Hi Rick,
 
There are a number of important points missing here... Any responses to the spoofed addresses may, as you indicate, be directed at the Internet by default routes on your host systems, but presumably you have firewalls in place (good ones, I hope!). These spoofed packets will therefore be blocked because there will be an outbound TCP ACK packet with no corresponding inbound session entry on the firewall itself (basic firewall stuff); the packet should be dropped immediately.
 
Even if the ISS stealth scan is modifying the flags/packet structure and doing clever things etc., it should not be getting past your firewall. If the port is closed on your host and you happen to send back ICMP unreachables, then even this should not be allowed from your internal system via the firewall (and again, a good rulebase will stop this). If UDP scanning is implemented in the ISS scanner (not sure if it is or not), then your rulebase should be blocking the majority of outbound ports anyway; for the packets that may get through, they will be heading for a specific address and just be dropped at that target's address! It may be possible that there would be a small amount of info leakage through the firewall, but you would need to be sniffing at the right time and in the right place on the network to glean this info, and even then you will be sending from the source IP address of the firewall itself. This should just not be an issue if you have the right network/security infrastructure in place.
 
Adrian Brindley
CGE&Y
 
 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 17 July 2003 13:51
To: [EMAIL PROTECTED]
Subject: RE: [ISSForum] Internet Scanner 7 - IP Spoofing

Does this happen with Internet Scanner 6.2.1?
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 3:35 PM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Internet Scanner 7 - IP Spoofing

Sharing a lesson learned.  

Internet Scanner version 7 has a check for Stealth Port Scanning. The documentation states that the check spoofs an IP address; however, what you don't know is something I found out the hard way.

When the Stealth scan occurs it uses a Raw Packet Server that is designed to spoof the IP addresses. What happens is that the IP address of the system used to perform the scans is reversed. For example, if the scanner's IP address is 205.30.112.25, it becomes 25.112.30.205 when it is spoofed, and this is the address used to perform a stealth port scan. The target system being probed responds to the spoofed IP address. Since this address is not part of our domain, the response is routed to the Internet! Not a good idea! So now you are spewing responses from all the internal IP addresses out to the Internet to a spoofed address. It is conceivable that someone watching your domain could pick up on this behavior and learn what the IP address of your scanner is, plus collect the IP addresses of all your internal systems. This may not be a good idea if you have mission critical or classified systems that you were scanning for vulnerabilities. I think this is a breach of internal information that should not be happening, and that the user community needs to know about. Fortunately we monitor our outgoing traffic at the firewall and picked this up quickly. I confirmed this behavior with ISS and they responded that the check is performing as designed! However, they would look into updating the documentation. You can confirm this by performing a scan and watching the firewall, then search the session log for Stealth and you will see what happens.


Rick Berg 
Pacific Northwest National Laboratories 
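An added example, not part of either message and not ISS or PNNL code, that models the two points in this thread: the octet reversal Rick describes (205.30.112.25 becomes 25.112.30.205) and the stateful-firewall drop Adrian relies on. The session-log format, the internal network 205.30.0.0/16 and the log lines are constructed assumptions; only the scanner address comes from the post.

```python
import ipaddress

# Assumption: the site's internal address space (the post only gives the scanner IP).
INTERNAL_NET = ipaddress.ip_network("205.30.0.0/16")


def reverse_octets(ip: str) -> str:
    """Octet reversal as described in the post: 205.30.112.25 -> 25.112.30.205.
    Applying it twice recovers the scanner address, which is what an outside
    observer seeing the leaked replies could do."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets))


def parse_session_line(line: str) -> dict:
    """Parse one constructed key=value firewall session-log line."""
    return dict(kv.split("=", 1) for kv in line.split())


def stateful_verdict(entry: dict, sessions: set) -> str:
    """Adrian's point: an outbound TCP segment with ACK set (SYN/ACK or RST/ACK)
    whose 4-tuple was never opened by an inbound SYN has no session entry, so a
    stateful firewall drops it. `sessions` holds (src, sport, dst, dport) keys
    in the outbound reply direction."""
    key = (entry["src"], entry["sport"], entry["dst"], entry["dport"])
    if entry["dir"] == "out" and "A" in entry["flags"] and key not in sessions:
        return "DROP"
    return "ALLOW"


def find_scanner_leak(lines, scanner_ip: str) -> list:
    """Rick's detection: internal hosts whose replies were addressed to the
    reversed scanner address, i.e. the hosts an outside watcher could enumerate."""
    spoofed = reverse_octets(scanner_ip)
    leaked = set()
    for line in lines:
        e = parse_session_line(line)
        if e["dst"] == spoofed and ipaddress.ip_address(e["src"]) in INTERNAL_NET:
            leaked.add(e["src"])
    return sorted(leaked)


# Constructed sample log: two replies to the spoofed address, one legitimate reply
# to a real client whose inbound SYN created a session entry.
SAMPLE_LOG = [
    "src=205.30.112.40 dst=25.112.30.205 proto=tcp sport=22 dport=41234 flags=SA dir=out",
    "src=205.30.112.41 dst=25.112.30.205 proto=tcp sport=80 dport=41235 flags=RA dir=out",
    "src=205.30.112.42 dst=198.51.100.7 proto=tcp sport=443 dport=50000 flags=SA dir=out",
]
KNOWN_SESSIONS = {("205.30.112.42", "443", "198.51.100.7", "50000")}
```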

