Full Disclosure: Re: ICMP Covert channels question

Re: ICMP Covert channels question

From: <Valdis.Kletnieks_at_vt.edu>
Date: Wed, 02 Feb 2005 13:02:07 -0500

On Wed, 02 Feb 2005 18:12:50 +0100, Stian Øvrevåge said:

> Don't you think it's a little strange if packets with source address
> 88.88.88.88 were leaving your 10.0.0.0 network? Or packets from
> 10.0.0.33 were coming in on the WAN interface?
>
> Also, packet filtering is based on router configuration. More and more
> administrators are filtering packets with unexpected source and/or
> destination addresses ( ingress and egress filtering ).

The number of sites doing proper filtering may be growing, but it's certainly
still low enough that the attack still has a fairly high chance of working.

Also, there's another benefit to the attack - if the site isn't clued enough
to do basic bogon filtering, it's even *more* likely to throw any investigation
off in the wrong direction.

You're also missing another point - an inbound packet from 10/8 would certainly
look fishy. But would you question a packet that came in from 64.236/16
or 64.12/16 or anywhere in akadns.net's address space? (cnn.com lives in the
first, AOL's mail servers in the second, and google is an akadns beast...)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Received on Feb 02 2005
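The three checks the two posters are arguing about (ingress filtering of internal prefixes arriving on the WAN side, egress filtering of foreign sources leaving the site, and bogon filtering), as an added example that is not part of the original thread: a small classifier run over a few constructed iptables-style log lines. The interface name `wan`, the internal prefix `10.0.0.0/8`, the static bogon list and the log lines are all assumptions made for the example. The last two sample lines illustrate the reply's point: a spoofed source drawn from a legitimately routed block such as the 64.236/16 the post mentions passes every one of these filters.

```python
"""Ingress / egress / bogon source-address checks over iptables-style LOG lines.

Added example, not code from the original thread. Assumes the site owns
10.0.0.0/8 and that its Internet-facing interface is called "wan".
"""
import ipaddress
import re

# Assumption: the site's own address space and the name of its WAN interface.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WAN_IFACE = "wan"

# Constructed, static bogon subset (RFC 1918 and other ranges that should never be a
# source on the public Internet). A real deployment would pull a maintained list,
# since unallocated space changes over time.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]

# iptables LOG lines are "KEY=VALUE" pairs; an empty value (e.g. "OUT=") is legal.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Turn 'IN=wan OUT= SRC=... DST=... PROTO=ICMP TYPE=8' into a dict of fields."""
    return dict(FIELD_RE.findall(line))


def in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in n for n in nets)


def classify(fields):
    """Return a verdict for one parsed packet record.

    'drop:ingress-internal'  our own prefix arriving on the WAN interface
    'drop:ingress-bogon'     bogon source arriving on the WAN interface
    'drop:egress-spoof'      packet leaving via WAN with a source we do not own
    'pass'                   nothing these filters can object to
    """
    src = ipaddress.ip_address(fields["SRC"])
    if fields.get("IN") == WAN_IFACE:
        # Ingress: internal prefix is checked first because 10/8 is also a bogon.
        if in_any(src, INTERNAL_NETS):
            return "drop:ingress-internal"
        if in_any(src, BOGONS):
            return "drop:ingress-bogon"
    if fields.get("OUT") == WAN_IFACE and not in_any(src, INTERNAL_NETS):
        # Egress: only sources we own may leave through the WAN interface.
        return "drop:egress-spoof"
    return "pass"


def run(lines):
    """Classify every log line; returns a list of (src, dst, verdict) tuples."""
    results = []
    for line in lines:
        f = parse_log_line(line)
        results.append((f["SRC"], f["DST"], classify(f)))
    return results


# Constructed sample log: the thread's two cases, a bogon, and two packets that pass.
SAMPLE_LOG = [
    "IN=wan OUT= SRC=10.0.0.33 DST=10.0.0.5 PROTO=ICMP TYPE=8",         # inside addr on WAN
    "IN= OUT=wan SRC=88.88.88.88 DST=198.51.100.7 PROTO=ICMP TYPE=8",   # foreign src leaving
    "IN=wan OUT= SRC=192.168.1.9 DST=10.0.0.5 PROTO=ICMP TYPE=8",       # RFC 1918 bogon
    "IN=wan OUT= SRC=64.236.0.1 DST=10.0.0.5 PROTO=ICMP TYPE=0",        # spoofed but routable
    "IN= OUT=wan SRC=10.0.0.5 DST=198.51.100.7 PROTO=ICMP TYPE=8",      # legitimate egress
]

if __name__ == "__main__":
    for src, dst, verdict in run(SAMPLE_LOG):
        print(f"{src:>15} -> {dst:<15} {verdict}")
```

The fourth line is the one that matters for the argument in the reply: `64.236.0.1` is neither internal nor a bogon and arrives on the expected interface, so source-address filtering alone gives no signal; catching that requires looking at the ICMP payload or traffic pattern rather than the header.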