Security Incidents mailing list archives
Re: Hiding IP addresses in trace data
From: Jose Nazario <jose () monkey org>
Date: Mon, 21 Oct 2002 19:13:45 -0400 (EDT)
On Mon, 21 Oct 2002, John Kristoff wrote:
Too often it seems that people are attempting to hide their IP address by masking the obvious dotted decimal notated number in various trace data.
well said, john. this is actually a very difficult situation on many fronts, one of them being the discussion of security issues in an open forum.

at usenix security 2002, someone working with vern paxson discussed some efforts they are making to develop software and infrastructure which allows for the scrubbing of the true address but the preservation of unique identifiers within the set of traces and flows. note that the scrubbing of identifiable data goes well beyond headers (in both decimal and hex, when appropriate) and into the payload. a lot of useful information stays in the payload. hence, this is a very tough problem.

one set of tools available to do this is catalogued at:

http://ita.ee.lbl.gov/html/software.html

have a look, and keep safe/private/confidential.

___________________________
jose nazario, ph.d. jose () monkey org
http://www.monkey.org/~jose/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
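The scrubbing described in the message above (hide the true address, keep each host distinguishable across the trace set, and cover hex encodings in payload dumps as well as dotted decimal), as an added example that is not part of the original post and is not code from the LBL tools it links to. The `TraceScrubber` class, the HMAC-SHA256 mapping into 10.0.0.0/8, the sample lines and the IPv4-only, text-trace scope are all assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
import re

DOTTED = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?!\d)")
SAMPLE = [  # constructed tcpdump-style lines using documentation-range addresses
    "19:13:45 192.0.2.10.1025 > 198.51.100.7.137: udp 50",
    "19:13:46 198.51.100.7.137 > 192.0.2.10.1025: udp 62",
    "  0x0000: 4500 004e c000 020a c633 6407 0401 0089",
]

class TraceScrubber:  # hypothetical helper: keyed, consistent IPv4 pseudonyms
    def __init__(self, key: bytes):
        self.key = key       # secret; without it the mapping cannot be recomputed
        self.forward = {}    # real address -> pseudonym
        self.taken = set()   # host parts already handed out

    def pseudonym(self, real):
        if real not in self.forward:
            digest = hmac.new(self.key, real.packed, hashlib.sha256).digest()
            host = int.from_bytes(digest[:3], "big")
            while host in self.taken:  # probe so two hosts never share a pseudonym
                host = (host + 1) % (1 << 24)
            self.taken.add(host)
            self.forward[real] = ipaddress.IPv4Address((10 << 24) | host)
        return self.forward[real]

    def _dotted(self, m):
        octets = [int(x) for x in m.group(0).split(".")]
        if max(octets) > 255:
            return m.group(0)  # not an IPv4 address, leave untouched
        return str(self.pseudonym(ipaddress.IPv4Address(bytes(octets))))

    def _hex(self, m):
        text = m.group(0)
        real = ipaddress.IPv4Address(bytes.fromhex(re.sub("[ :]", "", text)))
        digits = iter(self.forward[real].packed.hex())
        return "".join(c if c in " :" else next(digits) for c in text)

    def scrub(self, lines):
        # Pass 1: dotted-decimal addresses; this also builds the mapping table.
        out = [DOTTED.sub(self._dotted, line) for line in lines]
        if not self.forward:
            return out
        # Pass 2: hex encodings of the same addresses inside payload dumps.
        alts = ("[ :]?".join(f"{b:02x}" for b in r.packed) for r in self.forward)
        hexpat = re.compile("|".join(alts), re.I)
        return [hexpat.sub(self._hex, line) for line in out]
```

Pass 2 only rewrites hex for addresses already seen in dotted form, so an address that appears solely inside a payload dump is not caught; the dotted pattern deliberately over-matches (a four-part version string is rewritten too), since over-scrubbing is the safer failure.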