Security Incidents mailing list archives
Re: Attacking every host in the path?
From: Gamble <a629w () unb ca>
Date: Wed, 9 Jan 2002 14:20:13 -0400 (AST)
Mike,

It is very possible that the attacker has run traceroute to a host on your network, attacking your routers in its path, and your upstream router, including the border router. There isn't much of any other way to figure out your network without using a traceroute.

You can block traceroute coming in from the Internet on your border router. In such a case, the border router will stop traceroutes from going into your network with !X or !A ICMP messages (ICMP protocol-prohibited, etc). The only information the attacker will have after that is basically the IP of your border router and the destination host he originally attacked. Or if you disable ICMP type time-exceeded altogether on the border router, the only IP that will show up is the destination host in traceroute.

That may be one way the attacker might have used. The other way is, the attacker may have looked up your IP address in ARIN whois, and attacked the whole IP block that you might own.

Hope this helps

--haesu
Also, zone transfers can provide a list of machines within a domain (host -l xyz.com). Another route the attacker might have taken to get a list of machines from the network in question is to abuse the SNMP setup which might be in place.

Personally I think that it is most likely that the attacker did a zone transfer, or as mentioned above, got the information from public databases such as RIPE, ARIN, APNIC, etc.

-- Jamie
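To check whether a zone transfer was the source of the host list, the name server's own logs can be audited for AXFR requests from clients that are not your secondaries. The script below is an added example, not part of the original posts; it assumes BIND 9 style log messages, the sample lines are constructed, and `ALLOWED_SECONDARIES` is a hypothetical allow-list you would replace with your own.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: networks of your own secondary name servers (hypothetical value).
ALLOWED_SECONDARIES = [ip_network("192.0.2.53/32")]

# Constructed sample lines in the style of BIND 9 named logging.
SAMPLE_LOG = """\
09-Jan-2002 14:01:10.120 client 192.0.2.53#4021: transfer of 'example.com/IN': AXFR started
09-Jan-2002 14:03:44.901 client 203.0.113.7#3310: zone transfer 'example.com/AXFR/IN' denied
09-Jan-2002 14:03:45.377 client 203.0.113.7#3311: zone transfer 'example.net/AXFR/IN' denied
09-Jan-2002 14:05:02.008 client 198.51.100.9#1029: transfer of 'example.com/IN': AXFR started
09-Jan-2002 14:06:00.000 client 198.51.100.9#1030: query: www.example.com IN A
"""

CLIENT = r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+.*?: "
STARTED = re.compile(CLIENT + r"transfer of '(?P<zone>[^/']+)/\w+': AXFR started")
DENIED = re.compile(CLIENT + r"zone transfer '(?P<zone>[^/']+)/AXFR/\w+' denied")


def audit_transfers(log_text, allowed=ALLOWED_SECONDARIES):
    """Return {client_ip: {"served": zones, "denied": zones}} for every
    AXFR client that is not inside an allowed secondary network."""
    findings = defaultdict(lambda: {"served": set(), "denied": set()})
    for line in log_text.splitlines():
        for outcome, pattern in (("served", STARTED), ("denied", DENIED)):
            m = pattern.search(line)
            if not m:
                continue
            client = ip_address(m.group("ip"))
            if any(client in net for net in allowed):
                continue  # expected transfer to a known secondary
            findings[str(client)][outcome].add(m.group("zone"))
    return dict(findings)


if __name__ == "__main__":
    for ip, f in sorted(audit_transfers(SAMPLE_LOG).items()):
        # A served transfer means the full host list left the network.
        level = "ZONE DISCLOSED" if f["served"] else "attempt blocked"
        print(f"{ip}: {level}; served={sorted(f['served'])} "
              f"denied={sorted(f['denied'])}")
```

A client listed under "served" received the full zone, so restricting transfers to the secondaries on the name server is the follow-up; clients listed only under "denied" show the restriction working.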