Security Incidents mailing list archives
Re: I was scaned
From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Sun, 23 Jan 2000 22:29:52 -0500
On Sat, 22 Jan 2000, Robert Graham wrote:
Your log does show something new, however. The attacker is putting the source port as 53 in order to penetrate firewalls. Many stateless firewalls allow any incoming UDP packet with a source port of 53 on the assumption that it is a DNS response, but hackers can exploit this to send any data through the firewall. We put this in the first version of our BlackICE intrusion detection system, but we haven't seen this trigger often. Maybe hackers are wising up to this technique.
sounds like someone's learned to use Firewalk. basically, by abusing a way in (like 53/UDP) they can map your network. the paper is rather neat on the subject: http://www.packetfactory.net/firewalk/ it's also explained rather well in "Hacking Exposed".

a good stateful firewall will see an inbound packet with no corresponding outbound packet (and hence no stimulus) and drop it. that should thwart most probes of this type, i believe.

jose nazario jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
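The difference between the two rule styles discussed in this thread, as an added simulation that is not from the original posts or from any firewall product: a stateless rule that trusts any inbound UDP packet with source port 53, beside a stateful filter that only admits an inbound packet when it answers an outbound flow it has already seen. The addresses and the three-packet trace are constructed for the example.

```python
from collections import namedtuple

# direction is "in" (towards the protected host) or "out" (from it)
Packet = namedtuple("Packet", "direction proto src sport dst dport")

def stateless_verdict(pkt):
    """Classic stateless rule: outbound is fine, and any inbound UDP with
    source port 53 is assumed to be a DNS reply and let through."""
    if pkt.direction == "out":
        return "allow"
    if pkt.proto == "udp" and pkt.sport == 53:
        return "allow"
    return "drop"

class StatefulFilter:
    """Records outbound UDP flows and admits inbound packets only when they
    match a recorded flow (the 'stimulus'). Real implementations also expire
    entries after a timeout; omitted here to keep the example short."""
    def __init__(self):
        self.flows = set()     # (local_ip, local_port, remote_ip, remote_port)
        self.dropped = []      # unsolicited inbound packets, worth logging

    def verdict(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # an inbound reply reverses the tuple of the outbound query
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:
            return "allow"
        self.dropped.append(pkt)   # no matching outbound packet: a probe
        return "drop"

# constructed trace: a genuine DNS query and reply, then a probe that
# spoofs source port 53 towards a non-DNS service on the host
TRACE = [
    Packet("out", "udp", "10.0.0.5", 40000, "192.0.2.53", 53),
    Packet("in",  "udp", "192.0.2.53", 53, "10.0.0.5", 40000),
    Packet("in",  "udp", "198.51.100.9", 53, "10.0.0.5", 139),
]

def run_demo(trace=TRACE):
    """Return (stateless, stateful) verdicts per packet, in trace order."""
    sf = StatefulFilter()
    return [(stateless_verdict(p), sf.verdict(p)) for p in trace]

if __name__ == "__main__":
    for pkt, (sl, st) in zip(TRACE, run_demo()):
        print(f"{pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  stateless={sl} stateful={st}")
```

Only the third packet separates the two: the stateless rule admits it because of the source port, while the stateful filter drops it for lack of a prior outbound packet, which is exactly the case to alert on.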