Dailydave mailing list archives

Re: Interesting call for research...


From: Curt Wilson <curtw () siu edu>
Date: Mon, 02 May 2005 13:18:02 -0500

Dave Aitel wrote:

halvar () gmx de wrote:

http://cryptome.org/traceback.htm


I like to consider the list of things attackers can do a "To-Do" list. :>

"Research on collection should consider means and technologies to be
used in host devices in order to watermark or otherwise tag network
traffic (e.g., time perturbation, resetting protocol parameters)."
I've mostly been a lurker here for some time, but I find this topic interesting.

Given a web application attack, for instance, how about the possibility of injecting traffic back towards the attacking party (for instance, an HTTP redirect to force an authoritative DNS reply from a nameserver under the monitoring party's control) that forces an attacking host that's proxying protocols such as HTTP to use its own true net connection (non-proxied protocol/traffic type) to place an entry in a dedicated monitoring log? I'm not sure of the details of this idea, but I'd guess that if it did work from the defending side, it could be circumvented by tight control of outbound packets from the attacking host (all packets must go through the proxy or redirection point, else drop, even if the packets appear "stateful"). Even if such a technique worked from the defending side, how could one detect the use of VNC, remote access trojan, or remote desktop scenarios? I suppose from the defender's perspective, if it gets you closer to the true source, it's useful. From the attacker's perspective, there are so many interesting ways to hide.
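The redirect-to-a-watched-nameserver idea sketched above, as an added example that is not from the original post or the list: the canary zone trace.example.net, the log formats and the sample log lines are all constructed here, and the correlator flags requests whose DNS lookup arrived from an address other than the HTTP client.

```python
import re
import secrets

CANARY_ZONE = "trace.example.net"  # assumed: a zone whose authoritative nameserver logs every query

def canary_redirect(request_id, token=None):
    """Build a 302 whose Location is a one-time hostname tied to this request."""
    token = token or secrets.token_hex(4)
    host = f"{request_id}-{token}.{CANARY_ZONE}"
    response = (f"HTTP/1.1 302 Found\r\nLocation: http://{host}/\r\n"
                f"Content-Length: 0\r\n\r\n")
    return host, response

# Constructed log formats: the web app records the client IP and the canary it
# issued; the authoritative nameserver records query source and queried name.
WEB_RE = re.compile(r"^(?P<ip>[\d.]+) req=(?P<rid>\w+) canary=(?P<host>\S+)$")
DNS_RE = re.compile(r"^(?P<src>[\d.]+) query: (?P<qname>\S+) IN A$")

def correlate(web_lines, dns_lines):
    """Map each issued canary to its HTTP client IP and the DNS sources that resolved it."""
    issued = {}
    for line in web_lines:
        m = WEB_RE.match(line)
        if m:
            issued[m["host"].lower()] = {"http_client": m["ip"], "dns_sources": []}
    for line in dns_lines:
        m = DNS_RE.match(line)
        if m:
            qname = m["qname"].lower().rstrip(".")  # tolerate a trailing root dot
            if qname in issued:
                issued[qname]["dns_sources"].append(m["src"])
    return issued

def divergent(correlated):
    """Canaries resolved from an address other than the HTTP client: a proxy may sit in front."""
    return {h: r for h, r in correlated.items()
            if any(src != r["http_client"] for src in r["dns_sources"])}

# Constructed sample logs (not real traffic).
WEB_LOG = [
    "203.0.113.5 req=r1 canary=r1-deadbeef.trace.example.net",   # request arrived via a proxy
    "203.0.113.9 req=r2 canary=r2-cafebabe.trace.example.net",   # direct client
]
DNS_LOG = [
    "192.0.2.1 query: www.example.com IN A",                      # unrelated noise
    "198.51.100.77 query: r1-deadbeef.trace.example.net. IN A",   # resolver on the far side of the proxy
    "203.0.113.9 query: r2-cafebabe.trace.example.net IN A",
]

if __name__ == "__main__":
    for host, rec in divergent(correlate(WEB_LOG, DNS_LOG)).items():
        print(host, "HTTP from", rec["http_client"], "DNS from", rec["dns_sources"])
```

What the nameserver sees is the address of whichever recursive resolver the attacking host uses, so the result narrows the search to that resolver's network rather than pinpointing the host itself.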
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave