Velocity Reviews - Computer Hardware Reviews

FTP sessions with spoofed IP-address

Cater_Soke
      10-21-2004
Hi,
I saw a lot of attempts to log in at an FTP-server with wrong user
accounts. I reported it for investigation to our security guy who
manages the firewall that protects the FTP-server. He told me that
more investigation was meaningless because the IP-addresses were
spoofed. Has anyone an idea why a cracker would use a spoofed address
to try a login, as to my knowledge he would never see the results?


--
If there were a sig here, would you read it?
WO
      10-21-2004
More than likely, it was someone trying to get into a user account by merely
guessing passwords. A person could use a spoofed IP address in case they
were in a position where they could be in trouble, legally or otherwise. It
would make it harder to trace it back to that person. Not impossible by any
means, but harder.

If I were guessing, I would say it was someone trying to brute force the
passwords and/or user accounts in order to gain access to the ftp server.

Cater_Soke
      10-21-2004
>More than likely, it was someone trying to get into a user account by merely
>guessing passwords. A person could use a spoofed IP address in case they
>were in a position where they could be in trouble, legally or otherwise.
Yes, but what I wonder is: is it possible to use a spoofed IP-address to log in
to an FTP-server and see the results of the attempt?


> It
>would make it harder to trace it back to that person. Not impossible by any
>means, but harder.
>
>If I were guessing, I would say it was someone trying to brute force the
>passwords and or user accounts in order to gain access to the ftp server.
yes, indeed


--
If there were a sig here, would you read it?
Mark
      10-22-2004
>>More than likely, it was someone trying to get into a user account by merely
>>guessing passwords. A person could use a spoofed IP address in case they
>>were in a position where they could be in trouble, legally or otherwise.
>
> Yes, but I wonder is: it possible to use a spoofed IP-address to login
> to a FTP-server and see the results of the attempt ?


I think I understand what you are getting at. How would the attacker
receive the syn-ack to the initial syn if the source address was spoofed?

While it's --technically-- possible, it would be a very sophisticated
attack and one that I've never heard of anyone accomplishing against any
reasonably modern operating system.

Kevin Mitnick is famous for successfully performing just such an attack.
But that was when operating systems used more predictable sequence
numbers.

This might be an interesting read:
http://www.networkcommand.com/docs/ipspoof.txt
But it was written in 1996 so it doesn't really apply anymore.

I guess I would have to ask the firewall admin how he came to the
conclusion that the source address was spoofed.
>>It
>>would make it harder to trace it back to that person. Not impossible by any
>>means, but harder.
>>
>>If I were guessing, I would say it was someone trying to brute force the
>>passwords and or user accounts in order to gain access to the ftp server.
>
> yes, indeed


And, I would have to ask, why would someone sophisticated enough to
perform a tcp "man in the middle" attack try to brute force
usernames/passwords? If they have the resources to perform a tcp "man
in the middle" attack they can probably just sniff the
usernames/passwords of valid accounts that log in. You would have to be
able to sniff connections to the server in order to see the initial
sequence number and subsequently correctly guess the correct sequence
number to respond with to hijack the connection.

Given that ability, why even bother to use usernames/accounts? Just
wait until a valid user logs in and hijack their tcp session.

>>>Hi,
>>>I saw a lot of attempts to login at an FTP-server with wrong user
>>>accounts. I reported it for investigation to our security guy who
>>>manages the firewall that protect the FTP-server. He told me that he
>>>more investigation was meaningless because the IP-addresses where
>>>spoofed. Has anyone an idee why a cracker would use a spoofed address
>>>to try a login as to my knowledge he would never see the results?


I think I agree with what you were trying to get at. I think the
firewall admin was just 'blowing smoke' to get you to go away.

With that said, I'm not sure you have a whole lot to worry about since
I'm guessing they never successfully logged in? It might not be worth
--much-- investigation if that's the case.

Make sure a 'valid' user didn't log in about the time you saw this
scanning. And, if one did, find out what they did.

If you post the accounts they tried then maybe someone here can
link it back to some automated tool.

Mark
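Mark's two practical suggestions (look at the failed-login pattern itself, and check whether a 'valid' user logged in around the same time) can be turned into a small log check. The script below is an added example, not code from the thread. The log lines are constructed for it; their layout is an assumption loosely modelled on the W3C extended format IIS writes (date, time, client IP, username, method, URI, status), where a PASS with status 530 is a failed login and 230 a successful one. Adapt parse_line() to whatever your server actually logs.

```python
"""Find credential-guessing bursts in FTP logs and list the successful
logins that happened near them.  Added example; log lines are CONSTRUCTED
and their format is an assumption (IIS-like W3C extended fields)."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2004-10-21 23:33:04 203.0.113.7 - [1]USER administrator 331 0
2004-10-21 23:33:04 203.0.113.7 administrator [1]PASS - 530 1326
2004-10-21 23:33:05 203.0.113.7 - [2]USER admin 331 0
2004-10-21 23:33:05 203.0.113.7 admin [2]PASS - 530 1326
2004-10-21 23:33:06 203.0.113.7 - [3]USER root 331 0
2004-10-21 23:33:06 203.0.113.7 root [3]PASS - 530 1326
2004-10-21 23:33:07 203.0.113.7 - [4]USER test 331 0
2004-10-21 23:33:07 203.0.113.7 test [4]PASS - 530 1326
2004-10-21 23:33:08 203.0.113.7 - [5]USER anonymous 331 0
2004-10-21 23:33:08 203.0.113.7 anonymous [5]PASS - 530 1326
2004-10-21 23:40:12 192.0.2.44 - [6]USER luc 331 0
2004-10-21 23:40:12 192.0.2.44 luc [6]PASS - 230 0
2004-10-21 23:40:15 192.0.2.44 luc [6]sent /reports/q3.xls 226 0
2004-10-22 08:01:00 192.0.2.90 - [7]USER luc 331 0
2004-10-22 08:01:00 192.0.2.90 luc [7]PASS - 230 0
"""


def parse_line(line):
    """Return an event dict for a PASS line, None for anything else."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 8:
        return None
    date, time, ip, user, method, _uri, status, _win32 = parts
    if not method.endswith("PASS"):
        return None
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "ip": ip,
        "user": user,
        "ok": status == "230",  # 230 = logged in, 530 = login failed
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Per source IP, find runs of at least `threshold` failed PASS commands
    inside `window` (sliding).  One record per burst, with usernames tried."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["ip"]].append(e)
    bursts = []
    for ip, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        current, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            if current is None or evs[end]["ts"] - current["last"] > window:
                current = {"ip": ip, "first": evs[start]["ts"], "last": evs[end]["ts"],
                           "failures": 0, "usernames": set()}
                bursts.append(current)
                members = evs[start:end + 1]
            else:
                members = [evs[end]]  # extend the burst already open
            current["last"] = evs[end]["ts"]
            current["failures"] += len(members)
            current["usernames"].update(m["user"] for m in members)
    return bursts


def logins_near(events, bursts, margin=timedelta(minutes=15)):
    """Successful logins from any address within `margin` of a burst:
    these are the users to go and ask what they did."""
    hits = []
    for e in events:
        if not e["ok"]:
            continue
        for b in bursts:
            if b["first"] - margin <= e["ts"] <= b["last"] + margin:
                hits.append(dict(e, burst_ip=b["ip"]))
                break
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    bursts = find_bursts(evs)
    for b in bursts:
        print(f"{b['ip']}: {b['failures']} failed logins {b['first']}..{b['last']}, "
              f"users tried: {sorted(b['usernames'])}")
    for h in logins_near(evs, bursts):
        print(f"check with {h['user']}: login from {h['ip']} at {h['ts']} "
              f"near burst from {h['burst_ip']}")
```

The username list per burst is what Mark asks for: a fixed run like administrator/admin/root/test/anonymous is the fingerprint of an automated tool rather than a person. The second pass does not assume the attacker reused the same address; it flags every successful login in the time margin regardless of source, because an attacker who did get a password would not need to come back from the scanning host.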
Moe Trin
      10-22-2004
In article <>, Cater_Soke wrote:

>I saw a lot of attempts to login at an FTP-server with wrong user
>accounts. I reported it for investigation to our security guy who
>manages the firewall that protect the FTP-server. He told me that he
>more investigation was meaningless because the IP-addresses where
>spoofed.


Your security guy is either incompetent, or isn't telling you the whole
story. An FTP connection runs under TCP/IP, which is a two-way
connection. Computer A starts by sending a SYN packet to your server
that contains a 32 bit number. Your server then sends a SYN-ACK packet
back to computer A that contains that 32 bit number AND another 32 bit
number that should be random. It expects to receive an ACK in return
that contains that second random number, as well as the first number
added to the number of bits in this packet. These are called "sequence
numbers" and are used to keep track of the bits transmitted and received.
That 'ACK' packet is the first one that can contain data that is passed
up the stack to an application like the FTP server. Thus, the addresses
can not be easily spoofed.

>Has anyone an idee why a cracker would use a spoofed address
>to try a login as to my knowledge he would never see the results?


It's possible to guess what the response might be (the contents of
the SYN-ACK packet) if you are using a piece of sh1t operating
system. The better O/S put a truly random 32 bit number in the packet,
while others are quite predictable. Without knowing the O/S your FTP
server is running, it's hard to guess. As to why, this could be a
denial of service attack.

Old guy

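The handshake Moe Trin walks through is what decides whether a login can arrive from a spoofed address: the FTP daemon only sees USER/PASS once the final ACK carries the right server sequence number, and the attacker never receives the SYN-ACK that tells him what it is. The toy model below is an added illustration, not code from the thread. The server and attacker are in-process objects, the addresses are documentation ranges, and the two ISN policies are assumptions: 'incremental' stands in for the old fixed-step generators (a constant 64000 is used here) that made blind spoofing workable, 'random' for a modern unpredictable ISN.

```python
"""Toy TCP three-way handshake showing why a blind spoofer only gets data
to the application when the server's ISN is predictable.  Added example;
the ISN policies, step size and addresses are assumptions."""
import os

MASK = 0xFFFFFFFF


def seq_add(a, b):
    """32-bit wraparound sequence arithmetic."""
    return (a + b) & MASK


class TcpServer:
    def __init__(self, isn_policy):
        assert isn_policy in ("incremental", "random")
        self.isn_policy = isn_policy
        self._next_isn = 0x1A2B3C4D        # arbitrary starting value
        self.half_open = {}                # (ip, port) -> (client_isn, server_isn)
        self.delivered = []                # (ip, data) handed up to the FTP daemon

    def _new_isn(self):
        if self.isn_policy == "incremental":
            isn = self._next_isn
            self._next_isn = seq_add(isn, 64000)   # constant step: guessable
            return isn
        return int.from_bytes(os.urandom(4), "big")  # unpredictable

    def receive(self, seg):
        """Process one segment; return the reply the server sends to seg['src']."""
        key = (seg["src"], seg["sport"])
        if seg["flags"] == "SYN":
            server_isn = self._new_isn()
            self.half_open[key] = (seg["seq"], server_isn)
            return {"dst": seg["src"], "flags": "SYN-ACK",
                    "seq": server_isn, "ack": seq_add(seg["seq"], 1)}
        if seg["flags"] == "ACK" and key in self.half_open:
            client_isn, server_isn = self.half_open[key]
            if (seg["ack"] == seq_add(server_isn, 1)
                    and seg["seq"] == seq_add(client_isn, 1)):
                del self.half_open[key]
                if seg.get("data"):
                    self.delivered.append((seg["src"], seg["data"]))
                return {"dst": seg["src"], "flags": "ACK"}
        return {"dst": seg["src"], "flags": "RST"}   # wrong numbers: reset


def learn_isn(server, attacker_ip):
    """Legitimate probe from the attacker's real address to sample the ISN."""
    synack = server.receive({"src": attacker_ip, "sport": 40000,
                             "flags": "SYN", "seq": 1000})
    return synack["seq"]


def blind_spoof(server, attacker_ip, spoofed_ip, payload):
    """Try to deliver `payload` on a connection that appears to come from
    spoofed_ip without ever seeing the SYN-ACK.  True if the server passed
    the data to the application."""
    probe_isn = learn_isn(server, attacker_ip)
    guess = seq_add(probe_isn, 64000)     # assumes the old fixed step
    my_isn = 5000
    synack = server.receive({"src": spoofed_ip, "sport": 40001,
                             "flags": "SYN", "seq": my_isn})
    del synack  # addressed to spoofed_ip; the attacker never sees it.
    # Simplification: the real owner of spoofed_ip would answer the unexpected
    # SYN-ACK with a RST; the historical attack silenced that host first.
    server.receive({"src": spoofed_ip, "sport": 40001, "flags": "ACK",
                    "seq": seq_add(my_isn, 1), "ack": seq_add(guess, 1),
                    "data": payload})
    return (spoofed_ip, payload) in server.delivered


if __name__ == "__main__":
    for policy in ("incremental", "random"):
        ok = blind_spoof(TcpServer(policy), "198.51.100.9", "192.0.2.10",
                         "USER admin\r\nPASS guess1\r\n")
        print(f"ISN policy {policy:11}: spoofed login reached the FTP daemon: {ok}")
```

With the incremental policy the attacker's probe reveals the next ISN, the guessed ACK number is accepted, and the USER/PASS bytes reach the daemon even though no reply ever goes to the attacker. With a random ISN the same ACK is answered with a RST and nothing is delivered. This is also why such an attacker is blind: even when the guess succeeds, the 530/230 result of each password attempt is sent to the spoofed address, which is Moe Trin's point about brute forcing.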
Moe Trin
      10-22-2004
>More than likely, it was someone trying to get into a user account by merely
>guessing passwords. A person could use a spoofed IP address in case they
>were in a position where they could be in trouble, legally or otherwise. It
>would make it harder to trace it back to that person. Not impossible by any
>means, but harder.
>
>If I were guessing, I would say it was someone trying to brute force the
>passwords and or user accounts in order to gain access to the ftp server.

OK - fake address so nothing gets back to him - how does he know if the
password was good, bad or indifferent?

Thanks for playing, better luck next time.

Old guy
donnie
      10-22-2004
On Thu, 21 Oct 2004 23:33:04 GMT, Cater_Soke
<Cater_Soke_dit_mag-> wrote:

>Yes, but I wonder is: it possible to use a spoofed IP-address to login
>to a FTP-server and see the results of the attempt ?

#######################
There was something called the bounce attack. As far as I know, it is
outdated and FTP servers don't support it anymore.
donnie.
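The bounce attack donnie mentions abuses the active-mode PORT command: the client names any IP and port for the data connection and the server obligingly connects there, so a third host gets scanned or fed data with the FTP server's address as the source. The fix servers adopted is to accept only a data address equal to the control connection's peer and a non-privileged port. The following is an added example, not the thread's code or any particular server's: a parser for the h1,h2,h3,h4,p1,p2 argument and that check. The reply strings are illustrative.

```python
"""PORT argument parser plus the anti-bounce check: data address must equal
the control connection's peer, port must be >= 1024.  Added example; reply
codes/texts are illustrative, not copied from a specific server."""
import ipaddress
import re

PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_arg(arg):
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256+p2)."""
    m = PORT_RE.match(arg.strip())
    if not m:
        raise ValueError("malformed PORT argument")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2


def check_port_command(arg, control_peer_ip):
    """Return (ok, reply).  ok=True means the server may open the data
    connection; anything else is refused with a reason."""
    try:
        ip, port = parse_port_arg(arg)
    except ValueError as e:
        return False, f"501 {e}"
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer_ip):
        return False, "500 Illegal PORT command: address differs from control connection"
    if port < 1024:
        return False, "500 Illegal PORT command: privileged port"
    return True, f"200 PORT command successful ({ip}:{port})"


if __name__ == "__main__":
    peer = "192.0.2.44"  # where the control connection really comes from
    # A legitimate client, then a bounce scan of a third host's SMTP port,
    # then the same peer pointing at its own privileged port (constructed).
    for arg in ("192,0,2,44,4,1", "10,0,0,5,0,25", "192,0,2,44,0,25", "1,2,3"):
        ok, reply = check_port_command(arg, peer)
        print(f"PORT {arg:18} -> {reply}")
```

The address comparison goes through ipaddress so that an oddly written but equal address is not rejected by a string compare, and the port floor blocks the common bounce target of a service port on the client's own host.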
Cater_Soke
      10-25-2004

Thx a lot for your explanation.


>This might be an interesting read:
>http://www.networkcommand.com/docs/ipspoof.txt
>But it was written in 1996 so it doesn't really apply anymore.
>

I also found this : http://www.spirit.com/Network/net0501.html

>I guess I would have to ask the firewall admin how he came to the
>conclusion that the source address was spoofed.

I will
>And, I would have to ask, why would someone sophisticated enough to
>perform a tcp "man in the middle" attack try to brute force
>usernames/passwords?

Good remark !
>If you post the accounts they they tried then maybe someone here can
>link it back to some automated tool.

Thx for the suggestion, but too much time has passed now for a
closer investigation.


luc


--
If there were a sig here, would you read it?
Cater_Soke
      10-25-2004
thx for your reply and detailed explanation.

>In article <>, Cater_Soke wrote:
>Your security guy is either incompetent, or isn't telling you the whole
>story.

I don't know why he told me so, but he did a good job protecting the
servers in the past. Let's just say he was a bit confused.



> Old guy


I'm 52 , and you ?

--
If there were a sig here, would you read it?
Cater_Soke
      10-25-2004

> Without knowing the O/S your FTP
>server is running, it's hard to guess.


w2k all security hotfixes installed.

--
If there were a sig here, would you read it?