FTP sessions with spoofed IP-address

Discussion in 'Computer Security' started by Cater_Soke, Oct 21, 2004.

  1. Cater_Soke

    Cater_Soke Guest

    Hi,
    I saw a lot of attempts to log in at an FTP server with wrong user
    accounts. I reported it for investigation to our security guy who
    manages the firewall that protects the FTP server. He told me that
    more investigation was meaningless because the IP addresses were
    spoofed. Has anyone an idea why a cracker would use a spoofed address
    to try a login, as to my knowledge he would never see the results?


    --
    If there were a sig here, would you read it?
     
    Cater_Soke, Oct 21, 2004
    #1

  2. Cater_Soke

    WO Guest

    More than likely, it was someone trying to get into a user account by merely
    guessing passwords. A person could use a spoofed IP address in case they
    were in a position where they could be in trouble, legally or otherwise. It
    would make it harder to trace it back to that person. Not impossible by any
    means, but harder.

    If I were guessing, I would say it was someone trying to brute force the
    passwords and or user accounts in order to gain access to the ftp server.


    "Cater_Soke" <> wrote in message
    news:...
    > Hi,
    > I saw a lot of attempts to log in at an FTP server with wrong user
    > accounts. I reported it for investigation to our security guy who
    > manages the firewall that protects the FTP server. He told me that
    > more investigation was meaningless because the IP addresses were
    > spoofed. Has anyone an idea why a cracker would use a spoofed address
    > to try a login, as to my knowledge he would never see the results?
    >
    >
    > --
    > If there were a sig here, would you read it?
     
    WO, Oct 22, 2004
    #2

  3. Cater_Soke

    Cater_Soke Guest

    >More than likely, it was someone trying to get into a user account by merely
    >guessing passwords. A person could use a spoofed IP address in case they
    >were in a position where they could be in trouble, legally or otherwise.
    Yes, but I wonder: is it possible to use a spoofed IP address to log in
    to an FTP server and see the results of the attempt?


    > It
    >would make it harder to trace it back to that person. Not impossible by any
    >means, but harder.
    >
    >If I were guessing, I would say it was someone trying to brute force the
    >passwords and or user accounts in order to gain access to the ftp server.
    yes, indeed
    >
    >
    >"Cater_Soke" <> wrote in message
    >news:...
    >> Hi,
    >> I saw a lot of attempts to log in at an FTP server with wrong user
    >> accounts. I reported it for investigation to our security guy who
    >> manages the firewall that protects the FTP server. He told me that
    >> more investigation was meaningless because the IP addresses were
    >> spoofed. Has anyone an idea why a cracker would use a spoofed address
    >> to try a login, as to my knowledge he would never see the results?
    >>
    >>
    >> --
    >> If there were a sig here, would you read it?
    >


    --
    If there were a sig here, would you read it?
     
    Cater_Soke, Oct 22, 2004
    #3
  4. Cater_Soke

    Mark Guest

    >>More than likely, it was someone trying to get into a user account by merely
    >>guessing passwords. A person could use a spoofed IP address in case they
    >>were in a position where they could be in trouble, legally or otherwise.
    >
    > Yes, but I wonder: is it possible to use a spoofed IP address to log in
    > to an FTP server and see the results of the attempt?


    I think I understand what you are getting at. How would the attacker
    receive the syn-ack to the initial syn if the source address was spoofed?

    While it's --technically-- possible, it would be a very sophisticated
    attack and one that I've never heard of anyone accomplishing against any
    reasonably modern operating system.

    Kevin Mitnick is famous for successfully performing just such an attack.
    But that was when operating systems used more predictable sequence
    numbers.

    This might be an interesting read:
    http://www.networkcommand.com/docs/ipspoof.txt
    But it was written in 1996 so it doesn't really apply anymore.

    I guess I would have to ask the firewall admin how he came to the
    conclusion that the source address was spoofed.
    >
    >
    >
    >>It
    >>would make it harder to trace it back to that person. Not impossible by any
    >>means, but harder.
    >>
    >>If I were guessing, I would say it was someone trying to brute force the
    >>passwords and or user accounts in order to gain access to the ftp server.
    >
    > yes, indeed


    And, I would have to ask, why would someone sophisticated enough to
    perform a tcp "man in the middle" attack try to brute force
    usernames/passwords? If they have the resources to perform a tcp "man
    in the middle" attack they can probably just sniff the
    usernames/passwords of valid accounts that log in. You would have to be
    able to sniff connections to the server in order to see the initial
    sequence number and subsequently correctly guess the correct sequence
    number to respond with to hijack the connection.

    Given that ability, why even bother to use usernames/accounts? Just
    wait until a valid user logs in and hijack their tcp session.

    >
    >>
    >>"Cater_Soke" <> wrote in message
    >>news:...
    >>
    >>>Hi,
    >>>I saw a lot of attempts to log in at an FTP server with wrong user
    >>>accounts. I reported it for investigation to our security guy who
    >>>manages the firewall that protects the FTP server. He told me that
    >>>more investigation was meaningless because the IP addresses were
    >>>spoofed. Has anyone an idea why a cracker would use a spoofed address
    >>>to try a login, as to my knowledge he would never see the results?


    I think I agree with what you were trying to get at. I think the
    firewall admin was just 'blowing smoke' to get you to go away.

    With that said, I'm not sure you have a whole lot to worry about since
    I'm guessing they never successfully logged in? It might not be worth
    --much-- investigation if that's the case.

    Make sure a 'valid' user didn't log in about the time you saw this
    scanning. And, if one did, find out what they did.

    If you post the accounts they tried then maybe someone here can
    link it back to some automated tool.

    Mark
    >>>
    >>>
    >>>--
    >>>If there were a sig here, would you read it?
    >>

    >
     
    Mark, Oct 22, 2004
    #4
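Mark's advice above amounts to a short log-triage procedure: count the failed logins per source, note which usernames were tried (so the pattern can be matched to a known automated tool), and check whether any valid user logged in around the time of the scanning. The following is an added example, not code from the thread or any of its posters; the log format and every sample line are constructed for the example, and the one-hour window and five-failure threshold are assumptions.

```python
"""Added example: triage FTP authentication logs the way the reply above suggests.
The log format ("<date> <time> OK|FAIL user=<name> src=<ip>") and the sample
lines are constructed for this example and are not any real server's output."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: a burst of failures from one source, a normal user
# login shortly afterwards, and a success from the scanning source itself.
SAMPLE_LOG = """\
2004-10-21 23:31:02 FAIL user=root src=198.51.100.7
2004-10-21 23:31:03 FAIL user=admin src=198.51.100.7
2004-10-21 23:31:04 FAIL user=test src=198.51.100.7
2004-10-21 23:31:05 FAIL user=guest src=198.51.100.7
2004-10-21 23:31:06 FAIL user=oracle src=198.51.100.7
2004-10-21 23:40:10 OK user=luc src=203.0.113.5
2004-10-21 23:42:30 OK user=backup src=198.51.100.7
2004-10-22 08:00:00 OK user=luc src=203.0.113.5
"""

LINE_RE = re.compile(r"^(\S+ \S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append({"ts": ts, "ok": m.group(2) == "OK",
                       "user": m.group(3), "src": m.group(4)})
    return events


def failure_summary(events, threshold=5):
    """Sources with at least `threshold` failed logins, with the usernames they tried.
    The username list is what the reply suggests posting to identify the tool."""
    fails = Counter()
    users = defaultdict(set)
    for e in events:
        if not e["ok"]:
            fails[e["src"]] += 1
            users[e["src"]].add(e["user"])
    return {src: {"failures": n, "users": sorted(users[src])}
            for src, n in fails.items() if n >= threshold}


def successes_near_bursts(events, threshold=5, window=timedelta(hours=1)):
    """Successful logins within `window` after the last failure of a burst.
    Each hit records whether it came from the same source as the burst,
    which is the case that most deserves a look at what that session did."""
    bursts = failure_summary(events, threshold)
    last_fail = {}
    for e in events:
        if not e["ok"] and e["src"] in bursts:
            last_fail[e["src"]] = max(last_fail.get(e["src"], e["ts"]), e["ts"])
    hits = []
    for e in events:
        if not e["ok"]:
            continue
        for src, t in last_fail.items():
            if t <= e["ts"] <= t + window:
                hits.append({"user": e["user"], "src": e["src"], "ts": e["ts"],
                             "same_source": e["src"] == src})
                break
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(failure_summary(evs))
    for h in successes_near_bursts(evs):
        print(h)
```

On the constructed sample this flags the five-username burst from 198.51.100.7 and two logins inside the following hour: the normal user from another address, and a success from the scanning source itself, which is the one to follow up.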
  5. Cater_Soke

    Moe Trin Guest

    In article <>, Cater_Soke wrote:

    >I saw a lot of attempts to log in at an FTP server with wrong user
    >accounts. I reported it for investigation to our security guy who
    >manages the firewall that protects the FTP server. He told me that
    >more investigation was meaningless because the IP addresses were
    >spoofed.


    Your security guy is either incompetent, or isn't telling you the whole
    story. An FTP connection runs under TCP/IP, which is a two way
    connection. Computer A starts by sending a SYN packet to your server
    that contains a 32 bit number. Your server then sends a SYN-ACK packet
    back to computer A that contains that 32 bit number AND another 32 bit
    number that should be random. It expects to receive an ACK in return
    that contains that second random number, as well as the first number
    added to the number of bits in this packet. These are called "sequence
    numbers" and are used to keep track of the bits transmitted and received.
    That 'ACK' packet is the first one that can contain data that is passed
    up the stack to an application like the FTP server. Thus, the addresses
    cannot be easily spoofed.

    >Has anyone an idea why a cracker would use a spoofed address
    >to try a login, as to my knowledge he would never see the results?


    It's possible to guess what the response might be (the contents of
    the SYN-ACK packet) if you are using a piece of sh1t operating
    system. The better O/S put a truly random 32 bit number in the packet,
    while others are quite predictable. Without knowing the O/S your FTP
    server is running, it's hard to guess. As to why, this could be a
    denial of service attack.

    Old guy
     
    Moe Trin, Oct 22, 2004
    #5
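The handshake described in the post above is easy to model, and the model makes the argument concrete: the SYN-ACK carrying the server's initial sequence number is routed to whatever source address was in the SYN, so a sender using a spoofed address never sees it and can only complete the handshake by guessing that number. With a random 32-bit ISN the guess fails; with the old fixed-increment ISN generators the post mentions, someone who knows one ISN can compute the next. This is an added in-process simulation, not code from the thread; the 64000-per-connection increment used for the "predictable" policy and the addresses are assumptions made for the example, and nothing is sent on a network.

```python
"""Added example: a toy model of the TCP three-way handshake from the post above,
showing why a spoofed-source login fails against a random initial sequence number
(ISN) and why it could succeed against a predictable one. Pure simulation."""
import random

MASK32 = 0xFFFFFFFF


class Server:
    """Accepts a connection only after a correct three-way handshake."""

    def __init__(self, isn_policy="random", seed=None):
        self.isn_policy = isn_policy
        self.rng = random.Random(seed)
        self.counter = 0          # state for the 'predictable' policy
        self.pending = {}         # src_addr -> (client_isn, server_isn)
        self.established = set()

    def next_isn(self):
        if self.isn_policy == "random":
            return self.rng.getrandbits(32)   # the "truly random 32 bit number"
        # Old-style generator (assumed increment): a fixed step per connection.
        self.counter = (self.counter + 64000) & MASK32
        return self.counter

    def recv_syn(self, src_addr, client_isn):
        """First packet. The SYN-ACK is addressed to src_addr, whoever that is."""
        server_isn = self.next_isn()
        self.pending[src_addr] = (client_isn, server_isn)
        return {"to": src_addr, "ack": (client_isn + 1) & MASK32, "seq": server_isn}

    def recv_ack(self, src_addr, seq, ack):
        """Third packet. It must acknowledge the server ISN; only then is the
        connection established and data allowed up the stack to the FTP daemon."""
        if src_addr not in self.pending:
            return False
        client_isn, server_isn = self.pending[src_addr]
        ok = (seq == ((client_isn + 1) & MASK32)
              and ack == ((server_isn + 1) & MASK32))
        if ok:
            self.established.add(src_addr)
        return ok


def legitimate_login(server, addr="203.0.113.5"):
    """A normal client: it receives the SYN-ACK and answers it."""
    client_isn = random.getrandbits(32)
    synack = server.recv_syn(addr, client_isn)
    assert synack["to"] == addr        # the reply comes back to the real sender
    return server.recv_ack(addr, synack["ack"], (synack["seq"] + 1) & MASK32)


def spoofed_login(server, spoofed_addr="198.51.100.7", guessed_server_isn=None):
    """A spoofed source: the SYN-ACK goes to spoofed_addr, so the sender never
    learns the server ISN and must guess it blindly. True only if the guess hits."""
    client_isn = 1000
    synack = server.recv_syn(spoofed_addr, client_isn)
    assert synack["to"] == spoofed_addr   # delivered elsewhere; never read here
    if guessed_server_isn is None:
        guessed_server_isn = random.getrandbits(32)   # 1 in 2**32 chance
    return server.recv_ack(spoofed_addr, client_isn + 1,
                           (guessed_server_isn + 1) & MASK32)


def predict_next_isn(server):
    """What the predictable policy gives out next. The model peeks at its own
    state; the point is that the value is computable at all, which the random
    policy rules out."""
    return (server.counter + 64000) & MASK32


if __name__ == "__main__":
    s = Server("random", seed=1)
    print("random ISN:      legit", legitimate_login(s), "spoofed", spoofed_login(s))
    p = Server("predictable")
    legitimate_login(p)                     # one prior connection sets the counter
    print("predictable ISN: spoofed", spoofed_login(p, predict_next_isn(p)))
```

The random-ISN server accepts the real client and rejects the spoofed one; the predictable-ISN server accepts the spoofed handshake once its next ISN is known. That is the whole of the post's point: a modern stack with random ISNs makes the spoofed login the firewall admin described implausible, and the mitigation is the ISN policy, not the firewall.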
  6. Cater_Soke

    Moe Trin Guest

    >More than likely, it was someone trying to get into a user account by merely
    >guessing passwords. A person could use a spoofed IP address in case they
    >were in a position where they could be in trouble, legally or otherwise. It
    >would make it harder to trace it back to that person. Not impossible by any
    >means, but harder.
    >
    >If I were guessing, I would say it was someone trying to brute force the
    >passwords and or user accounts in order to gain access to the ftp server.

    OK - fake address so nothing gets back to him - how does he know if the
    password was good, bad or indifferent?

    Thanks for playing, better luck next time.

    Old guy
     
    Moe Trin, Oct 22, 2004
    #6
  7. Cater_Soke

    donnie Guest

    On Thu, 21 Oct 2004 23:33:04 GMT, Cater_Soke
    <> wrote:

    >Yes, but I wonder: is it possible to use a spoofed IP address to log in
    >to an FTP server and see the results of the attempt?

    #######################
    There was something called the bounce attack. As far as I know, it is
    outdated and FTP servers don't support it anymore.
    donnie.
     
    donnie, Oct 22, 2004
    #7
  8. Cater_Soke

    Cater_Soke Guest

    thx a lot for your explanation


    >This might be an interesting read:
    >http://www.networkcommand.com/docs/ipspoof.txt
    >But it was written in 1996 so it doesn't really apply anymore.
    >

    I also found this : http://www.spirit.com/Network/net0501.html

    >I guess I would have to ask the firewall admin how he came to the
    >conclusion that the source address was spoofed.

    I will
    >And, I would have to ask, why would someone sophisticated enough to
    >perform a tcp "man in the middle" attack try to brute force
    >usernames/passwords?

    Good remark !
    >If you post the accounts they they tried then maybe someone here can
    >link it back to some automated tool.

    Thx for the suggestion, but too much time has passed now for a deeper,
    closer investigation.


    luc


    --
    If there were a sig here, would you read it?
     
    Cater_Soke, Oct 25, 2004
    #8
  9. Cater_Soke

    Cater_Soke Guest

    thx for your reply and detailed explanation.

    >In article <>, Cater_Soke wrote:
    >Your security guy is either incompetent, or isn't telling you the whole
    >story.

    I don't know why he told me so, but he did a good job protecting the
    servers in the past. Let's just say he was a bit confused.



    >
    > Old guy


    I'm 52 , and you ? :)

    --
    If there were a sig here, would you read it?
     
    Cater_Soke, Oct 25, 2004
    #9
  10. Cater_Soke

    Cater_Soke Guest


    > Without knowing the O/S your FTP
    >server is running, it's hard to guess.


    W2K, all security hotfixes installed.

    --
    If there were a sig here, would you read it?
     
    Cater_Soke, Oct 25, 2004
    #10