Attempt at cgi mail exploit

Bill McGonigle bill at bfccomputing.com
Wed Aug 31 23:36:00 EDT 2005


On Aug 31, 2005, at 21:54, Ted Roche wrote:

> My question: how likely is it that the IP address in my Apache logs is 
> correct? I'd like to report the abuse to the ISP, but there is no 
> point if it is spoofed.

TCP is hard to spoof because you have to complete the 3-way handshake 
so the victim computer needs to know where to send the SYN-ACK packet.  
If the source on the SYN packet is spoofed the connection never comes 
up.  With randomized sequence numbers, it's very hard to interpose 
oneself into the conversation, especially if you're not on a shared 
media subnet (unswitched 10-BaseT, e.g.).

In this case, it's unlikely that you're seeing a spoofed IP address.  
For ICMP and UDP DoS attacks, you can almost guarantee they're spoofed. 
(We thought everybody would be doing egress filtering by now.)

whois 213.112.195.100 at whois.arin.net gives a valid abuse address.

-Bill

-----
Bill McGonigle, Owner           Work: 603.448.4440
BFC Computing, LLC              Home: 603.448.1668
bill at bfccomputing.com           Mobile: 603.252.2606
http://www.bfccomputing.com/    Pager: 603.442.1833
Jabber: flowerpt at gmail.com      Text: bill+text at bfccomputing.com
RSS: http://blog.bfccomputing.com/rss
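A toy model of the handshake argument in the reply above, added here as an illustration rather than code from the post: the server only writes a client address to its log once the 3-way handshake completes, and the spoofed case fails because the SYN-ACK (and the randomized ISN it carries) goes to the claimed address, not to the sender. All addresses, ports and class names are constructed for the example.

```python
"""Toy model of the TCP 3-way handshake (added example, not from the post).

The server records a client address only once the handshake completes, and
completing it requires echoing the server's randomized ISN + 1, which only a
host that actually received the SYN-ACK can know.
"""
import secrets

MOD = 2 ** 32  # sequence numbers are 32-bit


class ToyServer:
    def __init__(self):
        self.half_open = {}   # (ip, port) -> server ISN, SYN_RECEIVED state
        self.access_log = []  # client IPs of ESTABLISHED connections only

    def on_syn(self, src_ip, src_port, client_isn):
        """Answer a SYN; the SYN-ACK is routed to src_ip, whoever that is."""
        server_isn = secrets.randbelow(MOD)  # randomized ISN
        self.half_open[(src_ip, src_port)] = server_isn
        return {"to": src_ip, "seq": server_isn, "ack": (client_isn + 1) % MOD}

    def on_ack(self, src_ip, src_port, ack):
        """Complete the handshake only if ack == server ISN + 1; log the IP."""
        isn = self.half_open.get((src_ip, src_port))
        if isn is None or ack != (isn + 1) % MOD:
            return False
        del self.half_open[(src_ip, src_port)]
        self.access_log.append(src_ip)
        return True


def connect(server, real_ip, claimed_ip, shared_media=False, port=40000):
    """Try to connect while claiming claimed_ip; return True if ESTABLISHED.

    The SYN-ACK is delivered to claimed_ip, so the real sender learns the
    server ISN only if claimed_ip is its own address, or if it sits on a
    shared-media segment (an unswitched hub) where it can see traffic
    addressed to claimed_ip.
    """
    syn_ack = server.on_syn(claimed_ip, port, client_isn=1000)
    if syn_ack["to"] == real_ip or shared_media:
        ack = (syn_ack["seq"] + 1) % MOD
    else:
        ack = secrets.randbelow(MOD)  # never saw the SYN-ACK: 1-in-2**32 guess
    return server.on_ack(claimed_ip, port, ack)
```

A spoofed SYN leaves only a half-open entry behind, so the address that reaches the access log is the one that actually completed the exchange.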




More information about the gnhlug-discuss mailing list