Security Incidents mailing list archives
RE: Odd scans and stuff bouncing off firewalls
From: woods () weird com (Greg A. Woods)
Date: Tue, 13 Aug 2002 15:01:36 -0400 (EDT)
[ On Tuesday, August 13, 2002 at 09:57:33 (-0700), Steve Vawter wrote: ]
> Subject: RE: Odd scans and stuff bouncing off firewalls
>
> Another reason (other than using the numbers for cash) that I can see is that they might better help decipher where an attack that made it through the filters came from. If you only have the few packets that made it through to use to backtrack to an attacker, it may be harder to find them. But, of course, without the right data filters, finding the pattern in the chaos is near impossible sometimes...

The "normal chaos" is only part of the problem. A well executed attack may very well re/mis-direct your response to exactly the wrong source, giving the real attacker even more time to disappear into the wires....

Unless the suspected source happens to have logged the very same traffic (or the attacker is just asking to get caught) then it's still in this day and age impossible to use source addresses and other such indicators as any even remotely reliable means of identifying the source of any real attack.

--
Greg A. Woods

+1 416 218-0098; <g.a.woods () ieee org>; <woods () robohack ca>
Planix, Inc. <woods () planix com>; VE3TCP; Secrets of the Weird <woods () weird com>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com