Ethereal-users: RE: [Ethereal-users] Covert Channel Detected? (Quick Follow-Up)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Richard Binns <richard.binns@xxxxxxxxx>
Date: Fri, 5 Nov 2004 10:15:14 -0000
Hi

After having a look at this, here are a few comments:

The transport layer is malformed, which is evidence of packet crafting in the network.
The IP frame is fragmented, which could indicate a means of penetrating systems for remote triggering of events.
The frame sizes are in error, hence the trailer.

Suggestions:
I do not think this is a scanner, as it is not following SYN/FIN/Xmas-style structures, and therefore no information is leaking from your systems back to the source.
I think this may be a means of controlling / triggering DDoS zombies that are already infected on the net.

Actions:
I suggest stateful inspection of traffic into your web server; simple TCP handshake and state analysis will prevent fragments arriving and therefore remove this potential.
If using Windows (post-2K), close off the ports not required on the server, using the advanced network settings.
With a Cisco router in front of the server, control the flow of ports both INTO and OUT of the server, using asymmetric ACLs (ingress and egress) plus reflexive ACLs to open a port when TCP states are matched correctly. At least configure Lock & Key ACLs to provide a punch-through to the server on designated ports, which can close. I personally like the TCP established ACL, as this can provide all required HTTP / FTP connections.
Trawl through all apps / services / daemons running on the server and verify that they are legitimate.

Hope this helps.

Rick
-----Original Message-----
From: Robinson, Eric [mailto:eric@xxxxxxxxx]
Sent: 05 November 2004 09:56
To: ethereal-users; rlug
Subject: [Ethereal-users] Covert Channel Detected? (Quick Follow-Up)

Okay, before anybody zaps me for saying "class C," I meant it is a C-sized CIDR block.

--
Eric Robinson
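The three symptoms Rick lists (a fragmented IP datagram, a malformed TCP header, and a frame that is longer than the IP total length, which Ethereal displays as a trailer) can be checked mechanically on raw frames. The following is an added example, not code from the thread or from the Ethereal project: a stand-alone Python script that parses Ethernet/IPv4/TCP headers with the standard library and reports each symptom. The sample frames, MAC/IP addresses and ports are constructed for illustration. It also handles one case the thread does not mention: Ethernet pads short frames to 60 bytes plus FCS, so a few zero bytes after a 40-byte SYN are normal padding, not evidence of crafting, and the script only flags a trailer when the frame exceeds both the IP total length and the minimum Ethernet payload.

```python
"""Flag IP fragmentation, malformed TCP headers and Ethernet trailers in
raw frames. Added example for the Ethereal-users thread; all frames below
are constructed, nothing here is captured traffic."""
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
MIN_ETH_PAYLOAD = 46  # 64-byte minimum frame minus 14-byte header and 4-byte FCS


def analyse_frame(frame: bytes) -> list:
    """Return a list of findings for one raw Ethernet frame ([] means clean)."""
    findings = []
    if len(frame) < ETH_HDR_LEN + 20:
        return ["frame too short to hold Ethernet + IPv4 headers"]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return []  # only IPv4 is inspected here

    ip = frame[ETH_HDR_LEN:]
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", ip[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        return ["malformed IPv4 header (version/IHL)"]

    # Symptom 1: fragmentation. MF flag (0x2000) or a non-zero fragment
    # offset means this frame carries only part of a datagram.
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = (flags_frag & 0x1FFF) * 8
    if more_fragments or frag_offset:
        findings.append(f"IP fragment (MF={int(more_fragments)}, offset={frag_offset})")

    # Symptom 3: bytes beyond the IP total length. Ethereal shows them as a
    # "Trailer"; only flag when they exceed legitimate minimum-frame padding.
    payload_len = len(frame) - ETH_HDR_LEN
    if payload_len > max(total_len, MIN_ETH_PAYLOAD):
        findings.append(f"{payload_len - total_len}-byte trailer after IP datagram")
    elif payload_len < total_len:
        findings.append("frame shorter than IP total length (truncated)")

    # Symptom 2: TCP header sanity. Only the first fragment (offset 0)
    # carries the TCP header, so later fragments cannot be checked here.
    if proto == IPPROTO_TCP and frag_offset == 0:
        tcp = ip[ihl:total_len]
        if len(tcp) < 20:
            findings.append("TCP header truncated (<20 bytes)")
        else:
            data_offset = (tcp[12] >> 4) * 4  # header length in bytes, must be 20..60
            if data_offset < 20 or data_offset > len(tcp):
                findings.append(f"malformed TCP header (data offset {data_offset} bytes)")
    return findings


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def make_frame(flags_frag: int = 0x4000, tcp_data_offset: int = 5, trailer: bytes = b"") -> bytes:
    """Constructed sample frame: Ethernet + IPv4 + 20-byte TCP SYN to port 80.
    flags_frag 0x4000 is DF (a normal unfragmented packet); 0x2000 sets MF.
    Addresses are from the documentation ranges (hypothetical)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, tcp_data_offset << 4, 0x02, 8192, 0, 0)
    total_len = 20 + len(tcp)
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                             64, IPPROTO_TCP, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 10]))
    ip = ip_no_csum[:10] + struct.pack("!H", ip_checksum(ip_no_csum)) + ip_no_csum[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + trailer


if __name__ == "__main__":
    samples = {
        "clean SYN": make_frame(),
        "first fragment (MF set)": make_frame(flags_frag=0x2000),
        "second fragment (offset 40)": make_frame(flags_frag=0x0005),
        "TCP data offset 3 words": make_frame(tcp_data_offset=3),
        "30-byte trailer": make_frame(trailer=b"\x00" * 30),
    }
    for name, frame in samples.items():
        print(f"{name}: {analyse_frame(frame) or 'no findings'}")
```

To run it against real traffic, feed `analyse_frame` the raw bytes of each Ethernet frame from a capture (for example via a pcap reader); the checks apply per frame and do not reassemble fragments, so a second fragment is reported as such rather than inspected for TCP.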