[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sheflug] Re: Security : Port scanning

To: shef-lug [at] xxxxxxxxxxxxxxxxxxx
Subject: Re: [Sheflug] Re: Security : Port scanning
From: "Chris J" <cej [at] xxxxxxxxxxxxxxxx>
Date: Thu, 8 May 2003 12:20:30 +0100 (BST)
Delivered-to: shef-lug [at] list.sheflug.org.uk
Importance: Normal
List-help: <mailto:shef-lug-request [at] list.sheflug.org.uk?subject=help>
List-id: Sheflug <shef-lug.list.sheflug.org.uk>
List-post: <mailto:shef-lug [at] list.sheflug.org.uk>
List-subscribe: <http://community.uklinux.net/mailman/listinfo/shef-lug>,<mailto:shef-lug-request [at] list.sheflug.org.uk?subject=subscribe>
List-unsubscribe: <http://community.uklinux.net/mailman/listinfo/shef-lug>,<mailto:shef-lug-request [at] list.sheflug.org.uk?subject=unsubscribe>
Reply-to: shef-lug [at] xxxxxxxxxxxxxxxxxxx
Sender: shef-lug-admin [at] xxxxxxxxxxxxxxxxxxx
User-agent: SquirrelMail/1.4.0

And Lo! Tthe Great Prophet " M" uttered these words of wisdom...
> Richard Ibbotson <richard [at] sheflug.co.uk> wrote:
>
>>
>> Lot of scanning going on from spoofed and falsified addresses.
>
> Spoofing an adress for port scanning isn't likely to be of much
> use as you can't see the results coming back or am I missing something?

Well, it is possible to put source routing in an IP header, so a spoofed
packet can get back if there's a route it can follow. I don't know how
many routers drop source routed packets these days -- certainly border
gateways and bastions /should/ drop source routed packets, as their origin
is unknown and could be hostile.

But inside a trusted network, there may be occasions when source routing
is beneficial or needed (no I can't think of any examples, but the option
is there).

Spoofing inside a trusted network though can work ... especially if you're
targeting machines on the same subnet. You can send stuff out from
1.2.3.4, open the interface as promiscuous and look at rejects heading
back to 1.2.3.4. A bot that does this, controlled by an external host,
could be untracable.

Spoofing is much better for DOS and DDOS attacks. You don't care about the
return packets, and if anything spoofing an IP address can help the DOS as
the target's machine, or the immediate downstream router may end up
generating ICMP packets saying "host/protocol/route unrechable", giving
the attacker 2 network packets for the price of 1.

Chris...

-- 
\ Chris Johnson                 \
 \ cej [at] nightwolf.org.uk          \
  \ http://cej.nightwolf.org.uk/  ~-----------------------------------+
   \ Redclaw chat - http://redclaw.org.uk - telnet redclaw.org.uk 2000 \____

___________________________________________________________________

Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html

  GNU the choice of a complete generation.

Follow-Ups:
- Re: [Sheflug] Re: Security : Port scanning
  - From: M

References:
- RE: [Sheflug] Re: Security : Port scanning
  - From: Morris, David (Allvac, UK)
- Re: [Sheflug] Re: Security : Port scanning
  - From: M

Prev by Date: [Sheflug] Re: Security : Port scanning
Next by Date: [Sheflug] Advanced printer driver settings
Previous by thread: [Sheflug] Re: Security : Port scanning
Next by thread: Re: [Sheflug] Re: Security : Port scanning
Index(es):
- Date
- Thread