Open Source and information security mailing list archives
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: ICMP Covert channels question 

On Wed, 02 Feb 2005 18:12:50 +0100, Stian Øvrevåge said:

> Don't you think it's a little strange if packets with source address
> 88.88.88.88 were leaving your 10.0.0.0 network? Or packets from
> 10.0.0.33 were coming in on the WAN interface?
> 
> Also, packet filtering is based on router configuration. More and more
> administrators are filtering packets with unexpected source and/or
> destination addresses (ingress and egress filtering).

The number of sites doing proper filtering may be growing, but it's certainly
still low enough that the attack still has a fairly high chance of working.

Also, there's another benefit to the attack - if the site isn't clued enough
to do basic bogon filtering, it's even *more* likely to throw any investigation
off in the wrong direction.

You're also missing another point - an inbound packet from 10/8 would certainly
look fishy.  But would you question a packet that came in from 64.236/16
or 64.12/16 or anywhere in akadns.net's address space?  (cnn.com lives in the
first, AOL's mail servers in the second, and google is an akadns beast...)
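
Added example, not part of the original message: a sketch of the border filtering discussed in this thread, showing which spoofed sources ingress, egress and bogon checks reject and which one they cannot. The `check` function, the short special-use list and the sample packets are assumptions constructed for illustration; the internal prefix is the 10.0.0.0/8 network from the quoted text.

```python
import ipaddress

# Assumption: the site uses 10.0.0.0/8 internally, as in the quoted text,
# and the check runs at the border before any NAT.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Short illustrative list of special-use ranges, not a complete bogon list.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def check(direction, src):
    """Verdict for a packet at the border: 'out' leaves via WAN, 'in' arrives on WAN."""
    addr = ipaddress.ip_address(src)
    if direction == "out":
        if addr in INTERNAL:
            return "pass", "egress: source is ours"
        return "drop", "egress: source is not ours (spoofed or misrouted)"
    if direction == "in":
        if addr in INTERNAL:
            return "drop", "ingress: our own prefix arriving from outside"
        if any(addr in net for net in BOGONS):
            return "drop", "ingress: bogon source"
        # Routable and plausible: a source-address filter has no basis to reject it.
        return "pass", "ingress: routable source, authenticity not verifiable here"
    raise ValueError(f"unknown direction: {direction!r}")

# Constructed sample packets. The 64.x addresses are arbitrary picks inside the
# prefixes named in the message, not real hosts.
SAMPLES = [
    ("out", "88.88.88.88"),
    ("in", "10.0.0.33"),
    ("in", "192.168.1.5"),
    ("in", "64.236.0.1"),
    ("in", "64.12.0.1"),
    ("out", "10.0.0.33"),
]

def run():
    return [(d, s, *check(d, s)) for d, s in SAMPLES]

if __name__ == "__main__":
    for direction, src, verdict, reason in run():
        print(f"{direction:3} {src:15} {verdict:4} {reason}")
```

The two inbound 64.x packets pass every check, so catching a forged source in such a range takes evidence beyond the source address itself.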
