From: Curt Wilson (netw3netw3.com)
Date: Thu Jul 05 2001 - 17:17:04 CDT



    Our PIX has detected an IP spoof from
    255.255.255.255 to one of our servers. Research
    here on securityfocus reveals that some attackers
    have used this technique with a destination port 515
    (LPR) and source 31337 (eleet) in scanning
    attempts. You can read about this on the firewalls
    list at
    http://www.securityfocus.com/archive/19/187958

    Our PIX does not indicate source or destination ports
    perhaps because the "IP spoof" criteria was already
    triggered in its logic chain, denying the packet and
    making a syslog entry.

    We don't have an IDS outside the firewall so I don't
    have any more packet details which makes it very
    hard to do proper analysis.

    The only other references I've seen to something of
    this nature can be found in Dragos Ruiu's
    paper "Cautionary Tales: Stealth Coordinated Attack
    HOWTO" at
    http://www.dursec.com/articles/stealthhowto.html
    which, when talking about DSLAM infrastructure issues,
    states: "In easy cases, the equipment rack will
    bridge broadcast traffic between the "marshmallow"
    and the target, allowing use of address resolution
    traffic such as ARP and DHCP to be used for system
    attacks and control. For stealth, these kinds of attack
    bases are excellent too, because the broadcast
    traffic is largely repetitive, very voluminous, and
    mostly uninteresting, which, combined with a great
    immaturity among the security tools for this kind of
    traffic, make it a ripe vulnerability area"

    This quote is of interest because the server in
    question uses DSL.

    Another reference to traffic of this nature can be
    found in the excellent paper "A stateful inspection of
    Firewall-1" by Dug Song, Thomas Lopatic and John
    McDonald at
    http://www.dataprotect.com/bh2000/blackhat-fw1.html
    which states "Another possibility for evading
    IP spoofing protection is to use the all-hosts multicast
    address (224.0.0.1) as a mechanism for delivering
    packets to the underlying operating system of the
    firewall. For our demonstration, we used FWZ
    encapsulation to spoof a packet from the multicast
    address to our attack host, allowing us to respond
    with a packet sent to the multicast address, passed
    on to the firewall itself. This attack can also be
    performed with broadcast addresses."

    I realize that both of these references don't refer
    directly to such a packet but I am curious about these
    techniques.

    Thank you,
    Curt Wilson
    Netw3
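Added example (not part of the original post): a small Python triage script for the situation Curt describes, where the only evidence is a firewall "IP spoof" syslog line with no port numbers. It classifies the logged source address by why it can never be a legitimate source (limited broadcast 255.255.255.255, a multicast address such as the all-hosts 224.0.0.1 from the Firewall-1 paper, the directed broadcast of a protected subnet, an internal or RFC 1918 address arriving on the outside interface), so an analyst can tell a forged-source probe apart from a routing or anti-spoofing misconfiguration before asking for packet captures. The log lines are constructed and only approximate the wording of the PIX spoof-deny message; LOCAL_NETS is a made-up value standing in for the protected network, since the post gives no addressing.

```python
import ipaddress
import re
from typing import Optional

# Networks this firewall protects (constructed value for the example; the post does
# not give the real addressing). A source inside these ranges arriving on the
# external interface, or equal to their broadcast address, cannot be genuine.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# RFC 1918 ranges listed explicitly so the result does not depend on how a given
# Python version classifies documentation ranges in is_private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed sample lines in the general style of the PIX "Deny IP spoof" syslog
# message; real wording may differ. As the post notes, these carry no port numbers.
SAMPLE_LOGS = [
    "%PIX-2-106016: Deny IP spoof from (255.255.255.255) to 192.0.2.10 on interface outside",
    "%PIX-2-106016: Deny IP spoof from (224.0.0.1) to 192.0.2.10 on interface outside",
    "%PIX-2-106016: Deny IP spoof from (192.0.2.255) to 192.0.2.10 on interface outside",
    "%PIX-2-106016: Deny IP spoof from (10.0.0.5) to 192.0.2.10 on interface outside",
    "%PIX-2-106016: Deny IP spoof from (198.51.100.7) to 192.0.2.10 on interface outside",
    "some other syslog message that is not a spoof deny and is ignored",
]

SPOOF_RE = re.compile(
    r"Deny IP spoof from \((?P<src>\d{1,3}(?:\.\d{1,3}){3})\) "
    r"to (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) on interface (?P<iface>\S+)"
)


def classify_source(src: str, local_nets) -> str:
    """Explain why a source address can never legitimately originate a packet,
    or return 'routable-unicast' when it could and needs routing/RPF checks instead."""
    ip = ipaddress.ip_address(src)
    if ip == LIMITED_BROADCAST:
        return "limited-broadcast"      # 255.255.255.255 is only ever a destination
    if ip.is_multicast:
        return "multicast"              # 224.0.0.0/4, e.g. the all-hosts address 224.0.0.1
    if ip.is_unspecified:
        return "unspecified"            # 0.0.0.0
    if ip.is_loopback:
        return "loopback"               # 127.0.0.0/8
    for net in local_nets:
        if ip == net.broadcast_address:
            return "directed-broadcast"  # broadcast of a protected subnet
        if ip in net:
            return "internal-address-on-external-interface"
    if any(ip in net for net in RFC1918):
        return "rfc1918"                # should never arrive from the Internet
    return "routable-unicast"


def parse_spoof_line(line: str) -> Optional[dict]:
    """Return src/dst/iface from a spoof-deny line, or None for any other message."""
    m = SPOOF_RE.search(line)
    return m.groupdict() if m else None


def triage(lines, local_nets=LOCAL_NETS):
    """Parse every spoof-deny line and attach a reason code describing the source."""
    results = []
    for line in lines:
        rec = parse_spoof_line(line)
        if rec is None:
            continue
        rec["reason"] = classify_source(rec["src"], local_nets)
        results.append(rec)
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOGS):
        print(f'{r["src"]:>16} -> {r["dst"]} ({r["iface"]}): {r["reason"]}')
```

A "limited-broadcast" or "multicast" result is a forged source by definition, which is the case in the post; "routable-unicast" means the firewall's anti-spoofing logic fired for a routing reason and the address itself proves nothing. Once a sensor outside the firewall supplies ports, the pattern reported on the firewalls list (source 31337 to destination 515) can be matched as a further signature on top of this address check.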
