TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

Regarding SYNFlood reporting of spoofed IP addresses:

It is common to spoof the source address of synfloods, especially
with the wide variety of hacker tools that will do this for you and
that are easily obtainable.

RS uses 0.0.0.0 as a catch-all placeholder for all SYNFlood events to
decrease the performance load on both the network sensor and the RS
management console, which would be using all the different spoofed
source addresses to provide some uniqueness in hashing RealSecure
SYNFlood events' configurable response and display.  Using 0.0.0.0
allows this to hash to a single address, where it will be next to
impossible to track the true source of the attack.

I would agree that this is somewhat confusing as to what is going on,
and why.  I will log this as an issue to at the very least provide
clearer information in a future release, and that our performance
enhancement has made it difficult to respond to because information
is being obfuscated.

Pat Becker,
Sr. Researcher/X-Force
[EMAIL PROTECTED]

-----Original Message-----
From: Jason Axley [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 05, 2000 3:31 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: SYNFLOOD




My understanding of this is that, because a real synflood will most
likely originate from a spoofed source address, RealSecure does not
trust the source in a supposed "SYNFLOOD" attack and substitutes the
illegal address 0.0.0.0 for the actual source address the packets came
from, and then saves the original source address in the information
field, claiming it was spoofed.  My experience with this is that with
the default thresholds, it catches mostly legitimate traffic (false
positives).

The problem with RealSecure substituting 0.0.0.0 for the real source
address is that you can no longer implement filters to catch frequent
false positive offenders, since everyone is lumped into the single
0.0.0.0 source.

-Jason

On Mon, 3 Jul 2000 [EMAIL PROTECTED] wrote:

> Date: Mon Jul 03 12:43:34 2000
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED],
>     [EMAIL PROTECTED]
> Subject: Re: SYNFLOOD
> 
> 
> 
> I have received the same response, and I find it very frustrating
> since I have contacted ISS on what the spoofedsrc field is actually
> trying to tell me.  I got a spoofed src of 0.0.0.0 but the
> information field pointed to my firewall address.  When I contacted
> ISS about this they said that the spoofedsrc field is a guess as to
> who could be causing this synflood.  Anyone out there, please
> clarify what the purpose of this spoofed src field really is?
> 
> mark

-- 

AT&T Wireless Services
IT Security
UNIX Security Operations Specialist



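The trade-off Pat describes and the filtering problem Jason raises, as an added Python example that is not ISS or RealSecure code and is not from the thread: keying SYN-flood events on a 0.0.0.0 placeholder gives one console record instead of one per forged source, and applying a filter to the retained info field (an assumed mitigation, not a documented RealSecure feature) is one way to still exclude a known false-positive source such as a firewall. All addresses and event counts below are constructed.

```python
from collections import Counter, defaultdict

PLACEHOLDER = "0.0.0.0"   # catch-all source for SYNFlood events, as in the thread
FIREWALL = "10.0.0.1"     # constructed: a legitimate host that trips the threshold
VICTIM = "198.51.100.5"   # constructed: the destination of the SYN bursts

# Constructed sample: 200 SYNs, each with a different (spoofed) source, plus
# 50 SYNs from the firewall (the false positive mark and Jason describe).
SYN_EVENTS = [(f"192.0.2.{i % 254 + 1}", VICTIM) for i in range(200)]
SYN_EVENTS += [(FIREWALL, VICTIM)] * 50


def aggregate_by_source(events):
    """Naive keying: one console record per distinct (source, destination).
    A spoofed flood produces one record per forged source address."""
    return Counter(events)


def aggregate_with_placeholder(events):
    """Placeholder keying: every event hashes to (0.0.0.0, destination); the
    real sources survive only in an 'info' field, so one record per target."""
    records = defaultdict(lambda: {"count": 0, "info": Counter()})
    for src, dst in events:
        rec = records[(PLACEHOLDER, dst)]
        rec["count"] += 1
        rec["info"][src] += 1
    return dict(records)


def suppress_known_sources(records, known_ok):
    """Assumed mitigation: filter on the retained info field rather than on
    the primary key, so a known false-positive source can still be excluded
    even though every record is keyed on 0.0.0.0."""
    filtered = {}
    for key, rec in records.items():
        kept = Counter({s: n for s, n in rec["info"].items() if s not in known_ok})
        if kept:
            filtered[key] = {"count": sum(kept.values()), "info": kept}
    return filtered


if __name__ == "__main__":
    print("records keyed by source:      ", len(aggregate_by_source(SYN_EVENTS)))
    collapsed = aggregate_with_placeholder(SYN_EVENTS)
    print("records keyed on 0.0.0.0:     ", len(collapsed))
    cleaned = suppress_known_sources(collapsed, {FIREWALL})
    print("SYNs left after firewall filter:", cleaned[(PLACEHOLDER, VICTIM)]["count"])
```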