
Re: Strange traffic from ISP dns server



On Sun, 13 Jan 2002, Peter Jönsson wrote:

[ Sorry that this message is marked as ISO-8859-8-i and not as ISO-8859-1]

> Ok..
>
> I'm pretty sure now that this is just snort reporting when the dns-server
> sends back the data from the lookup. The dns-server just happens to send
> it to some port that snort is looking for traffic on. But won't this make
> it very easy to hide your attempts to connect to a backdoor ( or
> something ), you spoof yourself as 10.0.0.1 and the person reading the
> logs will just ignore that since they know that it's just the dns-server?

The tricky part with spoofing packets is to get a reply to your packets.
It should be noted that commands could be given even without reply
packets, though.

Suppose someone from a host far away in the internet spoofs a packet to
you "from" 10.0.0.1. Then your computer, should it choose to reply to
that packet, will reply by sending a packet to 10.0.0.1 (this is UDP, and
thus we're talking about single packets, and not connections, as in UDP).
This packet will probably be routed to the real 10.0.0.1.

If the sender has control over one of the routers along the way, or
something similar, then he can pull such a trick. BTW: If the sender is
from outside of Telia's network, it is probably difficult for him to slip
in packets to internal hosts at all. Theoretically it is impossible, but
there may certainly be holes in the masquerading that will allow this.

If Telia have the minimal brains, they drop all packets that spoof as
originating from 10.x.x.x in the entrance from the internet.

-- 
Tzafrir Cohen                        /"\
mailto:tzafrir@technion.ac.il        \ /  ASCII Ribbon Campaign
Taub 229, 972-4-829-3942,             X   Against  HTML  Mail
http://www.technion.ac.il/~tzafrir   / \
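The two checks this reply argues for, written out as an added example (not code from the thread or from either poster): an ISP-side ingress filter that drops packets arriving from the internet with a private source address, and a host-side triage rule that treats 10.0.0.1 as benign only when the packet is a UDP reply from port 53 to a port on which the host has a DNS query outstanding. The resolver address, interface names and port numbers are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values (assumptions, not from the mail): the ISP resolver
# address and the name of the ISP router's internet-facing interface.
ISP_RESOLVER = ipaddress.ip_address("10.0.0.1")
INTERNET_IFACE = "eth1"
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    iface: str   # interface the packet arrived on
    proto: str   # "UDP" or "TCP"
    src: str
    sport: int
    dst: str
    dport: int


def border_filter(pkt: Packet) -> bool:
    """ISP-side ingress rule: True if the packet may enter the ISP network.

    A packet arriving from the internet that claims a private source
    address cannot be a genuine one and is dropped (BCP 38 style filtering).
    """
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == INTERNET_IFACE and any(src in n for n in PRIVATE_NETS):
        return False
    return True


def host_classify(pkt: Packet, open_query_ports: set) -> str:
    """Host-side triage of an inbound packet.

    open_query_ports is the set of local UDP ports with a DNS query still
    outstanding (state the host itself knows), so a packet from the
    resolver is trusted only as a port-53 reply to one of those ports.
    """
    src = ipaddress.ip_address(pkt.src)
    if src != ISP_RESOLVER:
        return "other"
    if pkt.proto == "UDP" and pkt.sport == 53 and pkt.dport in open_query_ports:
        return "benign: DNS reply"
    # Same source address, but not a reply to anything this host asked:
    # do not wave it through just because 10.0.0.1 looks familiar.
    return "investigate: resolver address on unsolicited traffic"
```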
