Internet Scanner Customers - 

In response to the posting below, ISS would like to inform Internet Scanner users that 
this issue is currently being addressed.  The incorrect source IP address is caused by 
a defect in the Stealth Port Scan check.  The fix is now being tested and will be 
implemented in the next scheduled XPU.  Our recommendation is to disable this check 
until the XPU containing this fix has been applied.  We apologize for any 
inconvenience that this has caused.
Regards,
David

-------------------------------------------------
David Abercrombie
Technical Product Manager
Direct: 404.236.3974
Fax: 404.236.2605
[EMAIL PROTECTED]

Internet Security Systems - The Power to Protect 

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, July 16, 2003 4:35 PM
> To: [EMAIL PROTECTED]
> Subject: [ISSForum] Internet Scanner 7 - IP Spoofing
> 
> 
> Sharing a lesson learned.   
>   
> Internet Scanner version 7 has a check for Stealth Port Scanning. The documentation 
> states that the check spoofs an IP address, however what you don't know is something 
> I found out the hard way. 
> 
> When the Stealth scan occurs it uses a Raw Packet Server that is designed to spoof 
> the IP addresses. What happens is that the IP address of the system used to perform 
> the scans is reversed. For example, if the scanner's IP address is 205.30.112.25, it 
> becomes 25.112.30.205 when it is spoofed, and this is the address used to perform a 
> stealth port scan. The target system being probed responds to the spoofed IP 
> address. Since this address is not part of our domain the response is routed to the 
> Internet! Not a good idea! So now you are spewing responses from all the internal IP 
> addresses out the internet to a spoofed address. It is conceivable that someone 
> watching your domain could pick up on this behavior and learn what the IP address of 
> your scanner is, plus collect the IP addresses of all your internal systems. This may not 
> be a good idea if you have mission critical or classified systems that you were 
> scanning for vulnerabilities. I think this is a breach of internal information that 
> should not be happening, and that the user community needs to know about. 
> Fortunately we monitor our outgoing traffic at the firewall and picked this up 
> quickly. I confirmed this behavior with ISS and they responded that the check is 
> performing as designed! However they would look into updating the documentation. You 
> can confirm this by performing a scan and watching the firewall, then search the 
> session log for Stealth and you will see what happens.
> 
> 
> Rick Berg  
> Pacific Northwest National Laboratories  
> 
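
The firewall check described in the quoted post can be scripted. The following is an added example, not part of the original thread and not ISS code: it computes the octet-reversed form of each scanner address and flags outbound log entries where an internal host replies to it. The key=value log format, the 205.30.112.0/24 internal range, the sample log lines and all function names are assumptions made for illustration.

```python
import ipaddress

def reversed_octets(ip):
    """Return the IPv4 address with its four octets in reverse order."""
    return str(ipaddress.IPv4Address(ipaddress.IPv4Address(ip).packed[::-1]))

def is_internal(ip, nets):
    """True if ip parses as an address inside one of the internal networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)

def find_leaks(log_lines, scanner_ips, internal_nets):
    """Return (internal_src, spoofed_dst, scanner_ip) for each leaked reply."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    # Reversed addresses that fall outside our networks get routed to the Internet.
    watch = {}
    for scanner in scanner_ips:
        spoofed = reversed_octets(scanner)
        if not is_internal(spoofed, nets):
            watch[spoofed] = scanner
    hits = []
    for line in log_lines:
        # Assumed log format: whitespace-separated key=value fields.
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        src, dst = fields.get("src", ""), fields.get("dst", "")
        if dst in watch and is_internal(src, nets):
            hits.append((src, dst, watch[dst]))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "ts=2003-07-16T16:02:11 dir=out src=205.30.112.40 dst=25.112.30.205 proto=tcp flags=SA",
    "ts=2003-07-16T16:02:11 dir=out src=205.30.112.41 dst=25.112.30.205 proto=tcp flags=RA",
    "ts=2003-07-16T16:02:12 dir=out src=205.30.112.40 dst=192.0.2.10 proto=tcp flags=S",
    "ts=2003-07-16T16:02:13 dir=out src=198.51.100.7 dst=25.112.30.205 proto=tcp flags=SA",
    "ts=2003-07-16T16:02:14 dir=out src=garbled dst=25.112.30.205 proto=tcp flags=SA",
]

if __name__ == "__main__":
    for src, dst, scanner in find_leaks(SAMPLE_LOG, ["205.30.112.25"],
                                        ["205.30.112.0/24"]):
        print(f"internal host {src} replied to {dst} (reversed form of {scanner})")
```

Each hit names an internal host whose reply left the network, which is the information the post warns an outside observer could collect.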

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
