[Dshield] routing 192.168...?

Stephane Grobety security at admin.fulgan.com
Tue May 3 15:22:16 GMT 2005


Hello Daniel,

I think you should really have a good look at these packets. I suspect
they are not what you think they are: I see no reason for an attacker
to stealth his IP but only "sometimes". And I also find it unlikely
that two different attackers decide to take you out at the same time
with such an outdated attack (i.e. very unlikely to succeed).

Good luck,
Stephane

Monday, May 2, 2005, 4:36:03 PM, you wrote:

DC> Thanks for the info Jim.

DC> Quite a few "noob" out there... over 40 attacks without address spoofing 
DC> in the last 24 hours.
DC> Same for the spoof address too.

DC> Is there a way to trace back the source? Can the MAC address also be
DC> changed?
DC> If not, then sorting all the packets received could lead to the Internet 
DC> address ?

DC> I guess I don't need to be worried but, it is interesting !

DC> We are not using msdos at work, all the systems are using NT4 or Linux
DC> linked to a proprietary OS. Clients are responsible for security.

DC> Daniel

DC> Jim McCullough wrote:

>>This is very possible.  Several scripts were available at one point in
>>time on multiple distribution sites across the internet in the
>>1997-1999 time frame.  These scripts could combine multiple attacks
>>such as teardrop, newtear, and ping of death with an option to supply
>>extra parameters into the packet.  Also included was an option to
>>include a spoof address into the packet sent.  Most of the script
>>kiddies will try to spoof their source address ( if worth half their
>>weight in salt ).  Only a truly "noob" kiddie would use their own ip
>>address.  Is it still a concern?  For some embedded OS devices it is. 
>>I know of several instances where MSDOS and OS2 are still in use for
>>production machinery.  These systems don't have patches applied very
>>often and are subject to remote attacks.  This is the main reason we
>>still see signature for attacks that are out of major circulation
>>being used.
>>
>>Jim McCullough
>>
>>On 5/2/05, Daniel Cherton <dcherton at aei.ca> wrote:
>>
>>>Hi Mark,
>>>
>>>I am not absolutely sure but, since it is a home network and I am using
>>>router/firewall and ZoneAlarm in every
>>>computer, I think it is coming from outside. I check setup and logs from
>>>ZoneAlarm and found nothing going out.
>>>Can it still be possible ?
>>>
>>>Daniel
>>>
>>>Mark Owen wrote:
>>>
>>>>>Ping of Death Detect src:192.168.1.10:2961 dst:my-internet-ip:42617 Packet Dropped
>>>>>
>>>>Are you sure it came from the untrust and not an internal network?
>>>>
>>>>--
>>>>Mark Owen
>>>>
>>>>-------------- Sponsor Message ------------------------------------
>>>>Join us at SANSFIRE 2005 in Atlanta!
>>>>The Internet Storm Center Conference.
>>>>Details: http://www.sans.org/sansfire2005
>>>>
>>>>_______________________________________________
>>>>send all posts to list at lists.dshield.org
>>>>To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

-- 
Best regards,
 Stephane                            mailto:security at admin.fulgan.com
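
Added example, not part of the original thread: a Python triage of firewall log lines in the format Mark Owen quotes above, grouping alerts by source and marking sources in RFC 1918 private ranges, which are not routable on the public Internet, so such a source is either on a local or upstream private network or forged. Every sample line except the first is constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Log format as quoted in the thread: "<signature> src:IP:port dst:HOST:port <action>"
LINE = re.compile(
    r"^(?P<sig>.+?) src:(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst:(?P<dst>\S+?):(?P<dport>\d+) (?P<action>.+)$"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(src):
    """Return 'rfc1918', 'non-routable' or 'other' for a source address."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return "non-routable"
    return "other"

def triage(lines):
    """Count alerts per (source address, class); unparsable lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            counts[(m["src"], classify(m["src"]))] += 1
    return counts

# First line is the one quoted in the thread; the rest are constructed.
# 198.51.100.23 is a documentation address standing in for a public source.
SAMPLE = [
    "Ping of Death Detect src:192.168.1.10:2961 dst:my-internet-ip:42617 Packet Dropped",
    "Ping of Death Detect src:192.168.1.10:2962 dst:my-internet-ip:42617 Packet Dropped",
    "Ping of Death Detect src:198.51.100.23:1044 dst:my-internet-ip:42617 Packet Dropped",
    "Ping of Death Detect src:10.4.4.9:3310 dst:my-internet-ip:42617 Packet Dropped",
    "unrelated line",
]

if __name__ == "__main__":
    for (src, kind), n in triage(SAMPLE).most_common():
        print(f"{n:3d}  {src:15s}  {kind}")
```
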



