Security Incidents mailing list archives
Re: spoofed packets to RFC 1918 addresses
From: jon schatz <jon () divisionbyzero com>
Date: 26 Jun 2002 22:37:55 -0700
On Wed, 2002-06-26 at 08:48, Dirk Koopman wrote:
There seems to be a "tool" about, which is somehow able to detect valid rfc1918 addresses behind a NATed firewall and is spoofing from addresses using random (usually non-existant) addresses from the class C on the internet side of that firewall.
i read about a tool last summer that would do an icmp scan through a firewall. i believe it sent icmp unreachable packets to the firewall destined for common ip addresses (10.0.0.1, 192.168.1.1, 172.16.1.1). the firewall would send another icmp unreachable packet back to the machine if the unroutable ip address wasn't alive (or something like that). once the intruder has a starting ip address, the rest is elementary. i remember this was around the same time xprobe was first announced (xprobe == icmp remote os detection). hth. -jon -- jon () divisionbyzero com || www.divisionbyzero.com gpg key: www.divisionbyzero.com/pubkey.asc think i have a virus? www.divisionbyzero.com/pgp.html "You are in a twisty little maze of Sendmail rules, all confusing."
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- spoofed packets to RFC 1918 addresses Dirk Koopman (Jun 26)
- Re: spoofed packets to RFC 1918 addresses measl (Jun 27)
- RE: spoofed packets to RFC 1918 addresses Kent Hundley (Jun 27)
- Re: spoofed packets to RFC 1918 addresses Barry Irwin (Jun 28)
- Re: spoofed packets to RFC 1918 addresses Daniel Polombo (Jun 27)
- Re: spoofed packets to RFC 1918 addresses jon schatz (Jun 27)
- Re: spoofed packets to RFC 1918 addresses Robert E. Lee (Jun 27)
- <Possible follow-ups>
- RE: spoofed packets to RFC 1918 addresses Shane Carroll (Jun 27)
- Fw: spoofed packets to RFC 1918 addresses HggdH (Jun 27)
- RE: spoofed packets to RFC 1918 addresses Sterling, Chuck (Jun 28)
- RE: spoofed packets to RFC 1918 addresses Keith T. Morgan (Jun 28)