Re: Hijak detection
Darren Reed <avalon @
Fri, 14 Nov 1997 17:22:50 +1100 (EDT)
From "Frank Willoughby" at Nov 12, 97 08:22:23 am
In some mail from Frank Willoughby, sie said:
> At 05:01 PM 11/12/97 +1100, Darren Reed wrote:
> >In some mail from Jason Keimig, sie said:
> >> So, in a nutshell, LOOKING at the layer-2 information will turn up 90% of
> >> the offending hosts performing ANY kind of spoofing attack.
> >Only if you're on the same LAN. All routers will replace the source MAC
> >address with their own when routing.
> Hackers can also burn their own PROMS, if they need to. At this point,
> even Layer-2 info will be seen as valid on the same LAN (particularly
> after a Denial-of-Service attack).
So what's this got to do with IP spoofing? And if I can burn my own
PROMS and put them in the router (unless you meant EEPROM), why would
I even bother with IP spoofing?
The original posting by Jason mentioned that in most packet spoofing
hackers didn't properly forge the ethernet header (which they can do)
then it is obvious that the packets are spoofs. Spoofing the source
ethernet address (for example) is much easier than burning PROMs.
He went on to say that looking for these bad source layer-2 addresses
is a good indication of spoofing. My point was that after hopping
through several routers, etc, you lose the layer-2 info anyway, so
looking at it in an attempt to determine which packets are spoofs is
rather pointless - UNLESS the spoofing is taking place on the _same_
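The layer-2 check the thread argues about, as an added example that is not part of any post above: a small Python detector compares each packet's source MAC against a learned IP-to-MAC table for the local segment, flags the mismatches Jason described (attacker's real MAC with a forged IP), and reports "indeterminate" when the source MAC belongs to a router, since, as Darren notes, the router has already replaced the original sender's address. The host table, router MAC, and capture lines are constructed sample data.

```python
# Added example, not from the mailing-list thread. All MACs, IPs and the
# capture lines are constructed sample data.
from dataclasses import dataclass

# Constructed table of local hosts: IP -> MAC learned from DHCP/ARP records.
KNOWN_LOCAL_HOSTS = {
    "10.0.0.5": "00:11:22:33:44:55",
    "10.0.0.7": "00:11:22:33:44:77",
}
LOCAL_PREFIX = "10.0.0."

# MACs of routers on this segment. Anything they forward carries their MAC
# as the Ethernet source, so layer-2 says nothing about the original sender.
ROUTER_MACS = {"00:aa:bb:cc:dd:01"}


@dataclass
class Verdict:
    src_ip: str
    result: str   # "ok", "spoofed" or "indeterminate"
    reason: str


def check_layer2(src_mac: str, src_ip: str) -> Verdict:
    """Judge one packet from its Ethernet source and IP source addresses."""
    src_mac = src_mac.lower()
    if src_mac in ROUTER_MACS:
        # Routed traffic: the layer-2 information was lost at the first hop.
        return Verdict(src_ip, "indeterminate",
                       "source MAC is a router; original layer-2 info lost")
    if src_ip.startswith(LOCAL_PREFIX):
        expected = KNOWN_LOCAL_HOSTS.get(src_ip)
        if expected is None:
            return Verdict(src_ip, "spoofed", "local IP not in learned host table")
        if expected != src_mac:
            # The classic same-LAN case: real MAC of the sender, forged IP.
            return Verdict(src_ip, "spoofed",
                           f"MAC {src_mac} does not match learned {expected}")
        return Verdict(src_ip, "ok", "MAC matches learned binding")
    # A non-local source IP sent directly by a station on this segment.
    return Verdict(src_ip, "spoofed", "non-local source IP sent by a LAN station")


def scan(lines):
    """Parse constructed capture lines of the form 'src_mac src_ip'."""
    verdicts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, ip = line.split()[:2]
        verdicts.append(check_layer2(mac, ip))
    return verdicts


# Constructed capture: one good packet, two same-LAN spoofs, one routed packet.
SAMPLE_CAPTURE = """
# src_mac            src_ip
00:11:22:33:44:55    10.0.0.5
00:11:22:33:44:99    10.0.0.5
00:11:22:33:44:77    192.0.2.10
00:aa:bb:cc:dd:01    192.0.2.10
""".splitlines()

if __name__ == "__main__":
    for v in scan(SAMPLE_CAPTURE):
        print(f"{v.src_ip:12} {v.result:13} {v.reason}")
```

The fourth capture line is the case the thread turns on: the packet arrives with the router's MAC, so the detector can only say "indeterminate", which is exactly why the check is useful on the attacker's own segment and pointless several hops away.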