Security Basics mailing list archives

RE: Traces


From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Mon, 5 Jan 2004 11:26:16 -0800

        
        The geographical location is something I mentioned just in case
I wasn't covering the right bases and not something Fernando mentioned.
I was almost positive he was talking about the source network and not
the source 'location' but figured I'd throw that in there just in case,
my apologies.

        Personally I think this would only be, slightly, useful when
automated and even then multiple sites off your network, backbone even,
have to be under attack. Additionally it has to be from one system, or
group of systems on the same netblock (CIDR or Subnet), which isn't too
likely in this day and age. In any puppet-master/puppet situation (i.e. a
master system sends a control notification to compromised hosts to
launch an attack), DDoS, this method is useless. Seemingly multiple
systems from all over are attacking your network at the same time. I
tried to think of other attack situations (MITM, etc) but was unable to
find a use for it. Fernando mentioned that there is a "real-world
example" in the book "Network Intrusion Detection: An Analyst's
Handbook", I think Chris mentioned it also.

        Besides a corporate network or controlled networking environment
I can't see this being too terribly useful. But then again this is
coming from the guy who wants to beat script-kiddies up with a clue bat.
Ending spoofing would be extremely useful, or at least finding out a way
to locate the attackers when spoofing is being employed. Does IPv6 solve
this issue? Personally I haven't had time to fully inspect the protocol.
IMHO I think network owners should drop packets that originate from
inside their network with an off network source IP. But hey, I believe
in responsibility too, man I'm getting old.

I'm going to head to B&N sometime this week and see if they have that
book. Has anyone read it? Is it any good? Now let the Out-Of-Office and
Undeliverable messages come, come to me!!

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
 
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338

-----Original Message-----
From: Meritt James [mailto:meritt_james () bah com] 
Sent: Monday, January 05, 2004 10:45 AM
To: Iain () mta1 horizonusa com
Cc: Fernando Gont; Shawn Jackson; Gerson Sampaio;
security-basics () securityfocus com
Subject: Re: Traces

I have gotten halfway around the world (was accessing a New Zealand
database) with few (single-digit) hops and have also seen a dozen miles
take multiple (double-digit, the first digit neither one nor two) hops.
Unless you are concerned with network location and have dropped the
geographical location idea, of course.  I've also seen the same subnet
go across multiple nations (corporate network) and multiple subnets in
the same building.  I recommend against confusing apples with oranges.

Jim

Jimi Thompson wrote:

Physically locating people via "hops" isn't a very viable method. 

-- 
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566
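The egress rule Shawn proposes above (a network owner drops packets leaving its network whose source address is not one of its own) is the ingress/egress filtering later written up as BCP 38, and it applies unchanged to IPv6, which does not by itself prevent source spoofing. The following is an added illustration, not code from the list or any poster, modelling that border check over constructed sample traffic; the prefixes and packets are assumed documentation-range values.

```python
import ipaddress

# Constructed example: the address space this site legitimately sources
# traffic from (assumed documentation prefixes, not from the thread).
SITE_PREFIXES = [ipaddress.ip_network(p) for p in
                 ("192.0.2.0/24", "198.51.100.0/25", "2001:db8:1::/48")]

# Constructed outbound packets seen at the border, as (src, dst) pairs.
SAMPLE_OUTBOUND = [
    ("192.0.2.10", "203.0.113.5"),        # legitimate
    ("198.51.100.7", "203.0.113.5"),      # legitimate, second prefix
    ("2001:db8:1::42", "2001:db8:9::1"),  # legitimate IPv6
    ("198.51.100.200", "203.0.113.5"),    # outside the /25: spoofed or misconfigured
    ("10.0.0.5", "203.0.113.5"),          # RFC 1918 address leaking out
    ("203.0.113.77", "203.0.113.5"),      # off-net source: classic spoof
]


def egress_allowed(src, prefixes=SITE_PREFIXES):
    """True if the source address belongs to one of the site's own prefixes
    (the rule Shawn describes); False means the packet should be dropped.
    Version mismatch (v4 address vs v6 prefix) simply does not match."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def filter_outbound(packets, prefixes=SITE_PREFIXES):
    """Split packets into (forwarded, dropped). Dropped entries keep the
    source so an operator can trace the misconfigured or compromised host,
    which is the local visibility that hop counting cannot give."""
    forwarded, dropped = [], []
    for src, dst in packets:
        target = forwarded if egress_allowed(src, prefixes) else dropped
        target.append((src, dst))
    return forwarded, dropped


if __name__ == "__main__":
    ok, bad = filter_outbound(SAMPLE_OUTBOUND)
    print(f"forwarded {len(ok)}, dropped {len(bad)}")
    for src, dst in bad:
        print(f"DROP off-net source {src} -> {dst}")
```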
