Security Basics mailing list archives
RE: Traces
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Mon, 5 Jan 2004 11:26:16 -0800
The geographical location is something I mentioned just in case I wasn't covering the right bases and not something Fernando mentioned. I was almost positive he was talking about the source network and not the source 'location' but figured I'd throw that in there just-in-case, my apologies.

Personally I think this would only be, slightly, useful when automated and even then multiple sites off your network, backbone even, have to be under attack. Additionally it has to be from one system, or group of systems on the same netblock (CIDR or Subnet), which isn't too likely in this day and age. In any puppet-master/puppet situation (i.e. a master system sends a control notification to compromised hosts to launch an attack), DDoS, this method is useless. Seeing as multiple systems from all over are attacking your network at the same time. I tried to think of other attack situations (MITM, etc) but was unable to find a use for it.

Fernando mentioned that there is a "real-world example" in the book "Network Intrusion Detection: An Analyst's Handbook", I think Chris mentioned it also. Besides a corporate network or controlled networking environment I can't see this being too terribly useful. But then again this is coming from the guy who wants to beat script-kiddies up with a clue bat.

Ending spoofing would be extremely useful, or at least finding out a way to locate the attackers when spoofing is being employed. Does IPv6 solve this issue? Personally I haven't had time to fully inspect the protocol. IMHO I think network owners should drop packets that originate from inside their network with an off network source IP. But hey, I believe in responsibility too, man I'm getting old.

I'm going to head to B&N sometime this week and see if they have that book, has anyone read it, is it any good?

Now let the Out-Of-Office and Undeliverable messages come, come to me!!

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338

-----Original Message-----
From: Meritt James [mailto:meritt_james () bah com]
Sent: Monday, January 05, 2004 10:45 AM
To: Iain () mta1 horizonusa com
Cc: Fernando Gont; Shawn Jackson; Gerson Sampaio; security-basics () securityfocus com
Subject: Re: Traces

I have gotten halfway around the world (was accessing a New Zealand database) with few (single-digit) hops and have also seen a dozen miles take multiple (double-digit, the first digit neither one nor two) hops.

Unless you are concerned with network location and have dropped the geographical location idea, of course. I've also seen the same subnet go across multiple nations (corporate network) and multiple subnets in the same building.

I recommend against confusing apples with oranges.

Jim

Jimi Thompson wrote:
Physically locating people via "hops" isn't a very viable method.

--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566
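
The border filtering Shawn suggests above (dropping packets that leave a network with an off-network source IP) can be sketched as a source-address check. This is an added example, not part of the original post; the prefixes, interface names and packet records are constructed, and the inbound check goes one step beyond what the post states.

```python
import ipaddress
from collections import Counter

# Assumption: the site's own prefixes (documentation ranges, constructed).
SITE_PREFIXES = [ipaddress.ip_network(p)
                 for p in ("192.0.2.0/24", "2001:db8:10::/48")]

def is_site_address(addr):
    """True if addr falls inside one of the site's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in SITE_PREFIXES)

def border_verdict(pkt):
    """Source-address validation at the site border.

    Outbound: the source must be one of ours, otherwise it is forged.
    Inbound: a source claiming to be ours cannot legitimately arrive
    from outside, so it is forged as well.
    """
    ours = is_site_address(pkt["src"])
    if pkt["direction"] == "out":
        return "forward" if ours else "drop"
    return "drop" if ours else "forward"

def dropped_by_interface(packets):
    """Count dropped packets per receiving interface.

    The forged source IP says nothing about the sender, so the interface
    the packet arrived on is the usable lead for finding the host.
    """
    return dict(Counter(p["in_if"] for p in packets
                        if border_verdict(p) == "drop"))

# Constructed sample records; "in_if" is a hypothetical interface label.
SAMPLE = [
    {"direction": "out", "src": "192.0.2.15", "dst": "198.51.100.7", "in_if": "lan1"},
    {"direction": "out", "src": "203.0.113.99", "dst": "198.51.100.7", "in_if": "lan2"},
    {"direction": "out", "src": "203.0.113.45", "dst": "198.51.100.7", "in_if": "lan2"},
    {"direction": "out", "src": "2001:db8:10::5", "dst": "2001:db8:ffff::1", "in_if": "lan1"},
    {"direction": "in", "src": "192.0.2.200", "dst": "192.0.2.15", "in_if": "uplink"},
    {"direction": "in", "src": "198.51.100.7", "dst": "192.0.2.15", "in_if": "uplink"},
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p["direction"], p["src"], "->", p["dst"], border_verdict(p))
    print(dropped_by_interface(SAMPLE))
```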