Security Incidents mailing list archives

Re: I was scaned


From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Sun, 23 Jan 2000 22:29:52 -0500


On Sat, 22 Jan 2000, Robert Graham wrote:

> Your log does show something new, however. The attacker is putting the
> source port as 53 in order to penetrate firewalls. Many stateless firewalls
> allow any incoming UDP packet with a source port of 53 on the assumption
> that it is a DNS response, but hackers can exploit this to send any data
> through the firewall. We put this in the first version of our BlackICE
> intrusion detection system, but we haven't seen this trigger often. Maybe
> hackers are wising up to this technique.

sounds like someone's learned to use Firewalk. basically, by abusing a way
in (like 53/UDP) they can map your network. the paper is rather neat on
the subject:

        http://www.packetfactory.net/firewalk/

it's also explained rather well in "Hacking Exposed".

a good stateful firewall will see an inbound packet with no corresponding
outbound packet (and hence no stimulus) and drop it. that should thwart
most probes of this type, i believe.

jose nazario                                    jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
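
The difference between the two firewall behaviours discussed in this message, as an added example that is not part of the original post: a stateless "source port 53" rule and a stateful filter are run over the same trace. The addresses, ports, the 30-second timeout and all names in the code are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    outbound: bool  # True if the packet is leaving the protected network


def stateless_allow(pkt):
    """Weak rule: accept any inbound UDP packet whose source port is 53."""
    return pkt.outbound or pkt.sport == 53


class StatefulFilter:
    """Accept inbound UDP only as a reply to a recent outbound packet."""

    def __init__(self, timeout=30.0):  # timeout value is an assumption
        self.timeout = timeout
        self.flows = {}  # (inside ip, inside port, outside ip, outside port) -> expiry

    def allow(self, pkt, now):
        if pkt.outbound:
            # Remember the stimulus so the matching response can come back in.
            self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.timeout
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        expiry = self.flows.get(key)
        if expiry is None or now > expiry:
            self.flows.pop(key, None)  # no stimulus, or state expired: drop
            return False
        return True


def compare(trace):
    """Return (time, stateless verdict, stateful verdict) for each packet."""
    fw = StatefulFilter()
    return [(t, stateless_allow(p), fw.allow(p, t)) for t, p in trace]


# Constructed trace using documentation addresses, not taken from the original log.
TRACE = [
    (0.0, Packet("192.0.2.10", 40000, "198.51.100.53", 53, True)),    # DNS query out
    (0.1, Packet("198.51.100.53", 53, "192.0.2.10", 40000, False)),   # matching reply
    (5.0, Packet("203.0.113.7", 53, "192.0.2.10", 33434, False)),     # unsolicited, sport 53
    (60.0, Packet("198.51.100.53", 53, "192.0.2.10", 40000, False)),  # reply after timeout
]
```

Inbound packets that the stateless rule accepts and the stateful filter drops are the ones worth logging and alerting on.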

