Re: [ISSForum] [Newbie] All 0's in the source IP
> Ajay:
> When the sensor sees events which could be using a spoofed source IP, it
> will record it as 0.0.0.0.
This thread explains it better:
http://archives.neohapsis.com/archives/iss/2003-q2/0030.html
For the lazy: when "too many" similar packets whiz by (16 in one second),
the sensor merely reports them all as 0.0.0.0 (or A.0.0.0 or A.B.0.0 or
whatever). I don't believe this 16:1 ratio is configurable through PAM or
anything, which is a shame when you're using RealSecure on a high traffic
gigabit network. (If I'm wrong please say so!)
It would seem that all an attacker has to do to cover his tracks from
RealSecure is to source his attack across 15 other IPs. The timing is
pretty tight, and only useful for fast, single-packet kills, but I'm sure
it's doable, especially if he's inside your network already.
--
Tod Beardsley | planb-security.net
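The collapsing behaviour Tod describes (more than 16 similar events in one second and the sensor reports 0.0.0.0, or A.0.0.0 / A.B.0.0 when the sources share leading octets) is easier to reason about with a small model. The following is an added example written for this thread, not RealSecure code and not anything from ISS: it assumes events are bucketed per signature, destination and wall-clock second, that the threshold is a fixed 16 as the post states, and that a reported source with trailing zero octets means the sensor collapsed it. The sample events are constructed. The `triage` helper shows the analyst-side consequence: collapsed events have no usable source and must be joined against flow or packet-capture data instead.

```python
# Added example: a model of the source-IP collapsing described in the thread,
# written from the analyst's side. THRESHOLD and the bucketing key are
# assumptions based on the post ("16 in one second"), not the sensor's real logic.
from collections import defaultdict
from dataclasses import dataclass, replace

THRESHOLD = 16  # assumed: events of one signature, one destination, one second


@dataclass(frozen=True)
class Event:
    ts: float        # seconds since epoch
    signature: str   # sensor signature name
    src: str         # dotted-quad source address as reported
    dst: str         # dotted-quad destination address


def shared_prefix(addrs):
    """Keep the leading octets every address shares and zero the rest
    (the A.0.0.0 / A.B.0.0 forms from the post; 0.0.0.0 when nothing is shared)."""
    octets = [a.split(".") for a in addrs]
    out = []
    same = True
    for i in range(4):
        same = same and len({o[i] for o in octets}) == 1
        out.append(octets[0][i] if same else "0")
    return ".".join(out)


def collapse(events, threshold=THRESHOLD):
    """Return the events as the modelled sensor would report them: any bucket of
    `threshold` or more events sharing signature and destination inside one
    wall-clock second has every source address collapsed to the shared prefix."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e.signature, e.dst, int(e.ts))].append(e)
    reported = []
    for group in buckets.values():
        if len(group) >= threshold:
            masked = shared_prefix([e.src for e in group])
            reported.extend(replace(e, src=masked) for e in group)
        else:
            reported.extend(group)
    return sorted(reported, key=lambda e: e.ts)


def masked_octets(src):
    """Count trailing zero octets in a reported source. Assumption: any value
    above 0 means the sensor collapsed the address, so the real source has to be
    recovered from flow records or a packet capture."""
    n = 0
    for part in reversed(src.split(".")):
        if part != "0":
            break
        n += 1
    return n


def triage(reported):
    """Split reported events into those with a usable source and those that
    need correlation against another data source."""
    usable, needs_corr = [], []
    for e in reported:
        (needs_corr if masked_octets(e.src) else usable).append(e)
    return usable, needs_corr


def sample_events():
    """Constructed sample: a 20-packet burst from one /24, a 16-packet burst
    spread across a /16, and a five-packet trickle that stays below the threshold."""
    sig, dst = "HTTP_IIS_Unicode", "10.9.9.9"
    evs = [Event(1000.0 + i / 100, sig, f"10.1.2.{i + 1}", dst) for i in range(20)]
    evs += [Event(1001.0 + i / 100, sig, f"10.1.{i + 1}.7", dst) for i in range(16)]
    evs += [Event(1002.0 + i / 10, sig, f"10.1.2.{i + 1}", dst) for i in range(5)]
    return evs


if __name__ == "__main__":
    usable, needs_corr = triage(collapse(sample_events()))
    print(f"usable source: {len(usable)}, collapsed (correlate elsewhere): {len(needs_corr)}")
    for e in needs_corr[:1] + needs_corr[20:21]:
        print(f"  {e.ts:.2f} {e.signature} src={e.src} masked_octets={masked_octets(e.src)}")
```

Running it shows the 20-packet /24 burst reported as 10.1.2.0, the /16 burst as 10.1.0.0, and only the slow trickle keeping its real addresses; the `triage` split is the signal an analyst should key on when a console fills with zeroed sources.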
_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.