Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Fwd: Re: spoofing 255.255.255.255 techniques

From: "MIKE DONOFRIO" <MIKE.DONOFRIO () desertschools org>
Date: Fri, 06 Jul 2001 09:33:23 -0700
Just FYI

   Using ACL's does limit the information you get to the Syslog server compared to what you would get using Conduits.  
Cisco was supposed to be working on a fix for it.  On Revisions of code before 5.3.1 you would just get Protocol XX (ie 
6,17,1) and no port..  At least after 5.3.1 you get TCP,UDP...  I have contacted Cisco several times on this issue and 
I get the "Next Release" responce :)  Anyone know if this is fixed in 6.0?

Regards,
Mike D'Onofrio



Our PIX does not indicate source or destination ports 
perhaps because the "IP spoof" criteria was already 
triggered in its logic chain, denying the packet and 
making a syslog entry.


It's been my experience that the PIX will not provide port information if
the packet is blocked by an ACL.  However, it *will* provide port
information if the packet is blocked because there is no "conduit"
allowing the traffic.

I'm not sure if the spoof detection mechanism supercedes this.

Hope this helps.

-Blake


--------------------------------------------------------------------------------------

This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
For more information on SecurityFocus' SIA service which automatically alerts you to 
the latest security vulnerabilities please see:

https://alerts.securityfocus.com/ 


--------------------------------------------------------------------------------------

This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
For more information on SecurityFocus' SIA service which automatically alerts you to
the latest security vulnerabilities please see:

https://alerts.securityfocus.com/
Previous By Date Next
Previous By Thread Next

Current thread: