Security Incidents mailing list archives

Re: Hiding IP addresses in trace data

From: Jose Nazario <jose () monkey org>
Date: Mon, 21 Oct 2002 19:13:45 -0400 (EDT)

On Mon, 21 Oct 2002, John Kristoff wrote:

Too often it seems that people are attempting to hide their IP address
by masking the obvious dotted decimal notated number in various trace
data.


well said, john. this is actually a very difficult situation on many
fronts, one of them being the discussion of security issues in an open
forum. at usenix security 2002, someone working with vern paxson discussed
some efforts they are making to develop software and infrastructure which
allows for the scrubbing of the true address but the preservation of
unique identifiers within the set of traces and flows.

note that the scrubbing of identifiable data goes well beyond headers (in
both decimal and hex, when appropriate) and into the payload. a lot of
useful information stays in the payload. hence, this is a very tough
problem.

one set of tools available to do this is catalogged at:

        http://ita.ee.lbl.gov/html/software.html

have a look, and keep safe/private/confidential.

___________________________
jose nazario, ph.d.                     jose () monkey org
                                        http://www.monkey.org/~jose/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

a different, stranger port 137 activity Wisniewski, Michael (Oct 18)
- Re: a different, stranger port 137 activity H C (Oct 20)
- Hiding IP addresses in trace data John Kristoff (Oct 21)
  - Re: Hiding IP addresses in trace data Jose Nazario (Oct 21)
    - Re: Hiding IP addresses in trace data Russell Fulton (Oct 21)
- <Possible follow-ups>
- Re: a different, stranger port 137 activity daniele.muscetta (Oct 24)