Full Disclosure mailing list archives
Re: ICMP Covert channels question
From: Valdis.Kletnieks () vt edu
Date: Wed, 02 Feb 2005 13:02:07 -0500
On Wed, 02 Feb 2005 18:12:50 +0100, Stian Øvrevåge said:
> Don't you think it's a little strange if packets with source address 88.88.88.88 were leaving your 10.0.0.0 network? Or packets from 10.0.0.33 were coming in on the WAN interface? Also, packet filtering is based on router configuration. More and more administrators are filtering packets with unexpected source and/or destination addresses (ingress and egress filtering).
The number of sites doing proper filtering may be growing, but it's certainly still low enough that the attack still has a fairly high chance of working. Also, there's another benefit to the attack - if the site isn't clued enough to do basic bogon filtering, it's even *more* likely to throw any investigation off in the wrong direction.

You're also missing another point - an inbound packet from 10/8 would certainly look fishy. But would you question a packet that came in from 64.236/16 or 64.12/16 or anywhere in akadns.net's address space? (cnn.com lives in the first, AOL's mail servers in the second, and google is an akadns beast...)
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
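The filtering the two posts argue about, as an added example that is not part of the thread: a minimal ingress/egress source-address check for a router sitting between a 10.0.0.0/8 LAN and the WAN. The interface labels, the bogon list and the sample packets are constructed; it shows that such filtering catches the 88.88.88.88 and 10.0.0.33 cases Stian raises, while a packet sourced from a plausible public range like 64.236/16 passes, which is exactly Valdis's point.

```python
import ipaddress
from dataclasses import dataclass

# Address space behind the router (the 10.0.0.0 network from the thread).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed bogon list: ranges that must never appear as the source of a
# packet arriving from the WAN (RFC 1918, loopback, "this" network).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


@dataclass
class Packet:
    iface: str  # constructed label: "lan" = received from LAN, "wan" = received from WAN
    src: str
    dst: str


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def check_packet(pkt):
    """Return 'pass' or a drop reason for one packet, based on source address only."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "lan":
        # Egress filtering: anything leaving the LAN must carry an internal source.
        if not _in_any(src, INTERNAL_NETS):
            return "drop-egress-spoof"
    elif pkt.iface == "wan":
        # Ingress filtering: internal or bogon sources cannot legitimately arrive from outside.
        if _in_any(src, INTERNAL_NETS) or _in_any(src, BOGON_NETS):
            return "drop-ingress-spoof"
    return "pass"


# Constructed sample traffic mirroring the cases discussed in the thread.
SAMPLES = [
    Packet("lan", "88.88.88.88", "203.0.113.5"),   # spoofed source leaving the LAN
    Packet("wan", "10.0.0.33", "10.0.0.7"),         # internal source arriving on the WAN
    Packet("wan", "64.236.1.2", "10.0.0.7"),        # plausible public source: filter cannot tell
    Packet("lan", "10.0.0.33", "203.0.113.5"),      # normal outbound traffic
]


def audit(packets=SAMPLES):
    return [(p.src, p.iface, check_packet(p)) for p in packets]


if __name__ == "__main__":
    for row in audit():
        print(row)
```

The third sample is the case address-based filtering cannot resolve; that detection has to come from elsewhere (ICMP payload inspection, rate and size anomalies, or correlation with expected traffic).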