> -----Original Message-----
> From: Dimitris Chontzopoulos [mailto:[EMAIL PROTECTED]
> Sent: 11 July 2003 17:37
> To: 'Gareth Blades'
> Subject: RE: [Full-Disclosure] RE: Attack profiling tool?
>
>
> I am not trying to start a technical debate over things here, but, AFAIK
> you shouldn't blame the product (FW-1) if the reseller wasn't able to
> configure it ;-)

Very true, but we did install it ourselves and go through all the options and configure everything which would help the defence. This was a few months ago and I believe there has been a new version since then. I wasn't involved with the testing myself so I cannot say what the exact configuration was.

> <Yes we are limiting the number of connections but we are doing it
> selectively by not allowing the attacker to make new connections but
> allowing everyone else to...>
>
> You can also do that with FW-1, not to mention "Smart Defense" and
> "Application Intelligence" that give the product a great push so as to
> not be thought of as a common "Stateful Packet Inspection Technology
> Firewall" ;-) But this is another issue, clearly not belonging in this
> list ;-)

What version were these options available in? Are they additional license or software options? It would be interesting to see how well they work.

> <The particular machine is a demo server so anyone may connect...>
>
> Maybe it is, but when I tried to connect I was prompted for a
> username/password... This is where my "lucky guessing" regarding "Brute
> Force" was made.

There is a form on our website where people request access to the box and are emailed the password straight away. You weren't to know this though.

> <They are TCP connections and as the client is completing the handshake
> they cannot be spoofing the source address. If the source address was
> spoofed then they would not get the SYN-ACK packet which they reply to,
> to complete the connection...>
>
> Who said anything about a three-way TCP handshake session? I am merely
> saying that the attacker CAN spoof other IP Addresses by sending SYN
> packets without expecting a SYN/ACK. Isn't that possible? I think so.

Sorry, I assumed you had looked at the packet capture URL I originally posted, which shows the TCP handshake session being established.

> <I don't think they are trying to brute force the console as once the
> TCP connection is established there is no further data transfer until
> they close the connections.>
>
> This is why I mentioned "PortFuck". Download it from astalavista.box.sk
> and give it a try (you should disable your AV though because it is
> recognized as a "BAD tool"). Then all you have to do is tell "PortFuck"
> to connect to the IP Address attacked, open lots-lots-lots of
> connections to port 443 and you can have your favorite "Sniffer" or
> Webgear capturing. Then all you have to do is examine the data pattern
> from "PortFuck" against the data pattern you already have.

Thanks, I will have a look at that when I get in on Monday.

> Cheers,
>
> Dimitris.
>
> P.S. Don't take it personally, I am just trying to justify what I say.

No offense taken.

Regards

Gareth

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
