Pantek Library

decoyed IPs

From: kahleong_fong <kahleong_fong(at)yahoo.com.sg>
Date: Wed Jul 09 2003 - 05:22:25 EDT


hi,
I am investigating a set of IPs NMAP_TCP_PING which appeared to be using some decoyed IPs. However, they are all valid IPs. Most of them are from the same ISP and the only port that is open is port 80 on their site.

I need to know how I am going to narrow down which are the probable ones. A few of these IPs belong to the ISP but are not listed in the DNS; these I suspected to be proxies.

One thing I noted: I thought they used a filtering router to allow port 80 to come in, however it would appear they are using more than a filtering router. This filtering device appeared to be adaptive or reactive. It allowed you to connect to port 80 of these IPs, however it dropped the connection after "GET /" was issued. It then refused or reset the connection from the second attempt onwards when connecting from the same source IP. It somehow reset what it had learned the next day and allowed a connection again, and refused connections after the first attempt.

I am not familiar with ISP perimeter setups. Can anyone give me an idea of what they are using?

Thanks in advance.
regards.



Received on Wed Jul 9 14:19:52 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:10 EDT

