Security Incidents mailing list archives

RE: Odd scans and stuff bouncing off firewalls
From: woods () weird com (Greg A. Woods)
Date: Tue, 13 Aug 2002 15:01:36 -0400 (EDT)

[ On Tuesday, August 13, 2002 at 09:57:33 (-0700), Steve Vawter wrote: ]
> Subject: RE: Odd scans and stuff bouncing off firewalls
>
> Another reason (other than using the numbers for cash) that I can see is
> that they might better help decipher where an attack that made it
> through the filters came from. If you only have the few packets that
> made it through to use to backtrack to an attacker, it may be harder to
> find them.
>
> But, of course, without the right data filters, finding the pattern in
> the chaos is near impossible sometimes...

The "normal chaos" is only part of the problem.  A well executed attack
may very well re/mis-direct your response to exactly the wrong source,
giving the real attacker even more time to disappear into the wires....

Unless the suspected source happens to have logged the very same traffic
(or the attacker is just asking to get caught) then it's still in this
day and age impossible to use source addresses and other such indicators
as any even remotely reliable means of identifying the source of any real
attack.

-- 
                                                                Greg A. Woods

+1 416 218-0098;            <g.a.woods () ieee org>;           <woods () robohack ca>
Planix, Inc. <woods () planix com>; VE3TCP; Secrets of the Weird <woods () weird com>
