On Sun, 13 Jan 2002, Peter Jönsson wrote:

[ Sorry that this message is marked as ISO-8859-8-i and not as ISO-8859-1 ]

> Ok..
>
> I'm pretty sure now that this is just snort reporting when the dns-server
> sends back the data from the lookup. The dns-server just happens to send
> it to some port that snort is looking for traffic on. But won't this make
> it very easy to hide your attempts to connect to a backdoor ( or
> something ), you spoof yourself as 10.0.0.1 and the person reading the
> logs will just ignore that since they know that it's just the dns-server?

The tricky part with spoofing packets is to get a reply to your packets.
It should be noted that commands could be given even without reply
packets, though.

Suppose someone from a host far away in the internet spoofs a packet to
you "from" 10.0.0.1 . Then your computer, should it choose to reply to
that packet, will reply by sending a packet to 10.0.0.1 (this is UDP, and
thus we're talking about single packets, and not connections, as in UDP).
This packet will probably be routed to the real 10.0.0.1 . If the sender
has control over one of the routers along the way, or something similar,
then he can pull such a trick.

BTW: If the sender is from outside of telia's network, it is probably
difficult for him to slip in packets to internal hosts at all.
Theoretically it is impossible, but there may certainly be holes in the
masquerading that will allow this. If Telia have the minimal brains, they
drop all packets that spoof as originating from 10.x.x.x in the entrance
from the internet.

-- 
Tzafrir Cohen                       /"\
mailto:[EMAIL PROTECTED]            \ /  ASCII Ribbon Campaign
Taub 229, 972-4-829-3942,            X   Against HTML Mail
http://www.technion.ac.il/~tzafrir  / \
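The two points in the exchange above, that a genuine DNS reply can land on a port a Snort rule watches, and that a spoofed packet "from" 10.0.0.1 arriving from the internet should simply be dropped, can both be turned into a check a log reader can apply before dismissing an alert as "just the dns-server". The following is an added example, not code from the thread or from Snort: a small stateful tracker that applies the ingress filter Tzafrir describes (private source on the external interface is dropped) and only treats an inbound packet from the resolver's port 53 as a DNS reply if a matching outbound query to that resolver was seen shortly before. The interface names, resolver address, port list and packet records are constructed for the example.

```python
"""Distinguish real DNS replies from unsolicited or spoofed UDP packets.

Example code, not part of the original thread. Interface labels, the
resolver address, the watched port and all packets below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Packet:
    iface: str   # "ext" = internet-facing side, "int" = LAN side (constructed labels)
    src: str
    sport: int
    dst: str
    dport: int
    ts: float    # seconds


def is_rfc1918(ip: str) -> bool:
    """True for 10/8, 172.16/12 and 192.168/16 sources."""
    a, b, _, _ = (int(o) for o in ip.split("."))
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


class UdpDnsTracker:
    """Stateful classifier for UDP packets seen at the border."""

    QUERY_TTL = 5.0  # how long a query may wait for its reply (assumption)

    def __init__(self, dns_server: str, watched_ports: Set[int]) -> None:
        self.dns_server = dns_server
        self.watched_ports = watched_ports          # ports a Snort-style rule alerts on
        self.pending: Dict[Tuple[str, int], float] = {}   # (client ip, client port) -> ts

    def classify(self, pkt: Packet) -> str:
        # 1. Ingress filter: a private source address can never legitimately
        #    arrive on the internet-facing interface.
        if pkt.iface == "ext" and is_rfc1918(pkt.src):
            return "DROP spoofed-private-source"

        # 2. Remember outbound queries to our resolver so replies can be matched.
        if pkt.dst == self.dns_server and pkt.dport == 53:
            self.pending[(pkt.src, pkt.sport)] = pkt.ts
            return "ALLOW dns-query"

        # 3. Inbound from the resolver's port 53: only a reply if we asked.
        if pkt.src == self.dns_server and pkt.sport == 53:
            sent = self.pending.pop((pkt.dst, pkt.dport), None)
            if sent is not None and pkt.ts - sent <= self.QUERY_TTL:
                # A reply may well land on a watched port; the matching query
                # is what justifies ignoring the port-based alert.
                return "ALLOW dns-reply-matched-query"
            return "ALERT unsolicited-from-port-53"

        # 4. Anything else hitting a watched port keeps the alert.
        if pkt.dport in self.watched_ports:
            return "ALERT watched-port"
        return "ALLOW other"


def run_sample() -> List[str]:
    """Feed a constructed packet sequence through the tracker."""
    tracker = UdpDnsTracker(dns_server="10.0.0.1", watched_ports={31337})
    sample = [
        Packet("int", "10.0.0.5", 31337, "10.0.0.1", 53, 1.0),   # client query
        Packet("int", "10.0.0.1", 53, "10.0.0.5", 31337, 1.2),   # genuine reply
        Packet("int", "10.0.0.1", 53, "10.0.0.5", 31337, 9.0),   # same tuple, no query
        Packet("ext", "10.0.0.1", 53, "10.0.0.5", 31337, 9.5),   # spoofed from outside
        Packet("ext", "198.51.100.7", 4444, "10.0.0.5", 31337, 10.0),  # real outside host
    ]
    return [tracker.classify(p) for p in sample]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The first reply is accepted because a query with the same client address and port was seen 0.2 s earlier, even though port 31337 is on the watched list; the second packet on that tuple has no outstanding query and is flagged rather than waved through, and the copy arriving on the external interface is dropped by the private-source rule before any port matching happens.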

