[Dshield] routing 192.168...?

Daniel Cherton dcherton at aei.ca
Mon May 2 14:36:03 GMT 2005


Thanks for the info Jim.

Quite a few "noobs" out there... over 40 attacks without address spoofing 
in the last 24 hours.
Same for the spoofed address too.

Is there a way to trace back the source? Can the MAC address also be 
changed?
If not, then sorting all the packets received could lead to the Internet 
address?

I guess I don't need to be worried, but it is interesting!

We are not using MS-DOS at work; all the systems are using NT4 or Linux 
linked to a proprietary OS. Clients are responsible for security.

Daniel

Jim McCullough wrote:

>This is very possible.  Several scripts were available at one point in
>time on multiple distribution sites across the internet in the
>1997-1999 time frame.  These scripts could combine multiple attacks
>such as teardrop, newtear, and ping of death with an option to supply
>extra parameters into the packet.  Also included was an option to
>include a spoof address into the packet sent.  Most of the script
>kiddies will try to spoof their source address (if worth half their
>weight in salt).  Only a truly "noob" kiddie would use their own IP
>address.  Is it still a concern?  For some embedded OS devices it is. 
>I know of several instances where MSDOS and OS2 are still in use for
>production machinery.  These systems don't have patches applied very
>often and are subject to remote attacks.  This is the main reason we
>still see signatures for attacks that are out of major circulation
>being used.
>
>Jim McCullough
>
>On 5/2/05, Daniel Cherton <dcherton at aei.ca> wrote:
>
>>Hi Mark,
>>
>>I am not absolutely sure but, since it is a home network and I am using
>>a router/firewall and ZoneAlarm on every
>>computer, I think it is coming from outside. I checked the setup and logs from
>>ZoneAlarm and found nothing going out.
>>Can it still be possible?
>>
>>Daniel
>>
>>Mark Owen wrote:
>>
>>>>Ping of Death Detect src:192.168.1.10:2961 dst:my-internet-ip:42617 Packet Dropped
>>>>
>>>Are you sure it came from the untrust and not an internal network?
>>>
>>>--
>>>Mark Owen
>>>
>>>-------------- Sponsor Message ------------------------------------
>>>Join us at SANSFIRE 2005 in Atlanta!
>>>The Internet Storm Center Conference.
>>>Details: http://www.sans.org/sansfire2005
>>>
>>>_______________________________________________
>>>send all posts to list at lists.dshield.org
>>>To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
>>--
>>No virus found in this outgoing message.
>>Checked by AVG Anti-Virus.
>>Version: 7.0.308 / Virus Database: 266.11.0 - Release Date: 4/29/2005
>>

-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.11.1 - Release Date: 5/2/2005
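
The alert quoted in this thread carries a 192.168.x.x source, which is never routed on the public Internet, so the logged address cannot identify a remote sender: it was either spoofed or the packet came from the internal side, which is what Mark's question is getting at. The following is an added example, not code from any poster or from the firewall vendor; it triages alerts in that format by source-address class. The function names and the second sample line are constructed for illustration, and it assumes the alerts were logged on the Internet-facing interface.

```python
import ipaddress
import re

# Alert format modelled on the line quoted in the thread:
#   "<signature> src:<ip>:<port> dst:<host>:<port> <action>"
ALERT_RE = re.compile(
    r"^(?P<sig>.+?)\s+src:(?P<src>[^\s:]+):(?P<sport>\d+)"
    r"\s+dst:(?P<dst>[^\s:]+):(?P<dport>\d+)\s+(?P<action>.+)$"
)

# IPv4 source ranges that are never routed on the public Internet.
NON_ROUTABLE = {
    label: [ipaddress.ip_network(n) for n in nets]
    for label, nets in {
        "rfc1918-private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
        "loopback": ["127.0.0.0/8"],
        "link-local": ["169.254.0.0/16"],
        "this-network": ["0.0.0.0/8"],
        "multicast-or-reserved": ["224.0.0.0/3"],
    }.items()
}

def classify_source(addr):
    """Return the non-routable class of addr, or 'routable' if none match."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NON_ROUTABLE.items():
        if any(ip in net for net in nets):
            return label
    return "routable"

def triage(line):
    """Parse one alert line; return None if it does not match the format."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    try:
        src_class = classify_source(m["src"])
    except ValueError:
        src_class = "unparseable"
    # Non-routable source seen on the WAN side: spoofed, or it came from the
    # inside after all, so the arrival interface is the next thing to check.
    return {"signature": m["sig"], "src": m["src"], "src_class": src_class,
            "needs_interface_check": src_class != "routable"}

if __name__ == "__main__":
    samples = [  # first line is from the thread, second is constructed
        "Ping of Death Detect src:192.168.1.10:2961 dst:my-internet-ip:42617 Packet Dropped",
        "Teardrop Detect src:198.51.100.7:1044 dst:203.0.113.5:139 Packet Dropped",
    ]
    for s in samples:
        print(triage(s))
```

A "routable" result only means the address could exist on the Internet, not that it is the true sender, since a routable address can be spoofed as well.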



