Re: TCP-ACK vulnerability (was RE: SSH on the router)

["Stephen J. Wilcox" <steve () telecomplete co uk>]

On Thu, 10 Jun 2004, Sean Donelan wrote:

> On Wed, 9 Jun 2004, Alexei Roudnev wrote:
> > This is minor exploit - usually you set up VLAN1 interface with IP addres,
> > which is filterd out from outside. Moreover, there is not any good way to
> > find switch IP - it is transparent for user's devices.
>
> Yeah, port scanners are so rare on the Internet they'll never find your
> IP address.  Its not as if the switches have an easy to detect banner
> signature, and everyone uses out-of-band management for all their network
> equipment.

I demonstrated the other approach recently.. we all tend to reserve IP space in
blocks for internal and management use, providing you can find out the block
that a particualr ISP is using (eg from traceroute), you can rDNS to find lots
of interesting and nicely labelled devices that dont show up in traceroutes.. 
such as loopbacks, switches, other stuff..

Sprint did an interesting presentation at San Francisco, they have successfully 
taken p2p addresses out of their IGP and BGP, and are using private addresses 
for loopbacks and other things that dont need to be in public space and are 
filtering as much as possible.

Steve