[71240] in North American Network Operators' Group


Re: TCP-ACK vulnerability (was RE: SSH on the router)

daemon@ATHENA.MIT.EDU (Stephen J. Wilcox)
Fri Jun 11 13:09:15 2004

Date: Fri, 11 Jun 2004 18:06:20 +0100 (BST)
From: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
To: Alexei Roudnev <alex@relcom.net>
Cc: Sean Donelan <sean@donelan.com>, <nanog@merit.edu>
In-Reply-To: <002001c44f71$903779b0$6401a8c0@alexh>
Errors-To: owner-nanog-outgoing@merit.edu


Private addressing/non routing of the netblock is only of limited use.

I assume here the block is in the IGP... the more customers/networks you serve
the more chance of an attack coming from within.

Steve

On Thu, 10 Jun 2004, Alexei Roudnev wrote:

> 
> Do you have any (even minimal) need to allocate globally routable IP to the
> VLAN1 interface?
> 
> Other thing is that, even if I can find your switch, I will not have any
> minimal idea, that it is _your_ switch and any minimal need to break it. You
> could (easily) have allocated all switch and router loopback IP in private network
> many years ago, and filtered out this network on all inbound interfaces.
> 
> Even if I (if I were a hacker) scan your networks and find this switch (and
> you did not move it out of routable IP),
> I will not have any idea, what is it about, where this switch is, and not
> have any reason to break it...
> 
> 
> 
> 
> ----- Original Message ----- 
> From: "Sean Donelan" <sean@donelan.com>
> To: <nanog@merit.edu>
> Sent: Thursday, June 10, 2004 4:19 AM
> Subject: Re: TCP-ACK vulnerability (was RE: SSH on the router)
> 
> 
> >
> > On Wed, 9 Jun 2004, Alexei Roudnev wrote:
> > > This is minor exploit - usually you set up VLAN1 interface with IP address,
> > > which is filtered out from outside. Moreover, there is not any good way to
> > > find switch IP - it is transparent for user's devices.
> >
> > Yeah, port scanners are so rare on the Internet they'll never find your
> > IP address.  It's not as if the switches have an easy to detect banner
> > signature, and everyone uses out-of-band management for all their network
> > equipment.
> >
> 
> 

