Subject: Re: Odd ipf behaviour?
To: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-security
Date: 09/21/1999 13:59:50
Cc: tech-security@netbsd.org
Message-ID: <19990921135950.C4814@antioche.lip6.fr>
References: <19990919221430.L485@acheron.middleboro.ma.us> <19990920113942.A4576@antioche.lip6.fr> <19990920092544.R485@acheron.middleboro.ma.us> <19990920153611.A13646@antioche.lip6.fr> <19990920094607.U485@acheron.middleboro.ma.us> <19990920162343.C369@antioche.lip6.fr> <19990920131349.X485@acheron.middleboro.ma.us>
In-Reply-To: <19990920131349.X485@acheron.middleboro.ma.us>; from Mason Loring Bliss on Mon, Sep 20, 1999 at 01:13:49PM -0400

On Mon, Sep 20, 1999 at 01:13:49PM -0400, Mason Loring Bliss wrote:
> On Mon, Sep 20, 1999 at 04:23:44PM +0200, Manuel Bouyer wrote:
> 
> > And this was coming from port 80 ... Maybe it was an attack designed to
> > run with a java applet on your client or something like this ?
> 
> VERY interesting... I can see that as a possibility. It's time to go over the
> machine in question with a fine-toothed comb! The machine that was evidently
> targeted (I'd previously thought it was a random guess) does a good chunk of
> web browsing...
> 
> Another possibility, I suppose, is that this is vaguely-legitimate activity
> resulting from some random Java{script,} thing the folks on that box were
> using... The machine doesn't know that there's anything strange about being
> on the ten net, so maybe it advertised that inside http or something while
> talking to a remote web server. It's possible, anyway, although that doesn't
> explain to me why the remote web server would be accommodating and helpfully
> source-route the return packets. But then, the ipopts rule didn't catch the
> packets as being source-routed. <boggle>

It would be strange to use source-route for stuff like this because:
- The server doesn't know the route
- it would be blocked in most cases anyway.
So it's either a deliberate aggression, or something strange with routes
in your area that installed temporary routes to 10.0.0.x

> 
> I guess I need to learn how to do source routing and test my filters a bit,
> rather than sitting confused in the dark. :)
> 
> > Well, properly configured routers shouldn't allow this traffic to go out
> > from the local net, there shouldn't be that much 10.x.x.x traffic on the
> > internet :)
> 
> I do seem to get a fairly substantial amount of what looks like multicast
> traffic...

Is your wire a broadcast one (like ethernet) ?
Do you run mrouted ?

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
--
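For the filter check discussed in this thread (source-routed packets that the generic ipopts rule did not log, plus 10.x traffic crossing the external link), an ipf ruleset like the following is added here as an illustration; it is not from the thread, and the external interface name ex0 is an assumption.

```ipf
# /etc/ipf.conf fragment (added example; ex0 is an assumed external interface)
# Log and drop any packet carrying IP options, and additionally name the
# loose and strict source-route options explicitly so a hit on either
# shows up as its own rule in ipmon output and ipfstat counters.
block in log quick on ex0 all with ipopts
block in log quick on ex0 all with opt lsrr
block in log quick on ex0 all with opt ssrr
# RFC 1918 space should neither arrive from nor leave toward the Internet;
# logging both directions shows whether the local side is leaking 10/8.
block in log quick on ex0 from 10.0.0.0/8 to any
block in log quick on ex0 from any to 10.0.0.0/8
block out log quick on ex0 from 10.0.0.0/8 to any
block out log quick on ex0 from any to 10.0.0.0/8
```

Logged matches are read with ipmon, and per-rule hit counts with ipfstat -hio, which is how to tell whether source-routed packets are reaching the ipopts rule at all.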