Penetration Testing mailing list archives

RE: Re: spoofing 255.255.255.255 techniques

From: "Erik Nodland" <erik.nodland () tns co uk>
Date: Tue, 10 Jul 2001 19:27:12 +0100

Version 6.0 of the PIX software will give you port information when blocked
by ACL's. I have used this image a number of times and have no problems with
it. Getting information on what ports were being blocked on an ACL's was a
god send in certain ISP environments I was installing and in most cases was
expected/taken for granted by the customer!!

regards,

Erik


-----Original Message-----
From: MIKE.DONOFRIO () desertschools org
[mailto:MIKE.DONOFRIO () desertschools org]
Sent: 06 July 2001 21:14
To: erik.nodland () tns co uk
Subject: Fwd: Re: spoofing 255.255.255.255 techniques


Just FYI

   Using ACL's does limit the information you get to the Syslog server
compared to what you would get using Conduits.  Cisco was supposed to be
working on a fix for it.  On Revisions of code before 5.3.1 you would just
get Protocol XX (ie 6,17,1) and no port..  At least after 5.3.1 you get
TCP,UDP...  I have contacted Cisco several times on this issue and I get the
"Next Release" responce :)  Anyone know if this is fixed in 6.0?

Regards,
Mike D'Onofrio

Our PIX does not indicate source or destination ports
perhaps because the "IP spoof" criteria was already
triggered in its logic chain, denying the packet and
making a syslog entry.


It's been my experience that the PIX will not provide port information if
the packet is blocked by an ACL.  However, it *will* provide port
information if the packet is blocked because there is no "conduit"
allowing the traffic.

I'm not sure if the spoof detection mechanism supercedes this.

Hope this helps.

-Blake


----------------------------------------------------------------------------
----------

This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service
For more information on SecurityFocus' SIA service which automatically
alerts you to
the latest security vulnerabilities please see:

https://alerts.securityfocus.com/


----------------------------------------------------------------------------
----------

This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service
For more information on SecurityFocus' SIA service which automatically
alerts you to
the latest security vulnerabilities please see:

https://alerts.securityfocus.com/


To: pen-test () securityfocus com


This e-mail is confidential and may be privileged.
It may be read, copied and used only by the intended recipient.
If you have received it in error, please contact the sender
immediately by return e-mail or by telephoning +44 (0)1691 663000.
Please then delete the e-mail and do not disclose its contents to
any person. We believe, but do not warrant, that this e-mail and
any attachments are virus free. You should take full responsibility
for virus checking. Total Network Solutions Ltd reserve the right
to monitor all e-mail communications through their internal and
external networks.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

spoofing 255.255.255.255 techniques Curt Wilson (Jul 05)
- Re: spoofing 255.255.255.255 techniques Blake Frantz (Jul 06)
- <Possible follow-ups>
- Fwd: Re: spoofing 255.255.255.255 techniques MIKE DONOFRIO (Jul 06)
  - Re: Fwd: Re: spoofing 255.255.255.255 techniques Jason Ackley (Jul 07)
- RE: Re: spoofing 255.255.255.255 techniques Erik Nodland (Jul 11)
  - Re: Re: spoofing 255.255.255.255 techniques Ron Russell (Jul 12)