Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-Disclosure] Odd packet?

from [Mike Klinke] Network Security [Permanent Link]
Subject: Re: [Full-Disclosure] Odd packet?
Date: Wed, 26 May 2004 08:29:30 -0500 
On Wednesday 26 May 2004 04:05, Valentino Squilloni - Ouz wrote:

On Wed, 26 May 2004, Steffen Schumacher wrote:

[]


However, as you said, no ISP, which has to follow rules and
regulations in the western world allows spoofing of or even
routing of the 127/8 net.


Yes, but 127/8 as the source or the destination ?

Even the OP didn't mentioned this.  I'm proned to believe those
packets have 127.0.0.1 as the source of the packets.


You're correct. I thought I'd sent this to the list last night but 
didn't watch the to: field carefully enough on my reply.

I don't know the mechanism but I think I know what you were 
seeing.  Here is an ethereal packet capture from the time.  We, too,  
were constantly seeing our ISP controlled perimeter router sending 
these packets to our internal equipment. The source MAC address here 
is the perimeter router (Cisco 1700) and the ISP was pretty much 
stumped over the cause.

Regards,  Mike Klinke

----------

Ethereal Frame 1 (60 on wire, 60 captured) 
Arrival Time: Aug 18, 2003 13:48:32.919516000 
Time delta from previous packet: 0.000000000 seconds 
Time relative to first packet: 0.000000000 seconds 
Frame Number: 1 
Packet Length: 60 bytes 
Capture Length: 60 bytes 
Ethernet II 
Destination: 00:01:02:ee:21:95 (00:01:02:ee:21:95) 
Source: 00:06:d7:ee:3a:89 (00:06:d7:ee:3a:89) 
Type: IP (0x0800) 
Trailer: 000000000000 
Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), 
  Dst Addr: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 
Version: 4 
Header length: 20 bytes 
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 
0000 00.. = Differentiated Services Codepoint: Default (0x00) 
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0 
Total Length: 40 
Identification: 0x252b 
Flags: 0x00 
.0.. = Don't fragment: Not set
..0. = More fragments: Not set 
Fragment offset: 0 
Time to live: 121 
Protocol: TCP (0x06) 
Header checksum: 0x44e2 (correct) 
Source: 127.0.0.1 (127.0.0.1) 
Destination: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 
Transmission Control Protocol, 
  Src Port: 80 (80), Dst Port: 1319 (1319), 
  Seq: 0, Ack: 986251265, Len: 0 
Source port: 80 (80) 
Destination port: 1319 (1319) 
Sequence number: 0 
Acknowledgement number: 986251265 
Header length: 20 bytes 
Flags: 0x0014 (RST, ACK) 
0... .... = Congestion Window Reduced (CWR): Not set 
.0.. .... = ECN-Echo: Not set 
..0. .... = Urgent: Not set 
...1 .... = Acknowledgment: Set 
.... 0... = Push: Not set 
.... .1.. = Reset: Set 
.... ..0. = Syn: Not set 
.... ...0 = Fin: Not set 
Window size: 0 
Checksum: 0x97cc (correct)
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-Disclosure] DoS in MiniShare 1.3.2, Donato Ferrante
Next by Date:  [Full-Disclosure] Re: Cisco's stolen code, Eric Scher
Previous by Thread:  Re: [Full-Disclosure] Odd packet?, Steffen Schumacher
Next by Thread:  Re: [Full-Disclosure] Odd packet?, Valentino Squilloni - Ouz
Indexes:  [Date] [Thread] [Top] [All Lists]