Re: spoofed packets to RFC 1918 addresses
From: jon schatz (jon@divisionbyzero.com)Date: 06/27/02
- Previous message: Daniel Polombo: "Re: spoofed packets to RFC 1918 addresses"
- In reply to: Dirk Koopman: "spoofed packets to RFC 1918 addresses"
- Next in thread: Robert E. Lee: "Re: spoofed packets to RFC 1918 addresses"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: jon schatz <jon@divisionbyzero.com> To: Dirk Koopman <djk@tobit.co.uk> Date: 26 Jun 2002 22:37:55 -0700
On Wed, 2002-06-26 at 08:48, Dirk Koopman wrote:
> There seems to be a "tool" about, which is somehow able to
> detect valid rfc1918 addresses behind a NATed firewall and is spoofing
> from addresses using random (usually non-existant) addresses from the
> class C on the internet side of that firewall.
i read about a tool last summer that would do an icmp scan through a
firewall. i believe it sent icmp unreachable packets to the firewall
destined for common ip addresses (10.0.0.1, 192.168.1.1, 172.16.1.1).
the firewall would send another icmp unreachable packet back to the
machine if the unroutable ip address wasn't alive (or something like
that). once the intruder has a starting ip address, the rest is
elementary. i remember this was around the same time xprobe was first
announced (xprobe == icmp remote os detection). hth.
-jon
-- jon@divisionbyzero.com || www.divisionbyzero.com gpg key: www.divisionbyzero.com/pubkey.asc think i have a virus? www.divisionbyzero.com/pgp.html "You are in a twisty little maze of Sendmail rules, all confusing."
- application/pgp-signature attachment: This is a digitally signed message part
- Previous message: Daniel Polombo: "Re: spoofed packets to RFC 1918 addresses"
- In reply to: Dirk Koopman: "spoofed packets to RFC 1918 addresses"
- Next in thread: Robert E. Lee: "Re: spoofed packets to RFC 1918 addresses"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
