"Scott C. Best" wrote:
> 
> mds:
>         Huh. These are interesting:
> 
> > Jun 15 23:50:55 bluetrout kernel: Packet log: input DENY eth0 PROTO=17
> > 192.168.0.2:137 a.b.c.d:137 L=78 S=0x00 I=1498 F=0x0000 T=107 (#11)
> >
> [snip]
> >
> > Now, the interesting things are these:
> >
> > [1] 192.168.0.2 is a DHCP leased address on our internal (eth1), masq'd
> > network -- powered OFF.  How could it come in eth0, anyway?
> >
> > [2] a.b.c.d is a static address in our DMZ (eth2), which is on and on
> > which I am running an active SSH session.
> 
>         The most important detail here is that it was caught
> on the input chain of your eth0 interface. As long as you don't
> have the wires mixed up, I'd say unquestionably that these packets
> came from the outside. Further, the T=107 is telling: IIRC, Windoze
> machines start at 128, unix/Linux/BSD machines typically at 256.

OK, what is the best documentation explaining F=, I=, L=, S= & T= ???

>         Now, the 192.168.x.y is clearly not unique to your LAN.
> So, even though it's the same IP address as one you use, anyone on
> the outside could forge a packet with this source IP address. In
> fact, if someone was trying to be malicious, they might just try
> and "stuff" a packet like this into your external interface. Just
> to see if your firewall was set up at all correctly.

OK, so I can modify my outgoing packets to say that I'm coming from
192.168.1.23, or some such -- *HOW* can I get the response to those
packets returned to me at my real address?  If I fool you, regarding my
source address, won't your response also go to 192.168.1.23 ???

Also, if these packets had not been DENY'ed, wouldn't responses to them
be routed into my local network?  Once into our firewall, how could such
responses ever get back out ???

>         Lastly, let me take a guess as to *why*. Some attacks are
> blind ones, where the attacker sends packets to a machine, and
> doesn't really care what the replies are. It either succeeds or it
> does not. It's like logging onto your LRP box: I bet without looking
> at the screen, you could logon as root and flush the firewall. My
> point: if someone is sending these blind attacks to your machines'
> NETBIOS ports, attempting some exploit, they might as well "sign"
> the packets so that they appear to come from your own LAN.

My concern lies in *not* being able to reliably trace exploits back to
their source!

Yes, that this is done and currently the norm with skilled scribblers is
*not* news to me; but, this incident is the perfect illustration of how
untrustworthy the InterNet is.  Not to mention, that our T-1 ISP is
actually routing RFC 1918/1627/1597 blocks across the InterNet ;<

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

"Dare to fix things before they break . . . "

"Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . . "

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user
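An added example, not from this thread or from the LEAF project: a parser for the ipchains "Packet log:" line format quoted above that decodes the L=, S=, I=, F= and T= fields (total length, TOS byte, IP ID, fragment flags/offset word, TTL) and flags the case Scott describes, an RFC 1918 source address arriving on the outside interface. The sample log lines are constructed, 192.0.2.10 stands in for the DMZ address a.b.c.d, and eth0 is assumed to be the external interface.

```python
import ipaddress
import re
# Field layout of the ipchains "Packet log:" line quoted in the thread.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)
# RFC 1918 ranges: never a legitimate source on a public-facing interface.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_ipchains_log(line):
    """Return one packet-log line as a dict of decoded fields, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    frag = int(d["frag"], 16)  # F= 16-bit word: flags in the top bits, offset below
    return {
        "chain": d["chain"], "action": d["action"], "iface": d["iface"],
        "proto": int(d["proto"]), "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "length": int(d["length"]),          # L= total IP packet length (bytes)
        "tos": int(d["tos"], 16),            # S= type-of-service byte
        "ipid": int(d["ipid"]),              # I= IP identification field
        "dont_frag": bool(frag & 0x4000),    # DF flag
        "more_frags": bool(frag & 0x2000),   # MF flag
        "frag_offset": (frag & 0x1FFF) * 8,  # fragment offset in bytes
        "ttl": int(d["ttl"]),                # T= remaining time-to-live
    }

def is_spoofed_private_source(entry, external_ifaces=("eth0",)):
    """True when an RFC 1918 source address arrived on an outside-facing interface."""
    if entry["chain"] != "input" or entry["iface"] not in external_ifaces:
        return False
    return any(ipaddress.ip_address(entry["src"]) in net for net in PRIVATE_NETS)

def find_spoofed(lines, external_ifaces=("eth0",)):
    """Parse each log line and keep those that look like spoofed LAN sources."""
    entries = (parse_ipchains_log(l) for l in lines)
    return [e for e in entries if e and is_spoofed_private_source(e, external_ifaces)]

# Constructed sample lines; 192.0.2.10 stands in for the DMZ host's real address.
SAMPLE_LOG = [
    "Jun 15 23:50:55 bluetrout kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.2:137 192.0.2.10:137 L=78 S=0x00 I=1498 F=0x0000 T=107 (#11)",
    "Jun 15 23:51:02 bluetrout kernel: Packet log: input ACCEPT eth1 PROTO=6 192.168.0.3:1025 192.0.2.10:22 L=60 S=0x10 I=2201 F=0x4000 T=64 (#3)",
    "Jun 15 23:51:09 bluetrout kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4321 192.0.2.10:23 L=44 S=0x00 I=51 F=0x4000 T=242 (#12)",
]
```

Running find_spoofed(SAMPLE_LOG) returns only the first entry; the second is a LAN source on the inside interface and the third is a public source, so neither is reported.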
