Message-ID: <1091551732.525.158.camel@localhost>
From: frank at knobbe.us (Frank Knobbe)
Subject: FW: Question for DNS pros

On Tue, 2004-08-03 at 10:21, Paul Schmehl wrote:
> That's interesting.  The address being targeted here was *also* a firewall 
> PAT address.  I'm starting to wonder if this is some sort of a recon tool 
> to get past firewalls.  That would explain why they're using port 53 
> (normally open) and udp (stateless).  If they get any kind of response at 
> all, they've identified a live host.

I'm not sure it qualifies as recon, as it only hits the firewall
address, no other address. It seems to know the exact address. It
appears to be triggered by something that originates from our networks,
but I wasn't able to capture anything. It may be as old as a bounce
email a month ago, or access to a web site a month ago. The dump
supplied was filtered on that one address over most of the night. As you
can see there are no packets going to that address and provoking this
traffic as a response. Considering the thing on my end started last
week, it seems plausible that the trigger occurred around that time, or
even earlier (as there were one or two probes over a month ago).

Also worth noting is that this is on a single address within the main
two class C's. This client also has other networks connected to the
Internet which carry local traffic, and these do not receive these
probes. The vast majority (of this large shop) goes through the
redundant class C's. So the trigger appears to be rather rare and not
widespread. Also noteworthy is the fact that this client is pretty
clean when it comes to viruses, so I'm ruling that out as a trigger as
well. But something had to have happened as it is so targeted....
hopefully through correlation we can shed some light on this. 

Later,
Frank
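The check Frank describes above, a capture filtered on the one address to see whether anything outbound precedes and provokes each inbound UDP/53 packet, as an added example that is not part of the original thread. The packet records are constructed for illustration (addresses from documentation ranges, a hypothetical PAT address of 203.0.113.10 and a hypothetical probing host 198.51.100.77); nothing here is taken from the poster's capture.

```python
"""Correlate inbound UDP/53 packets against prior outbound traffic.

Added example, not code from the original Full-Disclosure thread. All
addresses and timestamps below are constructed (hypothetical) sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since epoch
    src: str
    sport: int
    dst: str
    dport: int
    proto: str     # "udp" or "tcp"


# Constructed sample capture, already filtered on the PAT address
# (hypothetical), the way the thread describes the overnight dump.
PAT_ADDR = "203.0.113.10"
SAMPLE = [
    # A normal outbound DNS query from the PAT address and its reply.
    Packet(1000.0, "203.0.113.10", 40123, "192.0.2.53", 53, "udp"),
    Packet(1000.1, "192.0.2.53", 53, "203.0.113.10", 40123, "udp"),
    # Probes to UDP/53 on the PAT address with no preceding outbound packet
    # to the probing host; source port 53 makes them look like DNS replies
    # to a stateless filter.
    Packet(1500.0, "198.51.100.77", 53, "203.0.113.10", 53, "udp"),
    Packet(2100.0, "198.51.100.77", 53, "203.0.113.10", 53, "udp"),
    Packet(2100.5, "198.51.100.77", 1234, "203.0.113.10", 53, "udp"),
]


def classify_inbound(packets, local_addr, window=120.0):
    """Label each inbound UDP packet to local_addr as 'solicited' if an
    outbound UDP packet from local_addr to the same remote address was seen
    within `window` seconds before it, else 'unsolicited'.

    Matching is deliberately loose (remote address only, not ports), so a
    packet labelled 'unsolicited' really had nothing from us going its way.
    Returns a list of (packet, label) tuples in time order.
    """
    ordered = sorted(packets, key=lambda p: p.ts)
    last_outbound = {}   # remote address -> timestamp of latest outbound packet
    result = []
    for p in ordered:
        if p.proto != "udp":
            continue
        if p.src == local_addr:
            last_outbound[p.dst] = p.ts
        elif p.dst == local_addr:
            t = last_outbound.get(p.src)
            label = "solicited" if t is not None and p.ts - t <= window else "unsolicited"
            result.append((p, label))
    return result


def probe_sources(packets, local_addr, window=120.0):
    """Summarise unsolicited inbound packets per remote source: how many,
    which destination ports were hit and which source ports were used.
    A single source hitting only UDP/53 on one address is the targeted
    pattern the thread is trying to explain.
    """
    summary = defaultdict(lambda: {"count": 0, "dports": set(), "sports": set()})
    for p, label in classify_inbound(packets, local_addr, window):
        if label == "unsolicited":
            entry = summary[p.src]
            entry["count"] += 1
            entry["dports"].add(p.dport)
            entry["sports"].add(p.sport)
    return dict(summary)


if __name__ == "__main__":
    for p, label in classify_inbound(SAMPLE, PAT_ADDR):
        print(f"{p.ts:8.1f} {p.src}:{p.sport} -> {p.dst}:{p.dport} {label}")
    for src, info in probe_sources(SAMPLE, PAT_ADDR).items():
        print(src, info["count"], sorted(info["dports"]), sorted(info["sports"]))
```

Run against a real capture, the records would come from a pcap parser rather than the inline list; the window is a guess at how long after an outbound packet a reply could plausibly arrive, and should be widened if the firewall keeps UDP state for longer. A source port of 53 on the probes is worth recording separately, since a stateless "allow UDP from port 53" rule is exactly what such a packet would slip through.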
