-
Packets
The intruder is fully blocked. The packet filter is on, no activity. Somehow he keeps the packets in there, he can manipulate their byte sizes, he can trigger them. What is it, how do I counter it? Loopback packets > living packets? He is doing the "bootp" thing and all. Help meee, the attachment is a sample of what I'm getting.
-
Ummm.
Slow down, and you're going to need to explain your situation a little better.
Who is the intruder?
What packet filter is on?
How is your network configured?
What is "he" doing to the packets?
Living packets= TTL?
-
??
What do you mean, who is the intruder? Do you want the MAC address? Let's just concentrate on the packet capture: it's like he's built a "living stream", he forces bytes through the packets, it's like it's at his whim. Let's go from here? plz
-
ok ok ok
I DO BELIEVE IT IS TTL PACKETS YES!! (It's like the packets are trapped in a loop, he can manipulate their byte sizes and trigger them too.)
-
screwedn2,
You have posted like 8 times and I've read all and can't understand any.
If you carefully word your questions you will prolly get better answers.
Mike
-
Sorry, I didn't see the packet capture when I started my post...
I'm looking at the capture right now. I'll get back to you in a little while. :)
-
I'm still working on it... I may not be finished for a while, I have a screaming 2 year old on my leg right now...
-
thx
I think it might be DDoS, IP spoofed with TTL. I could give you more or better packet samples. Thanks much for the help.
-
The pac.txt file only contains a single ACK packet originating from an adserver.
This is probably a response to some request you made.
I don't see anything hostile.
-
OK, the packet sample sucked, but I have been compromised. So far in "our latest session" I have captured 4,300,000 packets in about 1/2 an hour.
-
4 million packets in half an hour could be normal traffic. It all depends on the kind of connection you have and whether you were actually using the Internet link (downloading, browsing, P2P etc.) while you were capturing.
The best way of finding something fishy is to stop using the Internet uplink (cutting out your "regular" traffic) and then turn on your sniffer. If you see any traffic then you can start to analyze your capture. That way you don't have to wade through loads of normal traffic to find the packets that are the hostile ones.
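As an added example (not code from this thread or its attachment), here is a small Python triage script for the quiet-link capture described above: it drops the local host's own flows and their replies, then flags the things asked about in this thread: loopback addresses on the wire, bootp/DHCP ports, unsolicited inbound packets, TTL about to expire, and one source sending an outsized share. The packet records and the local address 192.168.1.10 are constructed.

```python
"""Triage a capture taken while the host is idle: anything left after
removing the host's own flows deserves a look. Sample data is constructed."""
from collections import Counter

LOOPBACK_PREFIX = "127."
BOOTP_PORTS = {67, 68}          # bootp/DHCP server and client ports
LOCAL = "192.168.1.10"          # assumed address of the capturing host

# Constructed capture summary: (src, sport, dst, dport, ttl, tcp_flags)
SAMPLE = [
    ("192.168.1.10", 51234, "64.233.160.99", 80, 64, "S"),   # our own request
    ("64.233.160.99", 80, "192.168.1.10", 51234, 52, "A"),   # its reply: expected
    ("10.9.8.7", 4444, "192.168.1.10", 135, 1, "S"),         # unsolicited, TTL 1
    ("127.0.0.1", 1111, "192.168.1.10", 22, 64, "S"),        # loopback src on the wire
    ("192.168.1.77", 68, "255.255.255.255", 67, 64, "-"),    # bootp/DHCP discover
] + [("203.0.113.5", p, "192.168.1.10", 80, 40, "S") for p in range(2000, 2050)]


def triage(packets, local=LOCAL, flood_threshold=20):
    """Return findings keyed by category; each value is a list of tuples."""
    findings = {"loopback": [], "bootp": [], "unsolicited": [],
                "ttl_expiring": [], "flood": []}
    outbound = set()            # (peer, peer_port, local_port) flows we started
    per_src = Counter()         # packets seen per foreign source
    for src, sport, dst, dport, ttl, _flags in packets:
        if src == local:
            outbound.add((dst, dport, sport))
            continue            # our own traffic is the baseline to exclude
        per_src[src] += 1
        if src.startswith(LOOPBACK_PREFIX) or dst.startswith(LOOPBACK_PREFIX):
            findings["loopback"].append((src, dst))
        if sport in BOOTP_PORTS or dport in BOOTP_PORTS:
            findings["bootp"].append((src, dst))
        if dst == local and (src, sport, dport) not in outbound:
            findings["unsolicited"].append((src, sport, dport))
        if ttl <= 1:
            findings["ttl_expiring"].append((src, ttl))
    findings["flood"] = [(s, n) for s, n in per_src.items() if n >= flood_threshold]
    return findings


if __name__ == "__main__":
    for category, hits in triage(SAMPLE).items():
        print(f"{category:13s} {len(hits):4d}  {hits[:3]}")
```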
-
What is your definition of fully blocked?
What packet filter are you using... you mean a firewall of some sort, right?
You say there's no activity, but there obviously is activity...
Where is 'there'? (the place he keeps the packets in)
I guarantee he cannot manipulate the size of a byte. Bytes are always the same size on the inet. :p
What do you mean by trigger it?
I do not see your attachment.
If the source and destination IP are not 127.0.0.1 I really don't think the word 'loopback' has anything to do with it. Unless something stupid is using the loopback interface anyways, which I really doubt.
TTL would have very little to do with anything.... At best it could be a misconfiguration in your border router to let packets in with a certain TTL. Even then, all your system would do would be to send an 'expired in transit' error. Not very lethal if you get my point... you probably don't do you?
bootp???? You don't have a bootp server on your network or something, do you? Nothing else on your network thinks your box is a bootp server, do they? Is the bootp port showing up in your logs and you're frickin' out?
=====----------==========------------========
We really do need more information. I don't see any attachment of a capture. You may want to filter for the ones you're worried about, as has been suggested. I for one have no desire to look at 4 million or whatever packets. At this point, I along with others don't think there's anything malicious going on. But we need to see a good capture and we could tell you in just a few minutes. Did you remove the capture? 'Cause I really just don't see it.
- good day
Jon.
-
The attachment was one captured ACK packet.
-
haha, ooh, scary... 'course I didn't see it, so I shouldn't say anything.