Re: IP Spoofing questions

From: Walter Roberson (roberson_at_ibd.nrc-cnrc.gc.ca)
Date: 03/07/04


Date: 7 Mar 2004 18:37:24 GMT

In article <5f16df6b.0403070759.5565fc91@posting.google.com>,
David Schlecht <dschl@earthlink.net> wrote:
:Is IP Spoofing still a risk if our server has good TCP sequence number
:randomization?

Yes. It's easier to blow down a straw hut, but the brick hut still
has to worry about bulldozers.

:We get numerous CGI attacks that I'm interested in reporting but don't
:know how much I can rely on our server logs source IP field.

If these are automated attacks, then I'm sorry to say that your
reports are likely going to be more or less ignored by most sites.
There's just so *many* of such attacks -- it's like trying to file
a police report every time anyone calls in saying "I saw a person in
a black shirt drop a candy wrapper!"

If these are for selective attacks where there was some intelligence
put into you as a target (e.g., you can show a progression of probes where
they learned more about your defences and tried more specific attacks) then
you might be able to get somewhere with authorities. But I should warn
you that unless you have very good evidence lined up, "forensic quality"
[i.e., will stand up in court], then *in practice* you are probably
around 400000'th in line unless you can demonstrate that more than $10,000
(better yet, $25,000) of real damage was done... damage that excludes the
cost of cleaning up your systems afterwards.

It is not a good state of affairs, to be sure.

-- 
Studies show that the average reader ignores 106% of all statistics
they see in .signatures.

