
| Subject: | RE: Is this somme kind of Smurf attack ? |
|---|---|
| Date: | Thu, 28 Oct 2004 12:25:36 -0400 |
Hi Georges,
The SMAC in your original packet has an OID of Cisco Systems implying
that the packets were either sourced from or passed through a router.
As most versions of IOS, as stated below, don't forward DIP
255.255.255.255 packets (this can be worked around but is unlikely) you
should look into the packet data itself for more information. The SMAC
could very well have been faked, but the tcpdump data you posted isn't
likely to provide a whole lot more information without the packet data.
I suggest capturing the packet data and taking a look at that. There are
just too many possibilities (both malicious and benign) with the data
provided.
Good luck,
Scott A. Wozny
Deloitte ERS
-----Original Message-----
From: Marc a.k.a. Stelcheck [mailto:trudel_709@hotmail.com]
Sent: Wednesday, October 27, 2004 11:23 PM
To: firewalls@securityfocus.com
Subject: RE: Is this somme kind of Smurf attack ?
If the address 255.255.255.255 would be sent on a node on the ISP
WAN, it would be stopped right there (try to tracert 255.255.255.255
from any computer on any network and you will see the result - the first
node to get it will keep it and/or send you an error message), so I
think that if the idea was to smurf using ICMP the SRC address in the
stack, it would simply not work because it would be stopped on the first
node it would hit.
My personal guess would be that this is due to some network
transmission of which the ISP is the source... still I have to admit I
have no clue right now what kind of activity could generate such
activity from the ISP...
I might be wrong... just guessing here!
Marc
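As an added illustration of the triage both posts describe (this is not code from the list or from either poster): a small Python parser over a constructed Ethernet/IPv4/ICMP frame that reports the source MAC's vendor prefix, flags a destination of 255.255.255.255 (the limited broadcast that routers do not forward), and extracts the ICMP type so an echo request can be told apart from benign broadcast traffic. The OUI table and the sample frame are constructed for the example; 00:00:0c is a well-known Cisco Systems prefix.

```python
import socket
import struct

# Constructed vendor table keyed by OUI (first 3 octets of the MAC).
# 00:00:0c is a well-known Cisco Systems OUI; this is a tiny subset, not a real OUI database.
OUI_VENDORS = {"00:00:0c": "Cisco Systems"}
LIMITED_BROADCAST = "255.255.255.255"

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def triage_frame(frame: bytes) -> dict:
    """Parse one Ethernet II frame and report what matters for a smurf-style triage:
    the source MAC's vendor prefix, whether the IP destination is the limited broadcast
    address (which routers do not forward, so the sender is on the local segment or is
    the adjacent router itself), and the ICMP type/code if the payload is ICMP."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    dmac, smac, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dmac": mac_str(dmac), "smac": mac_str(smac),
            "smac_vendor": OUI_VENDORS.get(mac_str(smac[:3]), "unknown OUI")}
    if ethertype != 0x0800:  # only IPv4 is handled here
        info["verdict"] = f"non-IPv4 ethertype 0x{ethertype:04x}"
        return info
    ip = frame[14:]
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (options included)
    info.update(src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst), ttl=ttl, proto=proto)
    info["limited_broadcast"] = info["dst"] == LIMITED_BROADCAST
    if proto == 1 and len(ip) >= ihl + 8:  # ICMP: type and code are the first two bytes
        info["icmp_type"], info["icmp_code"] = struct.unpack("!BB", ip[ihl:ihl + 2])
    if info["limited_broadcast"] and info.get("icmp_type") == 8:
        info["verdict"] = ("ICMP echo request to 255.255.255.255: routers do not forward this, so it "
                           f"originated on the local segment (source MAC vendor: {info['smac_vendor']}); "
                           "capture full payloads before calling it a smurf")
    elif info["limited_broadcast"]:
        info["verdict"] = "limited broadcast but not an ICMP echo request; often benign (e.g. DHCP discover)"
    else:
        info["verdict"] = "directed traffic; not a limited-broadcast case"
    return info

# Constructed sample: broadcast DMAC, Cisco-OUI SMAC, IPv4 10.0.0.5 -> 255.255.255.255, ICMP echo request.
SAMPLE_FRAME = (
    bytes.fromhex("ffffffffffff") + bytes.fromhex("00000c112233") + b"\x08\x00"
    + bytes.fromhex("45000024000000004001") + b"\x00\x00" + bytes([10, 0, 0, 5]) + bytes([255, 255, 255, 255])
    + bytes.fromhex("0800000000010001") + b"smurf?\x00\x00"
)

if __name__ == "__main__":
    for key, value in triage_frame(SAMPLE_FRAME).items():
        print(f"{key}: {value}")
```

Point it at frames pulled from a tcpdump capture with `-xx` (or a pcap reader) instead of `SAMPLE_FRAME` to run the same triage on real traffic.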