Re: spoofed packets to RFC 1918 addresses

From: jon schatz (jon@divisionbyzero.com)
Date: 06/27/02


From: jon schatz <jon@divisionbyzero.com>
To: Dirk Koopman <djk@tobit.co.uk>
Date: 26 Jun 2002 22:37:55 -0700


On Wed, 2002-06-26 at 08:48, Dirk Koopman wrote:
> There seems to be a "tool" about, which is somehow able to
> detect valid rfc1918 addresses behind a NATed firewall and is spoofing
> from addresses using random (usually non-existent) addresses from the
> class C on the internet side of that firewall.

i read about a tool last summer that would do an icmp scan through a
firewall. i believe it sent icmp unreachable packets to the firewall
destined for common ip addresses (10.0.0.1, 192.168.1.1, 172.16.1.1).
the firewall would send another icmp unreachable packet back to the
machine if the unroutable ip address wasn't alive (or something like
that). once the intruder has a starting ip address, the rest is
elementary. i remember this was around the same time xprobe was first
announced (xprobe == icmp remote os detection). hth.

-jon

-- 
jon@divisionbyzero.com || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus? www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing."
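Added example (not part of the original thread or either poster's code): a small detector that reads firewall log lines taken from the outside interface and flags the two patterns discussed above, ICMP unreachable packets addressed to RFC 1918 destinations, and packets whose source address could not legitimately arrive from the internet side (an RFC 1918 source, or an address in the firewall's own outside class C that is not a known neighbour). The log format, the interface names, the 203.0.113.0/24 outside subnet and the known-neighbour list are all assumptions chosen for the example; the sample log lines are constructed.

```python
import ipaddress

# Constructed sample log lines in an assumed "key=value" firewall log format.
# eth0 is assumed to be the internet-facing interface, eth1 the inside.
SAMPLE_LOG = """\
iface=eth0 proto=icmp type=3 code=1 src=203.0.113.7 dst=10.0.0.1
iface=eth0 proto=icmp type=3 code=1 src=203.0.113.9 dst=192.168.1.1
iface=eth0 proto=tcp src=198.51.100.4 dst=203.0.113.20 dport=80
iface=eth0 proto=icmp type=8 code=0 src=192.168.1.50 dst=203.0.113.20
iface=eth1 proto=icmp type=3 code=3 src=192.168.1.50 dst=192.168.1.1
iface=eth0 proto=udp src=203.0.113.200 dst=203.0.113.20 dport=53
"""

# RFC 1918 ranges: none of these may appear as a source on the outside interface.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed: the class C on the internet side of the firewall, and the only hosts
# on that subnet that are expected to send traffic to it (e.g. the upstream router).
OUTSIDE_IFACE = "eth0"
LOCAL_CLASS_C = ipaddress.ip_network("203.0.113.0/24")
KNOWN_NEIGHBOURS = {ipaddress.ip_address("203.0.113.1")}


def parse_line(line):
    """Split one 'key=value key=value ...' log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def classify(rec):
    """Return the list of reasons a record is suspicious (empty if it is not).

    Only traffic seen on the outside interface is considered; anything on the
    inside interface is out of scope for these checks.
    """
    reasons = []
    if rec.get("iface") != OUTSIDE_IFACE:
        return reasons
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])

    # ICMP type 3 (destination unreachable) aimed at a private address from
    # the internet side: the probe pattern described in the thread.
    if rec.get("proto") == "icmp" and rec.get("type") == "3" and is_rfc1918(dst):
        reasons.append("icmp-unreachable-to-rfc1918")

    # Ingress-filter violation: a private source address cannot legitimately
    # arrive from the internet, so the source is spoofed.
    if is_rfc1918(src):
        reasons.append("spoofed-rfc1918-source")

    # A source inside the firewall's own outside class C that is not a known
    # on-link host: the "random addresses from the class C" pattern.
    if src in LOCAL_CLASS_C and src not in KNOWN_NEIGHBOURS:
        reasons.append("source-in-local-class-c")

    return reasons


def scan(log_text):
    """Return [(line_number, reasons)] for every flagged line, 1-indexed."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        reasons = classify(parse_line(line))
        if reasons:
            alerts.append((lineno, reasons))
    return alerts


if __name__ == "__main__":
    for lineno, reasons in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(reasons)}")
```

Lines 1, 2, 4 and 6 of the sample are flagged; the TCP line from an unrelated public address and the inside-interface line are not. The two ICMP lines also trip the local-class-C check because their source is in the outside subnet without being a known neighbour, which is exactly the combination the original report describes. In practice the ICMP and RFC 1918 checks are what an ingress filter on the outside interface should drop outright, while the local-class-C check is a lower-confidence signal that depends on the neighbour list being complete.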