Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: Deny IP spoof from 255.255.255.255
From: "Crist Clark" <crist.clark () globalstar com>
Date: Fri, 06 Jul 2001 13:49:06 -0700
Vitaly Osipov wrote:


this is a sample of your packet:

#(1 - 29543) [2001-06-19 01:34:54] [arachNIDS/203]  BACKDOOR Q access
IPv4: 255.255.255.255 -> x.x.x.x
      hlen=5 TOS=0 dlen=43 ID=0 flags=0 offset=0 TTL=13 chksum=45614
TCP:  port=31337 -> dport: 515  flags=***A*R** seq=0
      ack=0 off=5 res=0 win=0 urp=0 chksum=25942
Payload:  length = 3

000 : 63 6B 6F                                          cko


Yeah, those are the RST ones. They crack me up even more than the
more common SYN ones. In order for the RST ones to do anything, 
the victim must not only respond to a packet with the broadcast
address as the source, but it would have to respond to a RST which
any sane TCP implementation will never, ever, ever do.

I see a lot more of the SYN ones. They look like,

  17:22:40.938837 255.255.255.255.31337 > AAA.BBB.CC4.192.515: S 100:100(0) win 512 (ttl 242, id 62128)
  03:16:51.069740 255.255.255.255.31337 > AAA.BBB.CC5.161.515: S 100:100(0) win 512 (ttl 242, id 62128)

Note the TCP sequence number and IP ID. They are always the same. (These 
two just happen to have the same TTL, but I get a distribution).
-- 
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.  If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.  If you have received this
e-mail in error, please contact postmaster () globalstar com


----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]