From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: ICMP Covert channels question
On Wed, 02 Feb 2005 18:12:50 +0100, Stian Øvrevåge said:
> Don't you think it's a little strange if packets with source address
> 88.88.88.88 were leaving your 10.0.0.0 network? Or packets from
> 10.0.0.33 were coming in on the WAN interface?
>
> Also, packet filtering is based on router configuration. More and more
> administrators are filtering packets with unexpected source and/or
> destination addresses (ingress and egress filtering).
The number of sites doing proper filtering may be growing, but it's certainly
still low enough that the attack still has a fairly high chance of working.
Also, there's another benefit to the attack - if the site isn't clued enough
to do basic bogon filtering, it's even *more* likely to throw any investigation
off in the wrong direction.
You're also missing another point - an inbound packet from 10/8 would certainly
look fishy. But would you question a packet that came in from 64.236/16
or 64.12/16 or anywhere in akadns.net's address space? (cnn.com lives in the
first, AOL's mail servers in the second, and google is an akadns beast...)
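The ingress/egress check the thread is arguing about, as an added example that is not part of the original message: a small classifier over constructed sample packets. The internal prefix (10.0.0.0/8), the bogon list and the sample addresses are assumptions chosen to match the thread; the last sample shows the point made above, that a spoofed source from ordinary public space passes a filter that only rejects bogons and your own prefix.

```python
from ipaddress import ip_address, ip_network

# Constructed example values: the site's own internal prefix and the
# ranges that should never appear as a source arriving on the WAN side
# (RFC 1918 space plus the loopback and "this network" ranges).
INTERNAL_NET = ip_network("10.0.0.0/8")
BOGON_NETS = [
    ip_network("0.0.0.0/8"),
    ip_network("10.0.0.0/8"),
    ip_network("127.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

def check_packet(iface: str, src: str, dst: str) -> str:
    """Return 'pass' or the reason the packet fails ingress/egress filtering.
    iface is 'wan' for packets arriving from outside, 'lan' for packets
    arriving from inside (i.e. about to leave through the WAN)."""
    s, d = ip_address(src), ip_address(dst)
    if iface == "wan":
        # Ingress: nothing from outside may claim to be us or come from bogon space.
        if s in INTERNAL_NET:
            return "ingress: spoofed internal source"
        if any(s in n for n in BOGON_NETS):
            return "ingress: bogon source"
        if d not in INTERNAL_NET:
            return "ingress: destination not ours (transit attempt)"
        return "pass"
    if iface == "lan":
        # Egress: only our own prefix may leave the network as a source.
        if s not in INTERNAL_NET:
            return "egress: source not in our prefix (spoofed)"
        return "pass"
    return "unknown interface"

# Constructed sample packets (iface, src, dst); not captured traffic.
SAMPLES = [
    ("lan", "88.88.88.88", "203.0.113.7"),  # spoofed source leaving 10/8
    ("wan", "10.0.0.33", "10.0.0.1"),       # internal source arriving on WAN
    ("lan", "10.0.0.33", "203.0.113.7"),    # legitimate outbound
    ("wan", "192.0.2.9", "10.0.0.1"),       # plain public source: not caught
]

def audit(samples=SAMPLES):
    return [(iface, src, check_packet(iface, src, dst)) for iface, src, dst in samples]

if __name__ == "__main__":
    for iface, src, verdict in audit():
        print(f"{iface:3} {src:15} {verdict}")
```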