Re: spoofing ip as broadcast
GW_at_deytriedtokillDADDYBWWwahhhh.com
Date: 12/12/03
- Next message: Tracy Kennison: "Re: Authentication on PIX, WatchGuard, Safe@Office & SonicWall"
- Previous message: bargepole: "Re: Kerio WINROUTE settings for version 5.x - help please !"
- Maybe in reply to:(deleted message) GW_at_deytriedtokillDADDYBWWwahhhh.com: "Re: spoofing ip as broadcast"
- Next in thread: NeoSadist: "Re: spoofing ip as broadcast"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 12 Dec 2003 03:58:02 GMT
In article <JHEJWZ6L37966.9582291667@Gilgamesh-frog.org>,
<GW@deytriedtokillDADDYBWWwahhhh.com> wrote:
:There's an attack for win9x machines wherein the hacker spoofs another user's
:IP so as to cause all those on the same network to consider that IP as a "broadcast"
:IP such that they all respond, kicking the user off the net. What is this called,
:how is it done and is there a defense other than a different OS?
roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) replied:
----
I have no idea about the name, but I'm sure your description must be wrong. What would make sense as an attack would be to spoof someone else's MAC address and IP address, and send out a packet to a broadcast IP, either the subnet broadcast address or the global broadcast address. If the target service and port is something likely to be running on a number of computers, then it is possible that the replies would end up flooding the victim's machine.
----
GW@deytriedtokillDADDYBWWwahhhh.com answers:

Yes, sorry, that is what I was referring to; I'm just learning this stuff now. I got a flood of packets from just about every imaginable IP that were all blocked by my firewall, but all to the same port: 8886. Apparently my box became overwhelmed and I was disconnected. However, the attack I first posted about usually involves IPs of the same ISP doing the response to the broadcast; or does a global broadcast involve a wider range of responding machines? In this case, there doesn't seem to be any relationship between the IPs of the sending machines other than them sending packets to the same local port.

I've run two of the best AV pgms around, which according to tests find 99+% of all trojans, as well as a trojan checker, and nothing was found. However, I have downloaded some warez programs, so maybe my machine is compromised. The firewall, which was downloaded from the mfg and is supposedly one of the best, shows no connections being attempted for out packets, only blocking of a flood of in packets.

This occurred shortly after going online, using a socksified program to usenet (btw, are socks protocol packets picked up by firewalls, since it is not a usual protocol?). It persisted until I was booted from my dialup (connection lost). The entire log consists of only a series of blocks to incoming packets from various IPs, which appear random and all to port 8886. I did not have time to run a sniffer to try to gather more info.
During this time I was downloading usenet articles through an open socks proxy. Maybe the attack came from that proxy?
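
An added triage example, not part of the original thread: replies provoked by a spoofed packet sent to a subnet broadcast address come from hosts on that one subnet, so this sketch checks whether the sources blocked on the busiest port cluster in a single prefix or are scattered, as the post reports. The log tuples, the /24 grouping and the thresholds are assumptions chosen for illustration.

```python
import ipaddress
from collections import Counter

# Constructed samples (documentation address ranges), not data from the post:
# (source IP, destination port) of blocked inbound packets.
CLUSTERED = [("192.0.2.%d" % h, 8886) for h in (3, 17, 42, 77, 101, 200)]
SCATTERED = [("192.0.2.9", 8886), ("192.0.2.80", 8886),
             ("198.51.100.4", 8886), ("198.51.100.66", 8886),
             ("203.0.113.5", 8886), ("203.0.113.250", 8886),
             ("203.0.113.5", 135)]


def summarize(entries, prefix_len=24):
    """Describe the sources hitting the most-targeted destination port."""
    if not entries:
        return None
    top_port, _ = Counter(port for _, port in entries).most_common(1)[0]
    sources = {ipaddress.ip_address(src)
               for src, port in entries if port == top_port}
    # Group distinct sources by enclosing prefix (IPv4 /24 by assumption).
    prefixes = Counter(
        ipaddress.ip_network("%s/%d" % (src, prefix_len), strict=False)
        for src in sources)
    top_prefix, count = prefixes.most_common(1)[0]
    return {"top_port": top_port,
            "distinct_sources": len(sources),
            "top_prefix": str(top_prefix),
            "top_prefix_share": count / len(sources)}


def classify(entries, min_sources=5, cluster_share=0.8):
    """Label the flood by how concentrated its sources are."""
    s = summarize(entries)
    if s is None:
        return "no-data"
    if s["distinct_sources"] < min_sources:
        return "few-sources"
    if s["top_prefix_share"] >= cluster_share:
        return "clustered"   # consistent with one broadcast domain replying
    return "scattered"       # unrelated sources converging on one port


if __name__ == "__main__":
    for name, sample in (("clustered", CLUSTERED), ("scattered", SCATTERED)):
        print(name, classify(sample), summarize(sample))
```

A "scattered" result says only that the sources do not share a prefix; it does not identify what generated the traffic.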