Attempt at cgi mail exploit
Bill McGonigle
bill at bfccomputing.com
Wed Aug 31 23:36:00 EDT 2005
On Aug 31, 2005, at 21:54, Ted Roche wrote:
> My question: how likely is it that the IP address in my Apache logs is
> correct? I'd like to report the abuse to the ISP, but there is no
> point if it is spoofed.
TCP is hard to spoof because you have to complete the 3-way handshake
so the victim computer needs to know where to send the SYN-ACK packet.
If the source on the SYN packet is spoofed the connection never comes
up. With randomized sequence numbers, it's very hard to interpose
oneself into the conversation, especially if you're not on a shared
media subnet (unswitched 10-BaseT, e.g.).
In this case, it's unlikely that you're seeing a spoofed IP address.
For ICMP and UDP DoS attacks, you can almost guarantee they're spoofed.
(we thought everybody would be doing egress filtering by now)
whois 213.112.195.100 at whois.arin.net gives a valid abuse address.
-Bill
-----
Bill McGonigle, Owner Work: 603.448.4440
BFC Computing, LLC Home: 603.448.1668
bill at bfccomputing.com Mobile: 603.252.2606
http://www.bfccomputing.com/ Pager: 603.442.1833
Jabber: flowerpt at gmail.com Text: bill+text at bfccomputing.com
RSS: http://blog.bfccomputing.com/rss
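Added example (not part of Bill's message or the list archive): a toy Python model of the argument above. It assumes a simplified handshake in which the server picks a random 32-bit ISN and only accepts an ACK that acknowledges it, and it assumes constructed Apache combined-log lines with TEST-NET addresses and a made-up CGI path. A client using its real address completes the handshake; a client that forges its source never sees the SYN-ACK and can only guess the ISN blindly, so the peer address that ends up in the access log is the one that really completed the handshake.

```python
"""Toy model: an HTTP request is logged only after a TCP three-way handshake,
and a SYN with a forged source address cannot complete one (added example;
the handshake and log format are simplified)."""
import re
import secrets
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0


class Network:
    """Delivers each packet to whichever host owns the destination address;
    packets addressed to nobody are dropped."""

    def __init__(self):
        self.hosts = {}

    def attach(self, addr, host):
        self.hosts[addr] = host

    def send(self, pkt):
        host = self.hosts.get(pkt.dst)
        if host is not None:
            host.receive(pkt, self)


class Server:
    """Listening side: answers SYN with SYN-ACK and accepts an ACK only if it
    acknowledges the ISN the server actually chose."""

    def __init__(self, addr):
        self.addr = addr
        self.half_open = {}    # peer address -> our ISN
        self.established = []  # peers that completed the handshake

    def receive(self, pkt, net):
        if pkt.flags == "SYN":
            isn = secrets.randbits(32)  # randomized ISN, as modern stacks use
            self.half_open[pkt.src] = isn
            net.send(Packet(self.addr, pkt.src, "SYN-ACK", seq=isn, ack=pkt.seq + 1))
        elif pkt.flags == "ACK":
            isn = self.half_open.get(pkt.src)
            if isn is not None and pkt.ack == (isn + 1) % 2**32:
                del self.half_open[pkt.src]
                self.established.append(pkt.src)
            # any other ACK is a stray and is dropped


class Client:
    """Connecting side. It only sees SYN-ACKs delivered to its own address,
    so a forged SYN source leaves it with no ISN to acknowledge."""

    def __init__(self, addr):
        self.addr = addr
        self.isn = secrets.randbits(32)

    def connect(self, server_addr, net, claimed_src=None):
        net.send(Packet(claimed_src or self.addr, server_addr, "SYN", seq=self.isn))

    def receive(self, pkt, net):
        if pkt.flags == "SYN-ACK" and pkt.ack == self.isn + 1:
            net.send(Packet(self.addr, pkt.src, "ACK",
                            seq=self.isn + 1, ack=(pkt.seq + 1) % 2**32))


def honest_connection():
    """Client uses its real address: the SYN-ACK reaches it and the handshake completes."""
    net, server, client = Network(), Server("server"), Client("client")
    net.attach("server", server)
    net.attach("client", client)
    client.connect("server", net)
    return server.established


def spoofed_connection():
    """Client forges its source: the SYN-ACK goes to the forged address, so
    all that is left is a blind ACK with a guessed ISN (1 in 2**32 chance)."""
    net, server, attacker = Network(), Server("server"), Client("attacker")
    net.attach("server", server)
    net.attach("attacker", attacker)
    attacker.connect("server", net, claimed_src="forged")
    net.send(Packet("forged", "server", "ACK", seq=attacker.isn + 1, ack=secrets.randbits(32)))
    return server.established, list(server.half_open)


# Constructed Apache combined-log lines (TEST-NET addresses, made-up CGI path).
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Aug/2005:21:40:12 -0400] "POST /cgi-bin/mail.cgi HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.23 - - [31/Aug/2005:21:41:03 -0400] "GET /index.html HTTP/1.1" 200 2048 "-" "-"',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3})')


def client_ips(lines):
    """The first field of a combined-log line is the TCP peer address, i.e. the
    host that completed the handshake before sending the request."""
    return [m.group(1) for line in lines if (m := LOG_RE.match(line))]


if __name__ == "__main__":
    print("honest:", honest_connection())
    print("spoofed (established, half-open):", spoofed_connection())
    print("log peers:", client_ips(SAMPLE_LOG))
```

The forged SYN still leaves a half-open entry on the server, which is why source spoofing matters for SYN floods even though it cannot produce a logged HTTP request; the addresses `client_ips` returns are the ones worth reporting to the abuse contact.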