Penetration Testing mailing list archives
spoofing 255.255.255.255 techniques
From: Curt Wilson <netw3 () netw3 com>
Date: 5 Jul 2001 22:17:04 -0000
Our PIX has detected an IP spoof from 255.255.255.255 to one of our servers. Research here on SecurityFocus reveals that some attackers have used this technique with a destination port 515 (LPR) and source 31337 (eleet) in scanning attempts. You can read about this on the firewalls list at http://www.securityfocus.com/archive/19/187958

Our PIX does not indicate source or destination ports, perhaps because the "IP spoof" criteria was already triggered in its logic chain, denying the packet and making a syslog entry. We don't have an IDS outside the firewall, so I don't have any more packet details, which makes it very hard to do proper analysis.

The only other references I've seen to something of this nature can be found in Dragos Ruiu's paper "Cautionary Tales: Stealth Coordinated Attack HOWTO" at http://www.dursec.com/articles/stealthhowto.html which, when talking about DSLAM infrastructure issues, states:

"In easy cases, the equipment rack will bridge broadcast traffic between the "marshmallow" and the target, allowing use of address resolution traffic such as ARP and DHCP to be used for system attacks and control. For stealth, these kinds of attack bases are excellent too, because the broadcast traffic is largely repetitive, very voluminous, and mostly uninteresting, which, combined with a great immaturity among the security tools for this kind of traffic, make it a ripe vulnerability area"

This quote is of interest because the server in question uses DSL.

Another reference to traffic of this nature can be found in the excellent paper "A stateful inspection of Firewall-1" by Dug Song, Thomas Lopatic and John McDonald at http://www.dataprotect.com/bh2000/blackhat-fw1.html which states:

"Another possibility for evading IP spoofing protection is to use the all-hosts multicast address (224.0.0.1) as a mechanism for delivering packets to the underlying operating system of the firewall. For our demonstration, we used FWZ encapsulation to spoof a packet from the multicast address to our attack host, allowing us to respond with a packet sent to the multicast address, passed on to the firewall itself. This attack can also be performed with broadcast addresses."

I realize that both of these references don't refer directly to such a packet, but I am curious about these techniques.

Thank you,
Curt Wilson
Netw3
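As an added example (not part of Curt's post or of either cited paper), here is a small Python header parser that applies the kind of source-address anti-spoofing check the PIX performs but keeps the TCP ports in the log line, so an analyst can still see a 31337 -> 515 pattern like the one described above. The classification rules, the packet builder and the addresses 192.0.2.10 and 198.51.100.7 are all constructed for this example, not the PIX's actual rule set.

```python
import ipaddress
import struct


def spoofed_source_reason(src):
    """Return why a source address can never legitimately originate
    a unicast packet from outside, or None if it looks plausible.
    (Rule set chosen for this example, not the PIX's own logic.)"""
    addr = ipaddress.ip_address(src)
    if src == "255.255.255.255":
        return "limited-broadcast source"
    if addr.is_multicast:          # e.g. 224.0.0.1, all-hosts group
        return "multicast source"
    if addr.is_loopback:
        return "loopback source"
    if addr.is_unspecified:
        return "unspecified source"
    return None


def parse_ipv4_tcp(pkt):
    """Pull src/dst addresses and, for TCP, the ports out of a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4              # header length in bytes
    proto = pkt[9]
    info = {"src": str(ipaddress.ip_address(pkt[12:16])),
            "dst": str(ipaddress.ip_address(pkt[16:20])),
            "proto": proto}
    if proto == 6 and len(pkt) >= ihl + 4:  # TCP: ports are the first 4 bytes
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info


def spoof_log_line(pkt):
    """Emit a syslog-style line that keeps the ports the PIX log omitted."""
    info = parse_ipv4_tcp(pkt)
    reason = spoofed_source_reason(info["src"])
    if reason is None:
        return None
    return "IP spoof (%s) %s:%s -> %s:%s" % (
        reason, info["src"], info.get("sport", "?"),
        info["dst"], info.get("dport", "?"))


def build_ipv4_tcp(src, dst, sport, dport):
    """Constructed test input only: minimal IPv4 + TCP SYN header, checksums zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ip_hdr + tcp_hdr
```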
Current thread:
- spoofing 255.255.255.255 techniques Curt Wilson (Jul 05)
- Re: spoofing 255.255.255.255 techniques Blake Frantz (Jul 06)
- <Possible follow-ups>
- Fwd: Re: spoofing 255.255.255.255 techniques MIKE DONOFRIO (Jul 06)
- Re: Fwd: Re: spoofing 255.255.255.255 techniques Jason Ackley (Jul 07)
- RE: Re: spoofing 255.255.255.255 techniques Erik Nodland (Jul 11)
- Re: Re: spoofing 255.255.255.255 techniques Ron Russell (Jul 12)