Security Incidents mailing list archives

Re: Attacking every host in the path?


From: Gamble <a629w () unb ca>
Date: Wed, 9 Jan 2002 14:20:13 -0400 (AST)

Mike,
      It is very possible that the attacker has run traceroute to a host
on your network, attacking your routers in its path, and your upstream
router, including the border router. There isn't much of another way to
figure out your network without using a traceroute. You can block
traceroute coming in from the Internet on your border router. In such a
case, the border router will stop traceroutes from going into your network
with !X or !A ICMP messages (ICMP protocol-prohibited, etc). The only
information the attacker will have after that is basically the IP of your
border router and the destination host he originally attacked. Or if you
disable ICMP type time-exceeded altogether on the border router, the only
IP that will show up is the destination host in traceroute.

That may be one way the attacker might have used. The other way is, the
attacker may have looked up your IP address in ARIN whois, and attacked
the whole IP block that you might own.

Hope this helps

--haesu



Also, zone transfers can provide a list of machines within a domain 
(host -l xyz.com).  Another route the attacker might have taken to get 
a list of machines from the network in question, is to abuse the SNMP
setup which might be in place.  

Personally I think that it is most likely that the attacker did a zone
transfer, or as mentioned above, got the information from public databases
such as RIPE, ARIN, APNIC, etc.

-- Jamie
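
An added example, not part of either poster's message: a way to test the three explanations raised in this thread (traceroute path, zone transfer, whois block) against the set of addresses your IDS saw attacked. The function name, the scoring method and all addresses (RFC 5737 documentation ranges) are constructed for illustration; it assumes you already know your own path hops, zone contents and allocated block.

```python
import ipaddress

def classify_targets(attacked, path_hops, zone_hosts, allocated_block):
    """Score how well each reconnaissance hypothesis explains the attacked IPs."""
    attacked = {ipaddress.ip_address(a) for a in attacked}
    hops = {ipaddress.ip_address(a) for a in path_hops}
    zone = {ipaddress.ip_address(a) for a in zone_hosts}
    block = ipaddress.ip_network(allocated_block)

    def overlap(candidate):
        # Jaccard similarity: 1.0 means the attacked set equals the candidate set.
        union = attacked | candidate
        return len(attacked & candidate) / len(union) if union else 0.0

    in_block = {a for a in attacked if a in block}
    scores = {
        # Targets match the hops an inbound traceroute would reveal,
        # including upstream routers that sit outside your own block.
        "traceroute_path": overlap(hops),
        # Targets match the hosts a zone transfer of your domain would list.
        "zone_transfer": overlap(zone),
        # Fraction of usable addresses in the registered block that were hit.
        "whois_block_sweep": len(in_block) / max(block.num_addresses - 2, 1),
    }
    return max(scores, key=scores.get), scores

# Constructed sample data (documentation address ranges, not real hosts).
BLOCK = "192.0.2.0/24"                      # block registered to the site
PATH_HOPS = ["198.51.100.1",                # upstream router
             "203.0.113.1",                 # border router
             "192.0.2.1",                   # internal router
             "192.0.2.10"]                  # destination host
ZONE_HOSTS = ["192.0.2.10", "192.0.2.20", "192.0.2.25", "192.0.2.53"]
ATTACKED = ["198.51.100.1", "203.0.113.1", "192.0.2.1", "192.0.2.10"]

if __name__ == "__main__":
    best, scores = classify_targets(ATTACKED, PATH_HOPS, ZONE_HOSTS, BLOCK)
    print("best explanation:", best)
    for name, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"  {name:18s} {score:.3f}")
```

Attacked addresses outside your own block, such as the upstream router here, are what separate the traceroute explanation from the other two.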

