpd exploit while I wrote.  The
exploit does require a 3-way handshake and a valid
connection.

I guess the best we can do is surmise that a host
behind a Sonicwall either scanned the 170.129.xxx.xxx
subnet, or was actually trying to open port 515
connections on the target hosts.

Sound good?

> The use of 31337 and 515 might imply something else 
> since those are both WELL KNOWN bad ports.

Also a valid point.

> I have a theory think about ips (esp ones that DO 
> resets), and fightback/strikeback/hackback.

I'm a firm believer in simply dropping hostile
packets.  

> What would it take to get two ips (or other 
> strikeback systems) to attack each other?

I would be willing to bet it can be done quite easily
due to all of the non-RFC compliant systems around
today.

> > Answer:  D.

> You may lose points for an all of the above type 
> answer. Check the notes on this practical; it has 
> been a while since I read them but at one
> time it stated something like 1 correct answer.

Thanks.  I will definitely verify that one.

I very much appreciate your feedback Donald.
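As an added illustration of the detection point discussed above (this is not code from the original message, from the practical, or from Sonicwall): a small Python parser that flags an IPv4/TCP segment whose source is the limited-broadcast address 255.255.255.255 (a peer that can never complete a handshake) or whose ports are the 515/31337 pair named in the thread. All packets are constructed inline; addresses such as 192.0.2.10 are assumed test values.

```python
import ipaddress
import struct

# Ports called out in the thread: lpd (515) and the "elite" port (31337).
SUSPICIOUS_PORTS = {515, 31337}


def build_ipv4_tcp(src, dst, sport, dport, flags=0x02):
    """Build a minimal IPv4 + TCP header (no payload, checksums zeroed)
    for constructing sample input; default flags = SYN."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                          5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, flags) or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # IP header length in bytes
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        return None                    # not TCP, or truncated
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]              # TCP flags byte
    return src, dst, sport, dport, flags


def classify(pkt):
    """Return the reasons an analyst should look at this packet ([] = none)."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return []
    src, dst, sport, dport, flags = parsed
    reasons = []
    if src == "255.255.255.255":
        reasons.append("limited-broadcast source: no TCP handshake can complete")
    if flags & 0x02 and not flags & 0x10 and dport in SUSPICIOUS_PORTS:
        reasons.append(f"SYN to well-known bad port {dport}")   # SYN without ACK
    if sport in SUSPICIOUS_PORTS:
        reasons.append(f"suspicious source port {sport}")
    return reasons


# Constructed samples: the spoofed pattern from the thread, and a benign SYN.
SPOOFED = build_ipv4_tcp("255.255.255.255", "192.0.2.10", 31337, 515)
BENIGN = build_ipv4_tcp("192.0.2.20", "192.0.2.10", 40000, 80)
```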
