Security Incidents: spoofed packets to RFC 1918 addresses

[Dirk Koopman <djk () tobit co uk>]

There seems to be a "tool" about, which is somehow able to
detect valid rfc1918 addresses behind a NATed firewall and is spoofing
from addresses using random (usually non-existant) addresses from the
class C on the internet side of that firewall.

It isn't doing them any good as the packets are being dumped before they
get to the 'visible' class C (as I am making sure that packets from that
class C emanate only from the interface attached to that class C). 

However, I am interested to know:

a) how the attackers are able to "guess" correct (ie existing) rfc1918
addresses as, AFAIK, these are not being leaked thru the firewall.  

b) how these packets are getting to me in the first place as they don't
seem to be source routed. 

c) which "tool" is doing this anyway.

Regards

Dirk Koopman
-- 
Please Note: Some Quantum Physics Theories Suggest That When the 
Consumer Is Not Directly Observing This Product, It May Cease to 
Exist or Will Exist Only in a Vague and Undetermined State.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com