[NTLUG:Discuss] Re: How does 'ip address spoofing work'?

Vaidya, Harshal (Cognizant) HarshalV at pun.COGNIZANT.COM
Sun Jul 6 23:28:52 CDT 2003


Now that you are being attacked, the only thing coming to my mind is to
suggest that you change the passwords regularly to beat all their
attempts to guess the passwords.

If possible, you can deny all these 180 public proxy IP addresses access
to your server.

.. Just a thought.

Thanks and Regards,
Harshal.

-----Original Message-----
From: David [mailto:david at hayes-family.org] 
Sent: Sunday, July 06, 2003 7:45 AM
To: NTLUG Discussion List
Subject: Re: [NTLUG:Discuss] Re: How does 'ip address spoofing work'?


On Sat, Jul 05, 2003 at 01:00:41PM -0500, Jack Snodgrass wrote:
> something I hadn't thought of.... I checked several of
> the IP Addresses on Google. These IP Addresses are
> public proxy servers. So... the hacker just sends his
> request through the proxy server and hides his tracks
> even more. 

You're probably more on target here.  Your log records are showing URLs
requested.  That can't happen until the third packet of a TCP session --
SYN; SYN-ACK; then first data packet.  For you to see URLs in your log
files, you know that there must have been a bidirectional exchange of
packets.  That's exceedingly difficult to do while spoofing the source
address.  In fact, it can't be done, unless the system doing the
spoofing is somewhere along the route your packets are taking.  

If the goal were a simple denial-of-service, mere packet flooding with
spoofed addresses would work.  The fact that the attacker is attempting
to get a reply suggests that they are trying to guess passwords. 

-- 
David Hayes
david at hayes-family.org
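
An added example, not part of either message above: because a log line that records a URL can only come from a completed TCP handshake, the source address on it is a real endpoint (here, the proxy), so counting failed logins per source gives a usable deny list. Assumptions: Common Log Format, HTTP 401 as the failed-login signal, a threshold of 3, iptables on the server, and port 80; the sample lines are constructed and use documentation addresses.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in Common Log Format (assumed; the thread does not name
# the server or log format). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jul/2003:12:00:01 -0500] "GET /members/ HTTP/1.0" 401 401
192.0.2.10 - admin [05/Jul/2003:12:00:02 -0500] "GET /members/ HTTP/1.0" 401 401
192.0.2.10 - admin [05/Jul/2003:12:00:03 -0500] "GET /members/ HTTP/1.0" 401 401
198.51.100.7 - root [05/Jul/2003:12:00:04 -0500] "GET /members/ HTTP/1.0" 401 401
198.51.100.7 - root [05/Jul/2003:12:00:05 -0500] "GET /members/ HTTP/1.0" 401 401
198.51.100.7 - root [05/Jul/2003:12:00:06 -0500] "GET /members/ HTTP/1.0" 401 401
203.0.113.5 - jack [05/Jul/2003:12:01:09 -0500] "GET /members/ HTTP/1.0" 401 401
203.0.113.5 - jack [05/Jul/2003:12:01:15 -0500] "GET /members/ HTTP/1.0" 200 2310
this line does not parse and is skipped
"""

# client, ident, user, [timestamp], "request", status, size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) \S+')

def failed_auth_by_source(log_text):
    """Count 401 responses per client address, skipping malformed lines."""
    failures = Counter()
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m or m.group(2) != "401":
            continue
        try:
            # Only literal IP addresses may reach the firewall rule text.
            client = str(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue
        failures[client] += 1
    return failures

def deny_candidates(log_text, threshold=3):
    """Addresses with at least `threshold` failed logins, sorted."""
    counts = failed_auth_by_source(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def iptables_rules(addresses):
    """One DROP rule per address; iptables and port 80 are assumptions."""
    return [f"iptables -A INPUT -s {ip} -p tcp --dport 80 -j DROP"
            for ip in addresses]

if __name__ == "__main__":
    print("\n".join(iptables_rules(deny_candidates(SAMPLE_LOG))))
```

The third address stays off the list: one failure followed by a successful login looks like a mistyped password, not guessing.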
