Museum Of Broken Packets
hobbicik writes: "Quote from the page: 'The purpose of this museum is to provide a shelter for strange, unwanted, malformed packets - abandoned and doomed freaks of nature - as we, mere mortals, meet them on twisted paths of our grand journey called life.'" Interesting and amusing idea. Most of the wasted packets I get are IIS worm attempts -- not nearly as interesting.
Tim
Pushin' 'n dealin', shovin' 'n stealin'
This isn't hard to foil at all. The "attacker" (Hotmail in this case) can already trace up to your firewall, but not beyond it. This allows them to get the _incoming_ packets past the firewall because they are part of an established connection, but the _outgoing_ packets will not be; they will be ICMP packets. Just block the outgoing TTL Exceeded packets (and while you are at it all ICMP except maybe ECHO) at your firewall.
It is as important to control what is leaving your network as what is coming in.
Si vis pacem, para bellum
The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
Y'all DO know about tcptraceroute, right?
-- Cerebus
tcptraceroute works by sending SYN packets with incremented TTLs to publicly available servers on port 80 (or other public port). This passes firewalls because they are configured to allow traffic to these servers (hence "publicly available").
Again, this will not work if your firewall drops the outbound ICMP packets. In the case of tcptraceroute you will eventually get an ACK back from the server, so you will know how many hops it is behind the firewall, but no other information.
The Hotmail trick is somewhat more insidious because it is used in the midst of a session; the firewall will usually pass the traffic to a normally protected (even NAT'd) host.
Both are easily blocked with outbound filters.
Si vis pacem, para bellum
The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
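The outbound filter proposed in the comments above (drop ICMP leaving the network, optionally allowing echo), modelled as an added example that is not part of the thread or any poster's code. The function names, the fail-closed handling of malformed packets and fragments, and the sample packets (built inline from documentation addresses) are assumptions of this sketch.

```python
import struct

ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 8, 11
PROTO_ICMP, PROTO_TCP = 1, 6

def build_ipv4(src, dst, proto, payload, ttl=64, frag_off=0):
    """Constructed sample packet: 20-byte IPv4 header (checksum left 0) + payload."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0,
                         frag_off, ttl, proto, 0, addr(src), addr(dst))
    return header + payload

def icmp(icmp_type, code=0):
    """Constructed 8-byte ICMP header (checksum left 0)."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0)

def egress_verdict(packet, allowed_icmp=(ICMP_ECHO_REQUEST,)):
    """Decide ACCEPT/DROP for a packet leaving the network (ICMP policy only)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "DROP"                      # not parseable as IPv4: fail closed
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) <= ihl:
        return "DROP"                      # bad header length or no payload
    if packet[9] != PROTO_ICMP:
        return "ACCEPT"                    # other protocols are out of scope here
    frag_off = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if frag_off:
        return "DROP"                      # non-first fragment: ICMP type not visible
    return "ACCEPT" if packet[ihl] in allowed_icmp else "DROP"

def demo():
    inside, outside = "192.0.2.10", "198.51.100.7"   # documentation addresses
    samples = {
        "time_exceeded": build_ipv4(inside, outside, PROTO_ICMP, icmp(ICMP_TIME_EXCEEDED)),
        "echo_request": build_ipv4(inside, outside, PROTO_ICMP, icmp(ICMP_ECHO_REQUEST)),
        "tcp_segment": build_ipv4(inside, outside, PROTO_TCP, b"\x00" * 20),
    }
    return {name: egress_verdict(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    print(demo())
```

Passing `allowed_icmp=()` gives the stricter variant in which no ICMP leaves at all.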