Subject: Re: Odd ipf behaviour?
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
List: tech-security
Date: 09/20/1999 13:13:49
Cc: tech-security@netbsd.org
Message-ID: <19990920131349.X485@acheron.middleboro.ma.us>
References: <19990919221430.L485@acheron.middleboro.ma.us> <19990920113942.A4576@antioche.lip6.fr> <19990920092544.R485@acheron.middleboro.ma.us> <19990920153611.A13646@antioche.lip6.fr> <19990920094607.U485@acheron.middleboro.ma.us> <19990920162343.C369@antioche.lip6.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <19990920162343.C369@antioche.lip6.fr>

On Mon, Sep 20, 1999 at 04:23:44PM +0200, Manuel Bouyer wrote:

> And this was coming from port 80 ... Maybe it was an attack designed to
> run with a java applet on your client or something like this ?

VERY interesting... I can see that as a possibility. It's time to go over the
machine in question with a fine-toothed comb! The machine that was evidently
targeted (I'd previously thought it was a random guess) does a good chunk of
web browsing...

Another possibility, I suppose, is that this is vaguely-legitimate activity
resulting from some random Java{script,} thing the folks on that box were
using... The machine doesn't know that there's anything strange about being
on the ten net, so maybe it advertised that inside http or something while
talking to a remote web server. It's possible, anyway, although that doesn't
explain to me why the remote web server would be accommodating and helpfully
source-route the return packets. But then, the ipopts rule didn't catch the
packets as being source-routed. <boggle>

I guess I need to learn how to do source routing and test my filters a bit,
rather than sitting confused in the dark. :)

> Well, properly configured routers shouldn't allow this traffic to go out
> from the local net, there shouldn't be that much 10.x.x.x traffic on the
> internet :)

I do seem to get a fairly substantial amount of what looks like multicast
traffic... I have no clue what it's all supposed to be. This doesn't relate
to 10.x.x.x traffic, though. <shrug> I think I'm going to start using a
different filtering scheme soon.

-- 
    Mason Loring Bliss  mason@acheron.middleboro.ma.us  They also surf who
awake ? sleep : dream;  http://acheron.ne.mediaone.net  only stand on waves.
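The two checks the message circles around (drop source-routed packets, and keep 10.x.x.x traffic from crossing the border in either direction) can be expressed directly as ipf rules. The rule set below is an added example and is not from the original post or from the NetBSD project; the external interface name `ne0` and the choice to log everything blocked are assumptions, and the ipf `with opt` / `with ipopts` keywords are the ones documented in the ipf.conf manual. Listing the specific source-route options alongside the catch-all `with ipopts` rule gives a separate log line per option type, which is what you want when a filter appears not to be catching something.

```ipf
# Added example, not from the original thread. ne0 is the assumed external interface.
# "quick" stops rule processing at the first match, so ordering is top-down here.

# Source-routed packets: log the specific option first, then any remaining IP options.
block in log quick on ne0 proto ip from any to any with opt lsrr
block in log quick on ne0 proto ip from any to any with opt ssrr
block in log quick on ne0 proto ip from any to any with ipopts

# Private (RFC 1918) source addresses have no business arriving from the outside.
block in log quick on ne0 from 10.0.0.0/8 to any
block in log quick on ne0 from 172.16.0.0/12 to any
block in log quick on ne0 from 192.168.0.0/16 to any

# ...and should never leave the site, whether as source or destination.
block out log quick on ne0 from 10.0.0.0/8 to any
block out log quick on ne0 from any to 10.0.0.0/8
block out log quick on ne0 from 172.16.0.0/12 to any
block out log quick on ne0 from any to 172.16.0.0/12
block out log quick on ne0 from 192.168.0.0/16 to any
block out log quick on ne0 from any to 192.168.0.0/16

# Whatever sits below this point is the site's normal pass policy.
```

After loading the rules (`ipf -Fa -f /etc/ipf.conf`), `ipfstat -hio` shows per-rule hit counts, so a packet that "should" have matched the ipopts rule but did not is visible as a zero counter on that rule and a hit further down, and `ipmon` prints the logged packets with the rule number that caught them. Reading both together is the quickest way to find out whether the filter missed the packet or the packet simply had no options set.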