Results tagged “firewall” from Just Another Hacker

Multipacket three way handshake

Tod Beardsley over at BreakingPoint Labs has identified a rarely recognized section of RFC 793 that allows you to deviate from the normal three-way handshake. Rather than doing
A ----syn-----> B
A <---synack--- B
A ----ack-----> B

which is the "normal" way of doing the three-way handshake, you can instead do:
A ----syn-----> B
A <---syn------ B
A ----synack--> B
A <---ack------ B
The change in direction could allow you to bypass stateful firewalls and intrusion detection or prevention devices, and perhaps change the SYN flood or spoofing landscape. He has successfully tested this against the major OSes.

Read the full post, containing packet captures and more, at http://www.breakingpointsystems.com/community/blog/tcp-portals-the-three-way-handshake-is-a-lie
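To see why the reordered exchange matters to a stateful device, here is an added example (not code from the original post or from BreakingPoint) that models two ways a firewall might track the handshake: a strict tracker that only accepts SYN, then SYN/ACK, then ACK in fixed directions, and an RFC 793-style tracker that treats the connection as established once each side's SYN has been acknowledged, regardless of order. The packets are constructed tuples of (src, dst, flags), not real captures; the state names are mine.

```python
"""Model of how a stateful device tracks the TCP three-way handshake.

Added example, not code from the original post or from BreakingPoint.
A strict tracker that only knows SYN -> SYN/ACK -> ACK is compared with a
tracker that applies RFC 793's rule: the connection is established once
each side's SYN has been acknowledged, whatever the packet order.
Packets are constructed (src, dst, flags) records; there is no real traffic.
"""
from dataclasses import dataclass

SYN = 0x02   # TCP header flag bits
ACK = 0x10


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flags: int


# The two sequences from the post above, plus a half-open connection for contrast.
NORMAL = [Pkt("A", "B", SYN), Pkt("B", "A", SYN | ACK), Pkt("A", "B", ACK)]
SPLIT = [Pkt("A", "B", SYN), Pkt("B", "A", SYN),
         Pkt("A", "B", SYN | ACK), Pkt("B", "A", ACK)]
HALF_OPEN = [Pkt("A", "B", SYN), Pkt("B", "A", SYN | ACK)]


def strict_track(packets):
    """Strict tracker: accepts only SYN -> SYN/ACK -> ACK with the initiator
    as client and its peer as server. Returns the final state, or
    'STALLED:<state>' naming where an unexpected packet stopped tracking."""
    state, client, server = "LISTEN", None, None
    for p in packets:
        if state == "LISTEN" and p.flags == SYN:
            client, server, state = p.src, p.dst, "SYN_SENT"
        elif state == "SYN_SENT" and (p.src, p.flags) == (server, SYN | ACK):
            state = "SYN_RECEIVED"
        elif state == "SYN_RECEIVED" and (p.src, p.flags) == (client, ACK):
            state = "ESTABLISHED"
        else:
            # Wrong flags or wrong direction for this state: the connection
            # never reaches ESTABLISHED in this tracker's table.
            return f"STALLED:{state}"
    return state


def rfc793_track(packets):
    """Direction-agnostic tracker: record which hosts have sent a SYN and
    which of those SYNs have been acknowledged by the peer. Established
    once both hosts have done both, in any order (covers simultaneous open)."""
    syn_seen = set()    # hosts that have sent a SYN
    syn_acked = set()   # hosts whose SYN the peer has acknowledged
    hosts = set()
    for p in packets:
        hosts.update((p.src, p.dst))
        if p.flags & SYN:
            syn_seen.add(p.src)
        if p.flags & ACK and p.dst in syn_seen:
            syn_acked.add(p.dst)
    if syn_seen == hosts and syn_acked == hosts and hosts:
        return "ESTABLISHED"
    return "INCOMPLETE"


def compare(packets):
    """Both verdicts side by side, for the demo and the tests."""
    return {"strict": strict_track(packets), "rfc793": rfc793_track(packets)}


if __name__ == "__main__":
    for name, seq in (("normal", NORMAL), ("split", SPLIT), ("half-open", HALF_OPEN)):
        print(f"{name:10s} {compare(seq)}")
```

The strict tracker handles the normal exchange but stalls on the split one at the second SYN, so a device built that way either drops the connection or, worse, stops inspecting it; tracking each endpoint's SYN and its acknowledgement separately, as the second function does, establishes state for both orderings and still rejects the half-open case.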

I've always had to deal with it, and I don't find MT's spam modules to be very helpful in easing the pain of managing trackback spam. So I thought it might just be worth blocking some IPs. I did a little grep and, without any further ado, I present the numbers taken from 6 months' worth of Apache logs:

root@localhost# zgrep tb.cgi access.log* | awk '{print $1}' | sort | uniq -c | sort -n -r | head -25
   3390 74.86.238.186
    471 206.51.226.198
    451 208.53.130.221
    435 64.34.172.35
    329 66.96.208.53
    318 67.159.44.159
    299 65.60.37.195
    257 76.73.1.50
    248 208.85.242.212
    188 208.53.137.178
    169 72.167.36.70
    161 208.43.255.125
    148 212.227.114.150
    140 65.18.193.119
    139 74.63.64.94
    138 69.65.58.166
    137 66.197.167.120
    136 208.109.171.65
    129 74.86.60.98
    128 66.45.240.66
    120 64.59.71.191
    113 67.159.44.63
     99 64.202.163.76
     98 85.17.145.7
     93 64.191.50.30


Sometimes I wish I could easily group by CIDR on the CLI.
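Grouping by CIDR is a short script away. The following is an added example, not code from the original post: it reproduces the `zgrep tb.cgi | awk | sort | uniq -c` pipeline above in Python, then folds the per-IP counts into /24 (or any other) prefixes and, for prefixes over a threshold, emits iptables DROP rules. The log lines are constructed for the demo (the request path and the threshold value are assumptions), not real traffic.

```python
"""Group trackback-spam sources by CIDR prefix instead of by single IP.

Added example, not code from the original post. Reproduces the
`zgrep tb.cgi access.log* | awk '{print $1}' | sort | uniq -c` pipeline
and then aggregates per-IP counts into prefixes. The log lines are
constructed for the demo and are not real traffic.
"""
import ipaddress
import re
from collections import Counter

# Constructed Apache combined-format lines; the trackback path is assumed.
SAMPLE_LOG = """\
74.86.238.186 - - [05/Feb/2008:10:00:01 +0000] "POST /mt/mt-tb.cgi/12 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
74.86.238.186 - - [05/Feb/2008:10:00:03 +0000] "POST /mt/mt-tb.cgi/12 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
74.86.238.190 - - [05/Feb/2008:10:01:07 +0000] "POST /mt/mt-tb.cgi/15 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
206.51.226.198 - - [05/Feb/2008:10:02:11 +0000] "POST /mt/mt-tb.cgi/12 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.9 - - [05/Feb/2008:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
74.86.238.186 - - [05/Feb/2008:10:03:45 +0000] "POST /mt/mt-tb.cgi/15 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
206.51.226.198 - - [05/Feb/2008:10:04:02 +0000] "POST /mt/mt-tb.cgi/15 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
not-a-log-line
10.0.0.5 - - [05/Feb/2008:10:05:00 +0000] "POST /mt/mt-tb.cgi/12 HTTP/1.1" 403 0 "-" "curl/7.18"
"""

# Leading fields of the combined log format: host, ident, user, [time], "request", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3})')


def count_by_ip(lines, needle="tb.cgi"):
    """Per-IP count of requests whose request line contains `needle`."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or needle not in m.group("request"):
            continue   # unparseable line, or not a trackback request
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue   # hostname-logged or garbled source field; skip it
        counts[ip] += 1
    return counts


def group_by_prefix(counts, prefix_len=24):
    """Fold per-IP counts into per-prefix counts (e.g. /24 for IPv4).
    strict=False makes ip_network() zero the host bits for us."""
    grouped = Counter()
    for ip, n in counts.items():
        grouped[ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)] += n
    return grouped


def top_prefixes(lines, prefix_len=24, limit=25, needle="tb.cgi"):
    """Top `limit` prefixes as (cidr, count), most requests first; limit=None for all."""
    grouped = group_by_prefix(count_by_ip(lines, needle), prefix_len)
    return [(str(net), n) for net, n in grouped.most_common(limit)]


def block_rules(lines, prefix_len=24, threshold=2, needle="tb.cgi"):
    """iptables DROP rules for prefixes with at least `threshold` hits.
    The threshold is an assumption for the demo; tune it against your own logs."""
    return [f"iptables -A INPUT -s {cidr} -j DROP"
            for cidr, n in top_prefixes(lines, prefix_len, None, needle)
            if n >= threshold]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for cidr, n in top_prefixes(lines):
        print(f"{n:7d} {cidr}")
    print("\n".join(block_rules(lines)))
```

Change `prefix_len` to 16 to see whether the top entries collapse into a single provider block; with real logs, feed it `gzip.open()` handles for the rotated `access.log*.gz` files instead of `SAMPLE_LOG`.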

Blocking another spammer

Most of the comment spam I receive on this blog was coming from within two IP ranges, both belonging to:
aut-num: AS44557
as-name: DRAGONARA
descr: Dragonara Alliance Ltd
import: from AS13030 action pref=100; accept ANY
export: to AS13030 announce AS44557
admin-c: AGAV2-RIPE
tech-c: AGAV2-RIPE
notify: tech@dragonara.net
mnt-by: DRAGONARA-MNT
mnt-routes: DRAGONARA-MNT
changed: hostmaster@ripe.net 20080205
source: RIPE

I have blocked them in my firewall and would recommend you do the same.
This weblog is licensed under a Creative Commons License.