North American Network Operators Group

Re: TCP-ACK vulnerability (was RE: SSH on the router)
Private addressing/non routing of the netblock is only of limited use. I assume here the block is in the IGP.. the more customers/networks you serve the more chance of an attack coming from within.

Steve

On Thu, 10 Jun 2004, Alexei Roudnev wrote:

> Do you have any (even minimal) need to allocate globally routable IP to the
> VLAN1 interface?
>
> Other thing is that, even if I can find your switch, I will not have any
> minimal idea, that it is _your_ switch and any minimal need to break it. You
> can (easily) allocated all switch and router loopback IP in private network
> many years ago, and filtered out this network on all inbound interfaces.
>
> Even if I (if been a hacker) scan your networks and find this switch (and
> you did not move it out of routable P),
> I will have not any idea, what is it about, where this switch is, and have
> not any reason to break it...
>
> ----- Original Message -----
> From: "Sean Donelan" <[email protected]>
> To: <[email protected]>
> Sent: Thursday, June 10, 2004 4:19 AM
> Subject: Re: TCP-ACK vulnerability (was RE: SSH on the router)
>
> > On Wed, 9 Jun 2004, Alexei Roudnev wrote:
> > > This is minor exploit - usually you set up VLAN1 interface with IP address,
> > > which is filtered out from outside. Moreover, there is not any good way to
> > > find switch IP - it is transparent for user's devices.
> >
> > Yeah, port scanners are so rare on the Internet they'll never find your
> > IP address. It's not as if the switches have an easy to detect banner
> > signature, and everyone uses out-of-band management for all their network
> > equipment.