-
Well, it's not an attack against me, it's an attack against the company, which is among the top financial advising companies in this region of the country, making them a good target.
But if it's not IP spoofing, why in the world would Verisign 1) scan my ports repeatedly and 2) send fraudulent M$ certificates?
-
I would suggest that you might be being used in some kind of reflected attack on Verisign. That's why the address is Verisign's. If I sent you a SYN with the source IP address spoofed to Verisign's, where do you think your SYN/ACK is going? Verisign, of course. Couple this with the faked certificates (part of Verisign's business is certificates) and you might be in the middle of something a little larger.
Can you get an Ethereal dump of the sequence of events in question? Then you can make a better determination of what might be going on.
-
I can give you a reason why someone would pick Verisign: everyone trusts it. Who would think that Verisign is attacking him?
If Verisign is (or was) under attack, everybody should notice too. Since we see just one case, it looks more like IP spoofing than a massive attack on Verisign. And it's easier to do.
But, just to follow your argument, why do you think that it is a DDoS attack and Verisign is owned?
/Edit
I've read TS's post and agree (in part) that it may be a reflection attack. But what about fake certificates? I'm not sure that someone can send fake ones through reflection (can they?)
-
That's why I'd like to see the Ethereal dump. The port scan is probably only being reported on the strength of the SYN packets. I want to see if there is anything else of interest crossing the wire. Maybe someone thinks they can make an entire attack on something at Verisign by bouncing off Angelic.
Until we know what other traffic is passing by, we are just "shooting in the dark".
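The reflection hypothesis in Tig's two posts above (spoofed SYNs "from" Verisign make the firewall fire SYN/ACKs at Verisign, and the port-scan alert is just the SYNs being counted) can be checked mechanically once a capture filtered on the suspect host exists. The script below is an added example, not code from the thread: it reads a simplified per-packet record (time, src, sport, dst, dport, TCP flags, IP TTL, the fields you would pull out of the Ethereal printout), tallies what the suspect address sends and what we send back, and applies one heuristic that is an assumption on my part: if the inbound SYNs and the inbound RSTs carry different TTLs, they were emitted by two different senders, which is what spoofing predicts (the attacker's box sends the SYNs, the real host at that address answers our unsolicited SYN/ACKs with RSTs), whereas a SYN scan from the host itself gives one TTL throughout. The address is the one from the original post; every record is constructed.

```python
"""Triage a capture filtered on one suspect host: is that host scanning us,
or are spoofed packets bouncing off us?  Added example; records are constructed."""
from collections import Counter, defaultdict

SUSPECT = "64.94.110.12"   # address named in the original post

# One record per packet: time src sport dst dport flags ttl.
# Constructed to show the reflection pattern: every SYN "from" the suspect
# arrives with TTL 52, but the RSTs that come back carry TTL 243.
SAMPLE = """\
12:00:01.000 64.94.110.12 40001 203.0.113.10 80 S 52
12:00:01.001 203.0.113.10 80 64.94.110.12 40001 SA 64
12:00:01.010 64.94.110.12 40002 203.0.113.10 25 S 52
12:00:01.011 203.0.113.10 25 64.94.110.12 40002 SA 64
12:00:01.020 64.94.110.12 40003 203.0.113.10 443 S 52
12:00:01.021 203.0.113.10 443 64.94.110.12 40003 SA 64
12:00:01.090 64.94.110.12 40001 203.0.113.10 80 R 243
12:00:01.095 64.94.110.12 40002 203.0.113.10 25 R 243
12:00:05.000 198.51.100.7 51000 203.0.113.10 80 S 118
12:00:05.001 203.0.113.10 80 198.51.100.7 51000 SA 64
12:00:05.002 198.51.100.7 51000 203.0.113.10 80 A 118
"""


def parse(text):
    """Turn the whitespace-separated records into dicts."""
    pkts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, flags, ttl = line.split()
        pkts.append({"ts": ts, "src": src, "sport": int(sport), "dst": dst,
                     "dport": int(dport), "flags": flags, "ttl": int(ttl)})
    return pkts


def summarize(pkts, suspect):
    """Count packets by direction and flag set, and collect the TTLs seen on
    each flag set coming from the suspect plus the ports it sent SYNs to."""
    counts = Counter()
    ttl_by_flags = defaultdict(set)
    target_ports = set()
    for p in pkts:
        if p["src"] == suspect:
            counts["in_" + p["flags"]] += 1
            ttl_by_flags[p["flags"]].add(p["ttl"])
            if p["flags"] == "S":
                target_ports.add(p["dport"])
        elif p["dst"] == suspect:
            counts["out_" + p["flags"]] += 1
    return counts, dict(ttl_by_flags), sorted(target_ports)


def verdict(counts, ttl_by_flags):
    """Heuristic reading of the tallies (an assumption, not a proof)."""
    if counts["in_S"] == 0:
        return "no SYNs from suspect in this capture"
    if counts["in_A"] > 0:
        return "handshakes completed: a real client at that address, not spoofed SYNs"
    syn_ttl = ttl_by_flags.get("S", set())
    rst_ttl = ttl_by_flags.get("R", set())
    if rst_ttl and syn_ttl.isdisjoint(rst_ttl):
        return ("half-open only, and the SYNs and RSTs carry different TTLs: "
                "two senders, consistent with spoofed SYNs reflecting our "
                "SYN/ACKs onto the real host")
    return "half-open only, one TTL throughout: looks like a SYN scan from that host"


def triage(text, suspect=SUSPECT):
    counts, ttls, ports = summarize(parse(text), suspect)
    return {"counts": dict(counts), "ttls": ttls, "ports": ports,
            "verdict": verdict(counts, ttls)}


if __name__ == "__main__":
    for k, v in triage(SAMPLE).items():
        print(f"{k}: {v}")
```

The interesting number for Tig's "bouncing off Angelic" theory is `out_SA`: every one of those SYN/ACKs is a packet the firewall delivered to Verisign on the attacker's behalf, and they go on being sent for as long as the spoofed SYNs keep coming.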
-
The attack you described, cacosapo, would mean that if Verisign was being used by someone else, they'd do it one of two ways:
1. Gain control over their server and use it to attack AngelicKnight's server
2. Subject Verisign to a massive DDoS and use IP spoofing to attack AngelicKnight's server
Both of the options seem remote to me. AngelicKnight, any luck contacting Verisign?
Here's a link, could it be this? http://www.dslreports.com/faq/7998
-
Ok, time to be n00bish: Ethereal dumps are new to me, so how do I go about doing that?
*off I go to Google...*
-
Angelic:
In a nutshell:
1. D/L and install WinPcap 3.01(?) (googleable)
2. D/L and install the latest version of Ethereal (googleable)
3. Unbind all protocols from the NIC
4. Install a small _hub_ between the border router and the firewall
5. Connect the NIC to the hub
6. Start Ethereal
7. Start an Ethereal packet capture
8. Where it asks for the filter, type "host 64.94.110.12" without the quotes
If you have more than one NIC in the box make sure you select the appropriate one - run a test with no filter first. If it captures traffic you are in. Stop the capture and repeat steps 7 and 8.
Then go to bed or whatever you do while waiting for this event to occur.
When you are sure you have captured the events, do this:
1. Stop the capture
2. File - Print
3. Select "output file" and name the file c:\temp\ethereal.txt
4. Select "all packets"
5. Select "All dissections expanded"
6. Print
7. Open c:\temp\ethereal.txt and find/replace the first three octets of your IP block
8. Save the file
9. Post it here
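Step 7 of the second list, done with a script instead of an editor's find/replace, as an added example that is not from the post. It assumes the dump is the plain-text printout Ethereal writes and that your public block is a /24 whose first three octets you know (the `203.0.113.` prefix and the dump lines below are constructed). A plain find/replace on a prefix such as `10.10.10.` would also mangle an unrelated address like `210.10.10.5`, so the pattern insists on a non-address character before the prefix and on the host octet ending cleanly; the host octet is kept so that different machines behind the firewall remain distinguishable in the posted dump.

```python
"""Redact the first three octets of our own block in an Ethereal text dump.
Added example; the dump below is constructed, not a real capture."""
import re

SAMPLE_DUMP = """\
Frame 1 (62 bytes on wire, 62 bytes captured)
Internet Protocol, Src Addr: 64.94.110.12 (64.94.110.12), Dst Addr: 203.0.113.10 (203.0.113.10)
Transmission Control Protocol, Src Port: 40001 (40001), Dst Port: 80 (80), Seq: 0, Ack: 0
Frame 2 (62 bytes on wire, 62 bytes captured)
Internet Protocol, Src Addr: 203.0.113.10 (203.0.113.10), Dst Addr: 64.94.110.12 (64.94.110.12)
"""


def redact_block(text, first_three_octets, placeholder="x.x.x"):
    """Replace 'A.B.C.' with the placeholder wherever it starts a whole address.

    (?<![\\d.]) rejects a digit or dot before the prefix, so '210.10.10.5'
    is not touched when redacting '10.10.10.'; (?!\\d) after the host octet
    stops a four-digit run from being treated as an address."""
    prefix = first_three_octets.rstrip(".")
    pattern = re.compile(r"(?<![\d.])" + re.escape(prefix) + r"\.(\d{1,3})(?!\d)")
    return pattern.sub(lambda m: f"{placeholder}.{m.group(1)}", text)


def redact_file(path, first_three_octets):
    """Rewrite a dump file in place; returns the number of addresses redacted."""
    with open(path, encoding="utf-8", errors="replace") as f:
        before = f.read()
    after = redact_block(before, first_three_octets)
    with open(path, "w", encoding="utf-8") as f:
        f.write(after)
    return before.count(first_three_octets.rstrip(".") + ".") - \
        after.count(first_three_octets.rstrip(".") + ".")


if __name__ == "__main__":
    print(redact_block(SAMPLE_DUMP, "203.0.113."))
```

Run it on the printed dump as `redact_file(r"c:\temp\ethereal.txt", "203.0.113.")` with your own prefix; the suspect's address and everything else in the dissection stay intact, which is what the people reading the post need.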
-
Ah crap, I don't have an extra hub to use for that. What else can I do?
-
Does the SonicWALL allow you to put a computer outside itself, like a Linksys DMZ? That would work.
A switch with port spanning would work.
Outside that... erm... I dunno. You need to see the traffic as it approaches the firewall to know what is really going on out there.
-
I dunno, I'll look into that, Tig.
Ok, that was with our DSL line. Today I found a possible IP spoof from 10.10.10.1 in the log, except it says this IP was from the LAN. How could this be?