Re: IPS Testing

From: Clone (c70n3@yahoo.co.in)
Date: Fri Jan 18 2008 - 13:26:55 EST


What if an attacker spoofs SQL Injection/XSS/CSRF
attack packets on port 80? I guess it should be easy
to spoof a whole lot of IP addresses with such a
payload.

--- Mike Gibson <micheal.gibson@gmail.com> wrote:

> Pentestr,
>
> Chances are the IPS is blocking your IP because of
> the malicious
> payload within the packets that Nessus is sending.
> Spoofing your IP
> for a TCP session to get to the point where the
> server believes you
> have an established connection so you can actually
> send a malicious
> payload from a spoofed IP is not that easy these
> days. If you are able
> to get the IPS to permanently block your IP based on
> other things like
> performing an NMAP scan from a spoofed IP for
> example then that would
> be something that would be easy to reproduce and
> something your client
> would definitely want to do something about.
>
> Do you know for sure that it is blocking you
> forever? Most clients I
> have come across block for a certain amount of time
> (as much as 24
> hours) but it isn't forever.
>
> If I was a network admin and my IPS was blocking an
> IP for 24 hours
> based on it detecting malicious content in a
> datagram during an
> established TCP session I wouldn't be too concerned
> about an attacker
> leveraging this to perform a DoS against legitimate
> users. I would be
> nervous about false positives but that is another
> story. :-)
>
> Mike Gibson
> Security Architect
> Third Brigade
>
> On Jan 8, 2008 9:36 AM, Maxime Ducharme
> <mducharme@cybergeneration.com> wrote:
> >
> > Hi
> >
> > I suggest iptables SNAT
> >
> > spoof every packet destined to their address
> >
> > something like
> > iptables -t nat -A POSTROUTING -o ethX --dst 4.3.2.1 -j SNAT --to-source 1.2.3.4
> >
> > where 4.3.2.1 is their IP and 1.2.3.4 is the spoofed IP
> >
> > some info :
> >
> > http://iptables-tutorial.frozentux.net/iptables-tutorial.html#SNATTARGET
> >
> > hth
> >
> > Max
> >
> >
> > -----Original Message-----
> > From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
> > On behalf of pentestr
> > Sent: 3 January 2008 03:56
> > To: Pentest Mailinglist
> > Subject: IPS Testing
> >
> >
> > Hi,
> >
> > I am doing a PT for a customer and found that after running nessus
> > against the target our IP is getting blocked permanently. I want to show
> > this issue to the customer.
> > 1. Is there any specific tool that can generate nessus traffic by
> > spoofing IPs?
> > 2. Is there any tool that can change IP on the fly? While running nessus
> > that should change source IP?
> >
> > The server has only port 80 open.
> >
> > Thank you.
> > Regards.
> > PenTestr.
> >
> >
>
------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Need to secure your web apps NOW?
> > Cenzic finds more, "real" vulnerabilities fast.
> > Click to try it, buy it or download a solution
> FREE today!
> >
> > http://www.cenzic.com/downloads
> >
>
------------------------------------------------------------------------
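The distinction Mike draws above, between a block keyed on a malicious payload seen inside an established TCP session (hard to trigger from a forged source) and a block keyed on a stateless event such as a single scan packet (trivially forged), and between time-limited and permanent blocks, as a small added simulation. This is not code from the thread or from any IPS product; the `BlockPolicy`/`BlockTable`/`Event` names, the event labels and the RFC 5737 documentation addresses are all constructed for the example.

```python
"""Toy model of an IPS block policy (constructed illustration, not from the
thread): compare blocks triggered by a malicious payload inside an established
TCP session with blocks triggered by a stateless event such as a single SYN,
whose source address may be forged, and compare time-limited with permanent
blocks. Addresses are RFC 5737 documentation ranges; event kinds are labels
chosen for this example."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

HOUR = 3600.0


@dataclass
class Event:
    src_ip: str
    kind: str          # e.g. "payload_signature" or "syn_scan" (example labels)
    established: bool  # True when seen inside a completed TCP three-way handshake
    ts: float          # seconds since the start of the scenario


@dataclass
class BlockPolicy:
    ttl: Optional[float]      # block duration in seconds; None means permanent
    block_on_stateless: bool  # allow events outside an established session to block


@dataclass
class BlockTable:
    policy: BlockPolicy
    # src_ip -> expiry timestamp (None = permanent)
    blocks: Dict[str, Optional[float]] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def observe(self, ev: Event) -> bool:
        """Apply the policy to one detection; return True if the source was blocked."""
        if not ev.established and not self.policy.block_on_stateless:
            # The source of a stateless event is unverified: alert, but do not block.
            self.log.append(f"t={ev.ts:.0f} ALERT {ev.kind} from {ev.src_ip} "
                            "(source unverified, not blocked)")
            return False
        expiry = None if self.policy.ttl is None else ev.ts + self.policy.ttl
        self.blocks[ev.src_ip] = expiry
        until = "forever" if expiry is None else f"until t={expiry:.0f}"
        self.log.append(f"t={ev.ts:.0f} BLOCK {ev.src_ip} for {ev.kind} {until}")
        return True

    def is_blocked(self, ip: str, now: float) -> bool:
        """Check the table at time `now`, expiring a stale entry on the way."""
        if ip not in self.blocks:
            return False
        expiry = self.blocks[ip]
        if expiry is not None and now >= expiry:
            del self.blocks[ip]
            return False
        return True


ATTACKER = "198.51.100.7"  # sends a malicious payload over a real TCP session
INNOCENT = "203.0.113.9"   # its address appears as the forged source of a scan


def run_scenario(policy: BlockPolicy) -> BlockTable:
    """Two constructed detections: a real attacker, then a scan with a forged source."""
    table = BlockTable(policy)
    table.observe(Event(ATTACKER, "payload_signature", established=True, ts=0.0))
    table.observe(Event(INNOCENT, "syn_scan", established=False, ts=10.0))
    return table


def blocked_after(policy: BlockPolicy, ip: str, seconds: float) -> bool:
    """Is `ip` still blocked `seconds` into the scenario under `policy`?"""
    return run_scenario(policy).is_blocked(ip, seconds)


PERMANENT_ANY = BlockPolicy(ttl=None, block_on_stateless=True)
DAY_ANY = BlockPolicy(ttl=24 * HOUR, block_on_stateless=True)
DAY_ESTABLISHED = BlockPolicy(ttl=24 * HOUR, block_on_stateless=False)

if __name__ == "__main__":
    for name, pol in [("permanent/any trigger", PERMANENT_ANY),
                      ("24h/any trigger", DAY_ANY),
                      ("24h/established-session only", DAY_ESTABLISHED)]:
        table = run_scenario(pol)
        print(f"== {name}")
        print("\n".join(table.log))
        print(f"innocent blocked after 25h? {table.is_blocked(INNOCENT, 25 * HOUR)}")
```

Under the permanent policy the forged scan leaves the innocent address blocked indefinitely, which is the denial-of-service concern in the thread; under the 24-hour policy the same entry clears on its own, and when only established-session detections may block, the forged scan is logged but never blocks anyone, while the real attacker's payload still earns a block.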





This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:20 EDT