Did I obfuscate my usenet newsreader & who I am in this posting?
Did I obfuscate my usenet newsreader and who I am in this posting?
I've read up on how to remain anonymous on the internet and one way they
say is to obfuscate my usenet postings.
I wonder if you can help me by telling me whether you can easily figure out what
newsreader, operating system or whatever else you can figure out from this
post.
I hope you can't figure out anything about me but that is why I am asking.
I will monitor this thread to see if anyone can figure out anything about
me and my newsreader, os, isp, whatever so that I can learn more.
Re: Did I obfuscate my usenet newsreader & who I am in this posting?
On Mon, 02 Jul 2007 05:38:19 GMT, Tamara <tamara_4198@hotmail.com>
wrote:
>Did I obfuscate my usenet newsreader and who I am in this posting?
>
>I've read up on how to remain anonymous on the internet and one way they
>say is to obfuscate my usenet postings.
>
>I wonder if you can help me by telling me whether you can easily figure out what
>newsreader, operating system or whatever else you can figure out from this
>post.
>
>I hope you can't figure out anything about me but that is why I am asking.
>I will monitor this thread to see if anyone can figure out anything about
>me and my newsreader, os, isp, whatever so that I can learn more.
Re: Did I obfuscate my usenet newsreader & who I am in this posting?
Tamara,
Below is the header of your post. About the only thing missing is the
newsreader and OS used, and I'm not sure that information would be useful
anyway (to protect your privacy in text postings, I've obliterated the
e-mail address in the header). Note that the Path, Posting Host, and X-trace
data are intact. The ARIN info for the posting host is below the header.
It is best to assume that there is no anonymity on the Internet. Once you
mung your e-mail address (as mine is in this post), and use a 'handle'
instead of your name (I don't bother), you've done about as much as most
non-malicious people need to do. Unless you run your own newsserver and pay
the considerable fee for newsfeeds, you can't control the data inserted by
the newsserver itself, and even then, the receiving newserver will insert
the Path info.
Do you perhaps attend SDSU? (that question is rhetorical)
Allan
Header:
Path: bigbe1.bellsouth.net!bigfeed.bellsouth.net!bigfeed2.bellsouth.net!news.bellsouth.net!hwmnpeer01.phx!news.highwinds-media.com!newsfeed.news2me.com!newshub.sdsu.edu!newscon04.news.prodigy.net!prodigy.net!newsdst01.news.prodigy.net!prodigy.com!postmaster.news.prodigy.com!newssvr13.news.prodigy.net.POSTED!689056ff!not-for-mail
From: Tamara XXXXX@XXXXXX.XXXX
Subject: Did I obfuscate my usenet newsreader & who I am in this posting?
Newsgroups: misc.news.internet.discuss,alt.internet.wireless,alt.hackers.malicious
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Lines: 12
Message-ID: <fb0ii.924$eY.473@newssvr13.news.prodigy.net>
NNTP-Posting-Host: 69.110.4.48
X-Complaints-To: abuse@prodigy.net
X-Trace: newssvr13.news.prodigy.net 1183354699 ST000 69.110.4.48 (Mon, 02 Jul 2007 01:38:19 EDT)
NNTP-Posting-Date: Mon, 02 Jul 2007 01:38:19 EDT
Organization: SBC http://yahoo.sbc.com
X-UserInfo1:
SCSGWXCDAZUUSRD[N[O@_WH@YR_B@EXLLBWLOOAFBATBTSUBYFWEAE[YJLYPIWKHTFCMZKVMB^[Z^DOBRVVMOSPFHNSYXVDIE@X\BUC@GTSX@DL^GKFFHQCCE\G[JJBMYDYIJCZM@AY]GNGPJD]YNNW\GSX^GSCKHA[]@CCB\[@LATPD\L@J\\PF]VR[QPJN
Date: Mon, 02 Jul 2007 05:38:19 GMT
Xref: bigfeed.bellsouth.net misc.news.internet.discuss:450799
alt.internet.wireless:266349 alt.hackers.malicious:944480
ARIN data:
OrgName: AT&T Internet Services
OrgID: SIS-80
Address: 2701 N. Central Expwy # 2205.14
City: Richardson
StateProv: TX
PostalCode: 75080
Country: US
NetRange: 69.104.0.0 - 69.111.255.255
CIDR: 69.104.0.0/13
NetName: SBCIS-SIS80
NetHandle: NET-69-104-0-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.PBI.NET
NameServer: NS2.PBI.NET
Comment: Contact IPAdmin-PBI@sbcis.sbc.com for general IP support.
Comment: Contact support@pacbell.net for technical support issues.
Comment: Contact abuse@pacbell.net for policy abuse issues.
RegDate: 2003-11-21
Updated: 2007-05-25
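Allan's point above is that the poster controls only what her newsreader writes, while the injecting server adds NNTP-Posting-Host, X-Trace and the Path. The following script, added here as an example and not code from any poster in the thread, pulls exactly those fields out of a raw header so you can see what survives a "munged" From line. The sample header is Allan's copy of Tamara's header (e-mail masked as on the page, the X-Trace continuation re-folded with a leading space so it parses as an RFC 5322 folded header); the header names it looks for are common Usenet conventions, not anything the thread itself lists.

```python
"""Read the identifying fields out of a Usenet article header.

Added example for this thread, not code from any of the posters.  The
sample is the header Allan quoted for Tamara's article (e-mail address
masked as on the page; the X-Trace continuation line re-folded with a
leading space so it parses as an RFC 5322 folded header).
"""
import ipaddress
import re

# Constructed sample: Allan's copy of the header, re-folded.
SAMPLE_HEADER = """\
Path: bigbe1.bellsouth.net!bigfeed.bellsouth.net!bigfeed2.bellsouth.net!news.bellsouth.net!hwmnpeer01.phx!news.highwinds-media.com!newsfeed.news2me.com!newshub.sdsu.edu!newscon04.news.prodigy.net!prodigy.net!newsdst01.news.prodigy.net!prodigy.com!postmaster.news.prodigy.com!newssvr13.news.prodigy.net.POSTED!689056ff!not-for-mail
From: Tamara XXXXX@XXXXXX.XXXX
Subject: Did I obfuscate my usenet newsreader & who I am in this posting?
Newsgroups: misc.news.internet.discuss,alt.internet.wireless,alt.hackers.malicious
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Lines: 12
Message-ID: <fb0ii.924$eY.473@newssvr13.news.prodigy.net>
NNTP-Posting-Host: 69.110.4.48
X-Complaints-To: abuse@prodigy.net
X-Trace: newssvr13.news.prodigy.net 1183354699 ST000 69.110.4.48 (Mon, 02
 Jul 2007 01:38:19 EDT)
NNTP-Posting-Date: Mon, 02 Jul 2007 01:38:19 EDT
Organization: SBC http://yahoo.sbc.com
Date: Mon, 02 Jul 2007 05:38:19 GMT
"""

# Headers a newsreader adds about itself (assumed common names).  None are
# present in the sample, which is the one thing Tamara's obfuscation achieved.
SOFTWARE_HEADERS = ("user-agent", "x-newsreader", "x-mailer", "x-mozilla-news-host")
# Headers in which the injecting server records the poster's address.
ORIGIN_HEADERS = ("nntp-posting-host", "x-trace", "x-originating-ip")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_headers(raw):
    """Map lower-cased header names to values, joining folded continuation lines."""
    headers = {}
    last = None
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and last is not None:
            headers[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers


def injecting_server(path):
    """Server that accepted the article from the poster: the Path hop tagged
    '.POSTED'.  Hops before it were added by relays on the way to the reader
    and say nothing about the poster; hops after it are the injecting
    server's own tokens."""
    for hop in path.split("!"):
        if hop.endswith(".POSTED"):
            return hop[: -len(".POSTED")]
    return None


def posting_ips(headers):
    """Every IPv4 address the injecting server recorded for the poster.
    NNTP-Posting-Host is the obvious one; X-Trace normally repeats it, so
    stripping just one of them does not help."""
    found = set()
    for name in ORIGIN_HEADERS:
        for candidate in IP_RE.findall(headers.get(name, "")):
            try:
                found.add(str(ipaddress.ip_address(candidate)))
            except ValueError:
                pass  # a dotted string that only looked like an address
    return sorted(found)


def analyze(raw):
    """Summarise what the header gives away about the poster."""
    headers = parse_headers(raw)
    msgid = headers.get("message-id", "").strip("<>")
    return {
        "from": headers.get("from"),
        "posting_ips": posting_ips(headers),
        "injecting_server": injecting_server(headers.get("path", "")),
        "message_id_server": msgid.rpartition("@")[2],
        "organization": headers.get("organization"),
        "software_headers": [h for h in SOFTWARE_HEADERS if h in headers],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HEADER).items():
        print(f"{key:18} {value}")
```

Run it and the report shows the posting IP twice over (NNTP-Posting-Host and X-Trace agree), the injecting server named both in Path and in the Message-ID, the ISP in Organization, and an empty list of newsreader headers. Everything except that last item was written by the server, which is why Allan says the poster can only ever control the From line and a handle.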
Re: Did I obfuscate my usenet newsreader & who I am in this posting?
Ernie B. in a fit of rage spewed
> On Mon, 02 Jul 2007 09:09:03 -0700 Jeff Liebermann wrote:
>
>> old777salt@yahoo hath wroth:
>>
>> >On Mon, 02 Jul 2007 05:38:19 GMT, Tamara <tamara_4198@hotmail.com>
>> >wrote:
>> >
>> >>Did I obfuscate my usenet newsreader and who I am in this posting?
>>
>> >NNTP-Posting-Host: 69.110.4.48
>> >In short, no.
>>
>> <http://www.geobytes.com/IpLocator.htm>
>> shows San Jose, CA.
>>
>> RDNS at:
>> http://www.dnsstuff.com/tools/ptr.ch?ip=69.110.4.48
>> shows adsl-69-110-4-48.dsl.pltn13.pacbell.net.
>> Your DSL DSLAM is PLTN13 and is in Pleasanton.
>>
>> I'll resist the temptation to probe your IP address directly for
>> additional information.
>>
> Your IP address can be pinged, so you aren't using a router or effective
> firewall. A visit to <http://www.grc.com/default.htm>, especially the
> ShieldsUP! site might be educational.
Gibson is a joke waiting for a punchline.
--
Lits Slut #9
Life would be so much easier if we could just look at the source code.
Re: Did I obfuscate my usenet newsreader & who I am in this posting?
Ernie B. in a fit of rage spewed
> On Mon, 02 Jul 2007 16:38:16 GMT FrozenNorth wrote:
>
>> Gibson is a joke waiting for a punchline.
>>
> You can do better? What's the URL for your site?
nmap
--
Lits Slut #9
Life would be so much easier if we could just look at the source code.
Re: Did I obfuscate my usenet newsreader & who I am in this posting?
Ernie B. <ebaresch_REMOVE_@cox._THIS_net> hath wroth:
>Your IP address can be pinged, so you aren't using a router or effective
>firewall.
My routers can be pinged. However, all have "no ip redirects" to
prevent Smurf attacks. Responding to ICMP ping is not necessarily a
security risk or indication of cluelessness.
>A visit to <http://www.grc.com/default.htm>, especially the
>ShieldsUP! site might be educational.
Steve Gibson is a mixed bag of useful and useless information. Much
of what he says is quite interesting. His tools are also quite good.
However, much of his alarmist rantings and incorrect conclusions are
rubbish. He's such a good writer, that I often have trouble making
the distinction. Tread carefully.
<http://cable-dsl.home.att.net/netbios.htm#ShieldsUp>
<http://grcsucks.com> (to 2004).
<http://en.wikipedia.org/wiki/Steve_Gibson>
ShieldsUP is fine for looking for open ports. There are other online
firewall checkers and port scanners that will do the same thing. I
prefer to run my own (offline) test using NMAP.
<http://omicron.hackerwhacker.com/freetools.php>
The problem I have with GRC is his analysis of the collected
information and what he considers a vulnerability. Using his
criteria, all open ports are evil, dangerous, and a security risk.
That's not the case as it really depends what is running on the open
port.
The original had nothing to do with wireless, and nothing to do with
security. It has to do with whether "Tamara?" can be identified.
However, topic drift is always fun.
Re: Did I obfuscate my usenet newsreader & who I am in this posting?
hmfic in a fit of rage spewed
> Ernie B. wrote:
>
>> Your IP address can be pinged, so you aren't using a router or
>> effective firewall.
>
> You trying to say you can't accept a ping if you use a router or a
> firewall?
Ernie isn't too bright.
--
Lits Slut #9
Life would be so much easier if we could just look at the source code.
Re: Did I obfuscate my usenet newsreader & who I am in this posting?
Ernie B. in a fit of rage spewed
> On Mon, 2 Jul 2007 17:31:30 +0000 (UTC) hmfic wrote:
>
>> Ernie B. wrote:
>>
>> > Your IP address can be pinged, so you aren't using a router or
>> > effective firewall.
>>
>> You trying to say you can't accept a ping if you use a router or a
>> firewall?
>>
> Nope. I'm saying that a router, if it's doing its job, or an effective
> firewall will reject pings. Try pinging my IP address and see what
> happens.
Ernie, you clueless idiot, your IP isn't in your headers, how the fsck is
someone going to ping it.
BTW, I reject pings too, but at least I know when I post that my IP is
blocked too.
--
Lits Slut #9
Life would be so much easier if we could just look at the source code.
Re: Did I obfuscate my usenet newsreader & who I am in this posting?
Jeff Liebermann wrote:
>
> Steve Gibson is a mixed bag of useful and useless information. Much
> of what he says is quite interesting. His tools are also quite good.
> However, much of his alarmist rantings and incorrect conclusions are
> rubbish. He's such a good writer, that I often have trouble making
> the distinction. Tread carefully.
> <http://cable-dsl.home.att.net/netbios.htm#ShieldsUp>
> <http://grcsucks.com> (to 2004).
> <http://en.wikipedia.org/wiki/Steve_Gibson>
>
> ShieldsUP is fine for looking for open ports. There are other online
> firewall checkers and port scanners that will do the same thing. I
> prefer to run my own (offline) test using NMAP.
> <http://omicron.hackerwhacker.com/freetools.php>
I've used Gibson's tools before, but I'm not familiar with Omicron. Can
the *average* user handle those tools [i.e. won't do more harm than
good trying them]?
bj
Re: Did I obfuscate my usenet newsreader & who I am in this posting?
chicagofan <me7@privacy.net> hath wroth:
>Jeff Liebermann wrote:
>>
>> Steve Gibson is a mixed bag of useful and useless information. Much
>> of what he says is quite interesting. His tools are also quite good.
>> However, much of his alarmist rantings and incorrect conclusions are
>> rubbish. He's such a good writer, that I often have trouble making
>> the distinction. Tread carefully.
>> <http://cable-dsl.home.att.net/netbios.htm#ShieldsUp>
>> <http://grcsucks.com> (to 2004).
>> <http://en.wikipedia.org/wiki/Steve_Gibson>
>>
>> ShieldsUP is fine for looking for open ports. There are other online
>> firewall checkers and port scanners that will do the same thing. I
>> prefer to run my own (offline) test using NMAP.
>> <http://omicron.hackerwhacker.com/freetools.php>
>I've used Gibson's tools before, but I'm not familiar with Omicron. Can
> the *average* user handle those tools [i.e. won't do more harm than
>good trying them]?
>bj
Huh? It's a simple menu driven web page. Click here to test your
security. I think even a below average user can handle that. Same
with Shields UP and other port scanners. They're easy to use. Hmmm...
the one on DSLReports.com is offline. There are also commercial "test
your security" services.
The problem is in interpreting the results. Most scanners will find
holes in the firewall installed by UPnP. Is that safe or a problem?
Well, that depends on your level of paranoia. Same with open ports on
8080 for remote admin or various ports for remote control. *YOU*
determine if it's safe or not. If in doubt, there are security
mailing lists and newsgroups that can help. Think of it like the
diagnostic scanner for your automobile. It gives you a number that
tells you what it finds. What you do with the number is your problem.
None of the scanners make any changes to your router, so I think it's
fairly safe to run them. My big worry is if the site is run by some
hacker that later comes back and uses the reports to attack the
scanned systems.
Incidentally, try running:
<http://www.pcflank.com/exploits.htm>
on your router. I've seen a few routers that hang on some of the
tests.
Re: Did I obfuscate my usenet newsreader & who I am in this posting?
Jeff Liebermann wrote:
> chicagofan <me7@privacy.net> hath wroth:
>> I've used Gibson's tools before, but I'm not familiar with Omicron. Can
>> the *average* user handle those tools [i.e. won't do more harm than
>> good trying them]?
>> bj
>
> Huh? It's a simple menu driven web page. Click here to test your
> security. I think even a below average user can handle that. Same
> with Shields UP and other port scanners. They're easy to use. Hmmm...
> the one on DSLReports.com is offline. There are also commercial "test
> your security" services.
>
> The problem is in interpreting the results. Most scanners will find
> holes in the firewall installed by UPnP. Is that safe or a problem?
Thanks for reminding me, I meant to disable UPnP when I got this laptop.
> None of the scanners make any changes to your router, so I think it's
> fairly safe to run them. My big worry is if the site is run by some
> hacker that later comes back and uses the reports to attack the
> scanned systems.
That's why I was looking for what sites the regulars here use. :)
> Incidentally, try running:
> <http://www.pcflank.com/exploits.htm>
> on your router. I've seen a few routers that hang on some of the
> tests.
Re: Did I obfuscate my usenet newsreader & who I am in this posting?
hmfic,
Virtually all firewalls and routers allow you to specify the action taken on
a WAN-side ping.
That said, I've also never seen one that didn't default to either 'ignore'
or 'discard'.
Allan
--
One asks, many answer, all learn - Plato, on the 'Forum
--
True civility is when every one gives to every other one every right
that they claim for themselves.
"hmfic" <hmfic@donotreply.com> wrote in message
news:f6bcpi$tmj$2@news.albasani.net...
> Ernie B. wrote:
>
Re: Did I obfuscate my usenet newsreader & who I am in this posting?
Ernie,
> ...but haven't found her name
Just haven't posted it, and wont. ;_)
Allan
--
One asks, many answer, all learn - Plato, on the 'Forum
--
True civility is when every one gives to every other one every right
that they claim for themselves.
"Ernie B." <ebaresch_REMOVE_@cox._THIS_net> wrote in message
news:MPG.20f304e825dbf06b98b22f@127.0.0.1...
> On Mon, 02 Jul 2007 10:31:46 -0700 Jeff Liebermann wrote:
>
>> Ernie B. <ebaresch_REMOVE_@cox._THIS_net> hath wroth:
>>
>> >Your IP address can be pinged, so you aren't using a router or effective
>> >firewall.
>>
>> My routers can be pinged. However, all have "no ip redirects" to
>> prevent Smurf attacks. Responding to ICMP ping is not necessarily a
>> security risk or indication of cluelessness.
>>
Re: Did I obfuscate my usenet newsreader & who I am in this posting?
Ernie B. <ebaresch_REMOVE_@cox._THIS_net> hath wroth:
>> <http://omicron.hackerwhacker.com/freetools.php>
>>
>I tried that site. It ran a scan but didn't show any results past "Scan
>Finished", just an icon for a broken connection.
It's not working today for some reason. It's certainly doing a port
scan on my router as indicated by my monitoring software. However,
the final report is essentially blank, as you discovered. My router
has so many open ports that it should have found at least one.
Here's some recommended and not so recommended security checkers:
<http://cable-dsl.home.att.net/#CheckSecurity>
I still prefer NMAP.
>> The original had nothing to do with wireless, and nothing to do with
>> security. It has to do with whether "Tamara?" can be identified.
>> However, topic drift is always fun.
>>
>Well, we've located her in Southern California but haven't found her name,
>SSN, etc. <g>
RDNS shows she's in San Jose CA and connected to PBI/SBC/at&t DSL via
the SBC router in Pleasanton.
Re: Did I obfuscate my usenet newsreader & who I am in this posting?
In alt.internet.wireless Jeff Liebermann <jeffl@cruzio.com> wrote:
> My routers can be pinged. However, all have "no ip redirects" to
> prevent Smurf attacks. Responding to ICMP ping is not necessarily a
> security risk or indication of cluelessness.
My router (and I hadn't noticed until someone else posted the problem here)
misunderstands the setting for anti-smurf and blocks hosts with addresses
ending in .0. I think it was a yahoo or hotmail site that was the example
given, but I found a few. At the time, I thought SMURF attacks were either
considered ineffective, or just not used any more.
I allow ping responses. I have one server on my network returning the ping
instead of the router, because returning ping from the router confuses some
people when that server is down, since "it" appears to be responding to
ping.
I see that Jeff goes out of his way to obfuscate his identity ;-)
Re: Did I obfuscate my usenet newsreader & who I am in this posting?
In alt.internet.wireless Tamara <tamara_4198@hotmail.com> wrote:
> Did I obfuscate my usenet newsreader and who I am in this posting?
Hard to say. Who are you? If you are not Tamara, don't have a hotmail
address, and don't live in San Jose, CA, then you might have done a pretty
good job.
--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5
>In alt.internet.wireless Jeff Liebermann <jeffl@cruzio.com> wrote:
>> My routers can be pinged. However, all have "no ip redirects" to
>> prevent Smurf attacks. Responding to ICMP ping is not necessarily a
>> security risk or indication of cluelessness.
>My router (and I hadn't noticed until someone else posted the problem here)
>misunderstands the setting for anti-smurf and blocks hosts with addresses
>ending in .0. I think it was a yahoo or hotmail site that was the example
>given, but I found a few. At the time, I thought SMURF attacks were either
>considered ineffective, or just not used any more.
I guess SMURF is still being used for DoS (denial of service) attacks.
However, most new routers default to not allowing redirected ICMP
packets, so it's probably ineffective.
I've had far too many arguments on whether IP's ending in .0 are
valid. Methinks they're NOT valid. For example, Windoze instantly
returns:
C:\>ping 192.168.1.0
Pinging 192.168.1.0 with 32 bytes of data:
Destination specified is invalid.
Destination specified is invalid.
Destination specified is invalid.
Destination specified is invalid.
My Unix box returns pings and dupes from most every device it sees in
the ARP table.
=> ping 192.168.111.0
PING 192.168.111.0 (192.168.111.0): 56 data bytes
64 bytes from comix (192.168.111.1): icmp_seq=0 ttl=255 time=10 ms
64 bytes from router (192.168.111.33): icmp_seq=0 ttl=64 time=120 ms (DUP!)
Such weird results would imply that ending in .0 is NOT a valid IP
address. That doesn't seem to stop some systems from using it. I've
noticed that I can never really ping such a server directly. It usually
shows up in a traceroute list, where I think it was intended to screw
up any attempts to probe the inside LAN or routing. Dunno.
>I allow ping responses. I have one server on my network returning the ping
>instead of the router, because returning ping from the router confuses some
>people when that server is down, since "it" appears to be responding to
>ping.
Good idea. I usually just care if the router is accessible.
>I see that Jeff goes out of his way to obfuscate his identity ;-)
Re: Did I obfuscate my usenet newsreader & who I am in this posting?
"Jeff Liebermann" <jeffl@cruzio.com> wrote in message
news:vp1a9315emnqh6hstpqe3vti6h1f7b5v5d@4ax.com...
> dold@63.usenet.us.com hath wroth:
>
>>In alt.internet.wireless Jeff Liebermann <jeffl@cruzio.com> wrote:
>>> My routers can be pinged. However, all have "no ip redirects" to
>>> prevent Smurf attacks. Responding to ICMP ping is not necessarily a
>>> security risk or indication of cluelessness.
>
>>My router (and I hadn't noticed until someone else posted the problem
>>here)
>>misunderstands the setting for anti-smurf and blocks hosts with addresses
>>ending in .0. I think it was a yahoo or hotmail site that was the example
>>given, but I found a few. At the time, I thought SMURF attacks were
>>either
>>considered ineffective, or just not used any more.
>
> I guess SMURF is still being used for DoS (denial of service) attacks.
> However, most new routers default to not allowing redirected ICMP
> packets, so it's probably ineffective.
* Isn't Smurf a Directed Broadcast attack? I remember living through them at
an ISP and watching large ethernet switches with their lights literally
throbbing. I think the setting for that is "no ip directed broadcast". There
are other recommended anti-DOS settings. Search for no ip directed broadcast
and smurf and some pop up on google.com.
>
> I've had far too many arguments on whether IP's ending in .0 are
> valid. Methinks they're NOT valid. For example, Windoze instantly
> returns:
> C:\>ping 192.168.1.0
> Pinging 192.168.1.0 with 32 bytes of data:
> Destination specified is invalid.
> Destination specified is invalid.
> Destination specified is invalid.
> Destination specified is invalid.
* Windows does that because you are on a /24 in 192.168.1.0, however if you
were on a /23 on 192.168.0.0 that ping would work just fine. In fact so
would file sharing and everything else. I just labbed this in Vmware
Workstation with 2 XP pro ... works like a charm. XP #1 is 192.168.0.10 /23
and XP #2 is 192.168.1.0. I put them on a separate Virtual Network to test
that because I didn't want to screw my actual network.
* If you had a /20 or such larger sized network you could very easily have
subnets bigger than the /24 "Class C" that most users think of. The only
reason not to use a .0 or a .255 these days is if it IS *THE* network or
subnet address TO YOU or TO YOUR ISP. If it doesn't need to be used as
either one of those, then it is FAIR GAME. This all depends on how your
network was assigned from your network provider, and how you have subnetted
it within your location. I worked for a cable ISP for a time and managed
such IP Space. I managed the equipment networks and the DHCP Servers for 2
cities. If my memory serves me right we assigned the whole space, for
example, in /21's, /22's, and /23's ... depending on how we arranged them.
Variable Length Subnet Mask and all that. I think end customers got .0
addresses assigned. Which was fine because to us it was not the network
address for a range, and the whole thing was ours from whoever we got it
from be it AT&T or ARIN. (I have read of some web sites not liking .0
addresses... I don't know how common or rare that is?)
>
> My Unix box returns pings and dupes from most every device it sees in
> the ARP table.
> => ping 192.168.111.0
> PING 192.168.111.0 (192.168.111.0): 56 data bytes
> 64 bytes from comix (192.168.111.1): icmp_seq=0 ttl=255 time=10 ms
> 64 bytes from router (192.168.111.33): icmp_seq=0 ttl=64 time=120 ms (DUP!)
* Unix does this because you are on that /24. You are pinging the whole
network. Not all hosts will recognize that, but some will.
Here's an example on 192.168.0.0/24:
# ping 192.168.0.0
Do you want to ping broadcast? Then -b
>
> Such weird results would imply that ending in .0 is NOT a valid IP
* Nope... Just not valid on a /24.
> address. That doesn't seem to stop some systems from using it. I've
> noticed that I can never really ping such a server directly. It usually
> shows up in a traceroute list, where I think it was intended to screw
> up any attempts to probe the inside LAN or routing. Dunno.
>
>>I allow ping responses. I have one server on my network returning the
>>ping
>>instead of the router, because returning ping from the router confuses
>>some
>>people when that server is down, since "it" appears to be responding to
>>ping.
>
> Good idea. I usually just care if the router is accessible.
>
>>I see that Jeff goes out of his way to obfuscate his identity ;-)
>
> It's called hiding in plain sight.
>
> --
> Jeff Liebermann jeffl@cruzio.com
Sorta. The source IP is forged so that the ICMP ping return goes to
the forged IP address instead of the originator.
<http://en.wikipedia.org/wiki/Smurf_attack>
<ftp://ftp.isi.edu/in-notes/rfc2267.txt>
<http://www.isi.edu/div7/ln/SMURF.policy.html>
>I remember living through them at
>an ISP and watching large ethernet switches with their lights literally
>throbbing. I think the setting for that is "no ip directed broadcast". There
>are other recommended anti-DOS settings. Search for no ip directed broadcast
>and smurf and some pop up on google.com.
The Cisco IOS fixes for Smurf attacks are:
no ip directed-broadcast
no ip redirects
no ip unreachables
no ip proxy-arp (not sure about this one)
Actually, only the "no ip directed-broadcast" has any effect on Smurf
attacks, but the other prevent attacks using similar redirection
mechanisms (e.g. fraggle).
>> I've had far too many arguments on whether IP's ending in .0 are
>> valid. Methinks they're NOT valid. For example, Windoze instantly
>> returns:
>> C:\>ping 192.168.1.0
>> Pinging 192.168.1.0 with 32 bytes of data:
>> Destination specified is invalid.
>* Windows does that because you are on a /24 in 192.168.1.0, however if you
>were on a /23 on 192.168.0.0 that ping would work just fine. In fact so
>would file sharing and everything else. I just labbed this in Vmware
>Workstation with 2 XP pro ... works like a charm. XP #1 is 192.168.0.10 /23
>and XP #2 is 192.168.1.0. I put them on a separate Virtual Network to test
>that because I didn't want to screw my actual network.
Hmmm... I've never tried .0 on a /23 network, but will do so at next
opportunity. I don't see how a /23 network makes any difference. The
active part of the address is all zero's in both /23 and /24.
>* If you had a /20 or such larger sized network you could very easily have
>subnets bigger than the /24 "Class C" that most users think of. The only
>reason not to use a .0 or a .255 these days is if it IS *THE* network or
>subnet address TO YOU or TO YOUR ISP. If it doesn't need to be used as
>either one of those, then it is FAIR GAME. This all depends on how your
>network was assigned from your network provider, and how you have subnetted
>it within your location. I worked for a cable ISP for a time and managed
>such IP Space. I managed the equipment networks and the DHCP Servers for 2
>cities. If my memory serves me right we assigned the whole space, for
>example, in /21's, /22's, and /23's ... depending on how we arranged them.
>Variable Length Subnet Mask and all that. I think end customers got .0
>addresses assigned. Which was fine because to us it was not the network
>address for a range, and the whole thing was ours from whoever we got it
>from be it AT&T or ARIN. (I have read of some web sites not liking .0
>addresses... I don't know how common or rare that is?)
Interesting. I didn't know that.
I know of 4 local ISP's that don't use .0 IP's as this is the network
IP address. .255 is the broadcast IP address. Locally, Comcast/at&t
uses /23 networks. I've never seen a .0 address on their networks,
but I wasn't looking for it. I'll check on what they're doing later.
># ping 192.168.0.0
>Do you want to ping broadcast? Then -b
No -b option on vintage SCO Unix 3.2v4.2 or under Cygwin.
It's there under Linux.
>> Such weird results would imply that ending in .0 is NOT a valid IP
>
>* Nope... Just not valid on a /24.
Well, the majority of the cheap home routers preferred by
alt.internet.wireless users are limited to /24 networks mostly thanks
to limited ARP table memory space. The routers just can't handle
larger networks. I think it fair to say that .0 is not a valid IP for
such small routers. (Yeah, I know that assumptions are the mother of
all screwups).
Re: Did I obfuscate my usenet newsreader & who I am in this posting?
"Jeff Liebermann" <jeffl@cruzio.com> wrote in message
news:pooo93tj6l60t37341d0ma4rnu7rucjlsi@4ax.com...
> "Alan Spicer" <aspicer@marinetelecom.net> hath wroth:
>
>>* Isn't Smurf a Directed Broadcast attack?
>
> Sorta. The source IP is forged so that the ICMP ping return goes to
> the forged IP address instead of the originator.
> <http://en.wikipedia.org/wiki/Smurf_attack>
> <ftp://ftp.isi.edu/in-notes/rfc2267.txt>
> <http://www.isi.edu/div7/ln/SMURF.policy.html>
* I think you're right. And by being directed broadcast I think it gets to
ping your inside network broadcast addresses so that every host so
configured to respond would respond... and that flood is sent back to an
attack victim which is not the sender. Many of these are done together to
really DoS the victim. I believe that most Internet routers block this at
the ISP/backbone level before it even gets to you. I wouldn't think that a
small home router would need to block that.
>
>>I remember living through them at
>>an ISP and watching large ethernet switches with their lights literally
>>throbbing. I think the setting for that is "no ip directed broadcast".
>>There
>>are other recommended anti-DOS settings. Search for no ip directed
>>broadcast
>>and smurf and some pop up on google.com.
>
> The Cisco IOS fixes for Smurf attacks are:
> no ip directed-broadcast
> no ip redirects
> no ip unreachables
> no ip proxy-arp (not sure about this one)
> Actually, only the "no ip directed-broadcast" has any effect on Smurf
> attacks, but the other prevent attacks using similar redirection
> mechanisms (e.g. fraggle).
* Exactly... Nice info.!
>
>>> I've had far too many arguments on whether IP's ending in .0 are
>>> valid. Methinks they're NOT valid. For example, Windoze instantly
>>> returns:
>>> C:\>ping 192.168.1.0
>>> Pinging 192.168.1.0 with 32 bytes of data:
>>> Destination specified is invalid.
>
>>* Windows does that because you are on a /24 in 192.168.1.0, however if
>>you
>>were on a /23 on 192.168.0.0 that ping would work just fine. In fact so
>>would file sharing and everything else. I just labbed this in Vmware
>>Workstation with 2 XP pro ... works like a charm. XP #1 is 192.168.0.10
>>/23
>>and XP #2 is 192.168.1.0. I put them on a separate Virtual Network to test
>>that because I didn't want to screw my actual network.
>
> Hmmm... I've never tried .0 on a /23 network, but will do so at next
> opportunity. I don't see how a /23 network makes any difference. The
> active part of the address is all zero's in both /23 and /24.
* It makes a difference because, for example, 192.168.0.0 /23 is the
following subnet:
Subnet       Mask           Size  Host Range                    Broadcast
192.168.0.0  255.255.254.0  510   192.168.0.1 to 192.168.1.254  192.168.1.255
The all zeroes or network address is 192.168.0.0, the all ones or broadcast
address is 192.168.1.255. In between lies 192.168.1.0, which in this context
(a /23) isn't being looked at like a network address for the old class C (or
now /24), but as a single IP address. And it's quite valid to do this with
even an RFC 1918 chunk... on someone's "private" network. Although I doubt,
as you do, that most on here or anywhere would do that. It's fun though ;-)
(This address is probably not "all ones" because actually you are using 9
bits for the host portion instead of just 8. The "1." or "1.0" has a 1 in it.)
* That probably doesn't line up correctly in here. But subnet calculator
with CIDR will show that.
>
>>* If you had a /20 or such larger sized network you could very easily have
>>subnets bigger than the /24 "Class C" that most users think of. The only
>>reason not to use a .0 or a .255 these days is if it IS *THE* network or
>>subnet address TO YOU or TO YOUR ISP. If it doesn't need to be used as
>>either one of those, then it is FAIR GAME. This all depends on how your
>>network was assigned from your network provider, and how you have
>>subnetted
>>it within your location. I worked for a cable ISP for a time and managed
>>such IP Space. I managed the equipment networks and the DHCP Servers for 2
>>cities. If my memory serves me right we assigned the whole space, for
>>example, in /21's, /22's, and /23's ... depending on how we arranged them.
>>Variable Length Subnet Mask and all that. I think end customers got .0
>>addresses assigned. Which was fine because to us it was not the network
>>address for a range, and the whole thing was ours from whoever we got it
>>from be it AT&T or ARIN. (I have read of some web sites not liking .0
>>addresses... I don't know how common or rare that is?)
>
> Interesting. I didn't know that.
>
> I know of 4 local ISP's that don't use .0 IP's as this is the network
> IP address. .255 is the broadcast IP address. Locally, Comcast/at&t
> uses /23 networks. I've never seen a .0 address on their networks,
> but I wasn't looking for it. I'll check on what they're doing later.
>># ping 192.168.0.0
>>Do you want to ping broadcast? Then -b
>
> No -b option on vintage SCO Unix 3.2v4.2 or under Cygwin.
> It's there under Linux.
* Probably don't have that in SunOS/Solaris either. I'll have to fire up my
Solaris 9 Intel lab and try it.
>
>>> Such weird results would imply that ending in .0 is NOT a valid IP
>>
>>* Nope... Just not valid on a /24.
>
> Well, the majority of the cheap home routers preferred by
> alt.internet.wireless users are limited to /24 networks mostly thanks
> to limited ARP table memory space. The routers just can't handle
> larger networks. I think it fair to say that .0 is not a valid IP for
> such small routers. (Yeah, I know that assumptions are the mother of
> all screwups).
* Yep... but you might be right about the memory issue. And you're
definitely right about most home router users... And you definitely know
your RF stuff, which I've been enjoying on here by the way.
>"Jeff Liebermann" <jeffl@cruzio.com> wrote in message
>news:pooo93tj6l60t37341d0ma4rnu7rucjlsi@4ax.com...
>> "Alan Spicer" <aspicer@marinetelecom.net> hath wroth:
>>
>>>* Isn't Smurf a Directed Broadcast attack?
>>
>> Sorta. The source IP is forged so that the ICMP ping return goes to
>> the forged IP address instead of the originator.
>> <http://en.wikipedia.org/wiki/Smurf_attack>
>> <ftp://ftp.isi.edu/in-notes/rfc2267.txt>
>> <http://www.isi.edu/div7/ln/SMURF.policy.html>
>
>* I think you're right.
I'm always right. Well... maybe usually right.
Looks like Smurf is alive and well:
<http://www.powertech.no/smurf/>
Old exploits never die and just fade away.
Try the Smurf test probe.
My DD-WRT SP3 v3 6/20/2007 box yielded:
Your probe of 63.249.85.127/24 yielded the following results:
Network: 63.249.85.0, Netmask: 255.255.255.0, Broadcast:
63.249.85.255, Responded: Yes (broadcast=1, network=1), Duplicates: 0
CONCLUSION: The network responded, but returned no dups. OK network.
>And by being directed broadcast I think it gets to
>ping your inside network broadcast addresses so that every host so
>configured to respond would respond... and that flood is sent back to an
>attack victim which is not the sender.
It could flood the LAN if the ACL (access control list) did not block
RFC1918 non-routable IP's. If the packet's source IP were to appear
to be coming from the inside LAN, it would create a very effective DoS
attack but for only trashing the inside LAN. There would be no return
IP pointing to any outside IP's. Something like this, where the
router blocks inbound traffic on IP's known to be on the inside LAN and
are therefore subject to source IP spoofing:
# access-list 101 deny ip host 0.0.0.0 any log
# access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
# access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
# access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
# access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
# access-list 101 deny ip host 255.255.255.255 any log
# access-list 101 deny ip 169.254.0.0 0.0.255.255 any log
# access-list 101 deny ip 0.0.0.0 0.255.255.255 any log
followed by a list of allows. I lifted this from the Cisco router FAQ
on DSLReports.
>Many of these are done together to
>really DoS the victim. I believe that most Internet routers block this at
>the ISP/backbone level before it even gets to you. I wouldn't think that a
>small home router would need to block that.
Agreed. However, I'm not a router expert and am not sure it works
this way. Incidentally, PC Flank router exploits test:
<http://www.pcflank.com/exploits.htm>
I can hang a few routers and firmware versions with some of these
tests. Sorry, but no Smurf test:
<http://www.pcflank.com/expl_d.htm>
Incidentally, a router that responds to broadcast address from outside
ICMP redirects is called a "smurf amplifier". One packet in can
yield 255 packets out per broadcast address.
>The all zeroes or network is on 192.168.0.0, the all ones or broadcast is on
>192.168.1.255
OK, so far so good.
>In between lies 192.168.1.0, which in this context (a /23) isn't being looked
>at like a network address for the old class C (or now /24), but as a single IP
>Address. And it's quite valid to do this with even an RFC 1918 chunk... on
>someone's "private" network. Although I doubt, as you do, that most on here or
>anywhere would do that. It's fun though ;-)
Looked at by what like a network address? When I apply a bitwise
netmask to an address, everything that's a 1 in 255.255.254.0 gets
converted to zeros. In this case, I have 23 binary zeros, followed by
9 valid bits. In the more common case of 255.255.255.0, I get 24
binary zeros, followed by 8 valid bits. However, in BOTH cases, all
the bits are zero so there's no way for the PAD (packet
assembler/disassembler) to distinguish between these two cases. I'm
lost, but suspect I'm missing something obvious (or dumb) as I know
that some systems are using .0 as a valid IP. I'll do some reading
and playing with a netmask calculator, later.
>> No -b option on vintage SCO Unix 3.2v4.2 or under Cygwin.
>> It's there under Linux.
>
>* Probably don't have that in SunOS/Solaris either. I'll have to fire up my
>Solaris 9 Intel lab and try it.
Also -b is not available in FreeBSD.
I usually use fping for MSDOS in order to get better timing
resolution.
<http://www.kwakkelflap.com/fping.html>
It uses -b for:
-b : beep on every successful reply (- to beep on timeout)
No options for broadcasts. Oh well.
At least it doesn't screw up like Windoze ping and Unix:
C:\>fping 192.168.111.0
Fast pinger version 2.16
(c) Wouter Dhondt (http://www.kwakkelflap.com)
Pinging 192.168.111.0 with 32 bytes of data every 1000 ms:
192.168.111.0: request timed out
192.168.111.0: request timed out
(etc...)
More than you ever needed (or wanted) to know about ping:
<http://www.ping127001.com/pingpage.htm>
>* Yep... but you might be right about the memory issue. And you're
>definitely right about most home router users...
Many cheap wireless routers don't even have enough table space and
scratch RAM to handle a minimal number of connections. For example,
note the rather limited number of connections allowed by some bottom
of the chart routers:
<http://www.smallnetbuilder.com/component/option,com_chart/Itemid,189/chart,124/>
I confirmed some of the numbers with a home made simulator that will
rapidly rotate through a list of MAC addresses, thus simulating
multiple simultaneous connections.
>And you definitely know
>your RF stuff, which I've been enjoying on here by the way.
Also, your answers to wireless questions are also quite good. I've
been waiting for you to make a mistake, so I can pounce, but haven't
found any yet.
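The deny list Jeff quotes above is an ingress anti-spoofing filter: packets arriving on the WAN side with a source address that can only exist inside (or that is not a valid unicast source at all) are dropped and logged before the allow list is consulted. The following is an added example, not code from the thread, from Cisco, or from the DSLReports FAQ: it parses those exact eight lines (Cisco wildcard masks, where a 0 bit means "must match") into Python prefixes and evaluates a constructed set of inbound source addresses against them. Treating "no deny entry matched" as "permit" is an assumption standing in for the "list of allows" the post says follows.

```python
"""Evaluate the quoted ingress anti-spoofing deny list against sample packets.

Added example, not from the thread, Cisco or DSLReports. The ACL lines are the
ones quoted in the post; the inbound packet samples below are constructed.
"""
import ipaddress

# The deny entries exactly as quoted in the post.
ACL_DENY_LINES = [
    "access-list 101 deny ip host 0.0.0.0 any log",
    "access-list 101 deny ip 10.0.0.0 0.255.255.255 any log",
    "access-list 101 deny ip 172.16.0.0 0.15.255.255 any log",
    "access-list 101 deny ip 192.168.0.0 0.0.255.255 any log",
    "access-list 101 deny ip 127.0.0.0 0.255.255.255 any log",
    "access-list 101 deny ip host 255.255.255.255 any log",
    "access-list 101 deny ip 169.254.0.0 0.0.255.255 any log",
    "access-list 101 deny ip 0.0.0.0 0.255.255.255 any log",
]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco wildcard mask into a prefix.

    A wildcard is the bitwise inverse of a netmask: 0.15.255.255 -> 255.240.0.0
    (/12). Non-contiguous wildcards have no prefix form and raise ValueError.
    """
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


def parse_deny(line: str) -> ipaddress.IPv4Network:
    """Parse one 'access-list 101 deny ip <source> any log' line into a network."""
    tokens = line.split()
    if tokens[:4] != ["access-list", "101", "deny", "ip"]:
        raise ValueError(f"not a deny entry for list 101: {line!r}")
    if tokens[4] == "host":                      # 'host X' means X/32
        return ipaddress.IPv4Network(tokens[5] + "/32")
    return wildcard_to_network(tokens[4], tokens[5])


DENY_NETS = [parse_deny(line) for line in ACL_DENY_LINES]


def inbound_verdict(src_ip: str) -> str:
    """First matching deny entry wins, as in a Cisco ACL; otherwise 'permit'.

    'permit' here stands in for the allow list that follows in the post
    (assumption: nothing else in the ACL denies these sources).
    """
    src = ipaddress.IPv4Address(src_ip)
    for net in DENY_NETS:
        if src in net:
            return "deny"
    return "permit"


# Constructed inbound source addresses as they might be seen on the WAN side.
SAMPLE_INBOUND = [
    ("192.168.1.77",    "spoofed inside-LAN source arriving from the outside"),
    ("10.20.30.40",     "RFC 1918 10/8 source"),
    ("172.31.255.254",  "top of the RFC 1918 172.16/12 block"),
    ("172.32.0.1",      "just outside 172.16/12, so not caught by that entry"),
    ("127.0.0.1",       "loopback source on the wire"),
    ("169.254.10.5",    "link-local source"),
    ("0.0.0.0",         "unspecified source"),
    ("255.255.255.255", "limited-broadcast source"),
    ("198.51.100.23",   "ordinary public source (TEST-NET-2 documentation range)"),
]


def evaluate_samples() -> dict:
    """Map each constructed source address to the ACL verdict."""
    return {ip: inbound_verdict(ip) for ip, _ in SAMPLE_INBOUND}


if __name__ == "__main__":
    for net, line in zip(DENY_NETS, ACL_DENY_LINES):
        print(f"{line:<55} -> {net}")
    for ip, why in SAMPLE_INBOUND:
        print(f"{ip:<16} {inbound_verdict(ip):<7} {why}")
```

The point the post makes, that a spoofed inside source can only trash the inside LAN, is exactly what the 192.168/16 entry prevents: a packet claiming to come from 192.168.1.77 has no business arriving on the WAN interface, so it is dropped before it can reach the LAN broadcast address. The 172.32.0.1 sample shows why the wildcard has to be converted correctly; an off-by-one in the mask would either let 172.31.x.x through or wrongly drop legitimate 172.32.x.x sources.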
Re: Did I obfuscate my usenet newsreader & who I am in this posting?
----- Original Message -----
From: "Jeff Liebermann" <jeffl@cruzio.com>
Newsgroups:
misc.news.internet.discuss,alt.internet.wireless,alt.hackers.malicious
Sent: Tuesday, July 17, 2007 5:45 PM
Subject: Re: Did I obfuscate my usenet newsreader & who I am in this
posting?
>>* I think you're right.
>
> I'm always right. Well... maybe usually right.
* :-)
>
> Looks like Smurf is alive and well:
> <http://www.powertech.no/smurf/>
> Old exploits never die and just fade away.
>
> Try the Smurf test probe.
> My DD-WRT SP3 v3 6/20/2007 box yielded:
> Your probe of 63.249.85.127/24 yielded the following results:
> Network: 63.249.85.0, Netmask: 255.255.255.0, Broadcast:
> 63.249.85.255, Responded: Yes (broadcast=1, network=1), Duplicates: 0
> CONCLUSION: The network responded, but returned no dups. OK network.
* But do you really have a /24 network on 63.249.85.0 ? whois says it is a
/18 on Cruzio. I wouldn't think that most users on here would have a /24 or
any network besides probably a /32 (single host) on the Public IP Address
they are on. Most backbones don't typically route anything as small as a
/24. The local ISP or Network provider could route a /24 as a subnet off of
a large IP space.
* I did try mine, as both a /32 and a /24 ... I think I even tried /16
although I kept hoping I wouldn't piss Bellsouth/AT&Ipod with that.
>
>>And by being directed broadcast I think it gets to
>>ping your inside network broadcast addresses so that every host so
>>configured to respond would respond... and that flood is sent back to an
>>attack victim which is not the sender.
>
> It could flood the LAN if the ACL (access control list) did not block
> RFC1918 non-routable IP's. If the packet's source IP were to appear
> to be coming from the inside LAN, it would create a very effective DoS
> attack but for only trashing the inside LAN. There would be no return
> IP pointing to any outside IP's. Something like this, where the
> router blocks inbound traffic on IP's known to be on the inside LAN and
> are therefore subject to source IP spoofing:
> # access-list 101 deny ip host 0.0.0.0 any log
> # access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
> # access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
> # access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
> # access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
> # access-list 101 deny ip host 255.255.255.255 any log
> # access-list 101 deny ip 169.254.0.0 0.0.255.255 any log
> # access-list 101 deny ip 0.0.0.0 0.255.255.255 any log
> followed by a list of allows. I lifted this from the Cisco router FAQ
> on DSLReports.
* I think all of that would not even get to a typical user's Internet Router.
Backbones typically would have dropped all of that already.
>
>>Many of these are done together to
>>really DoS the victim. I believe that most Internet routers block this at
>>the ISP/backbone level before it even gets to you. I wouldn't think that a
>>small home router would need to block that.
>
> Agreed. However, I'm not a router expert and am not sure it works
> this way. Incidentally, PC Flank router exploits test:
> <http://www.pcflank.com/exploits.htm>
> I can hang a few routers and firmware versions with some of these
> tests. Sorry, but no Smurf test:
> <http://www.pcflank.com/expl_d.htm>
> Incidentally, a router that responds to broadcast address from outside
> ICMP redirects is called a "smurf amplifier". One packet in can
> yield 255 packets out per broadcast address.
>
>>The all zeroes or network is on 192.168.0.0, the all ones or broadcast is
>>on
>>192.168.1.255
>
> OK, so far so good.
>
>>In between lies 192.168.1.0, which in this context (a /23) isn't being
>>looked at like a network address for the old class C (or now /24), but as a
>>single IP Address. And it's quite valid to do this with even an RFC 1918
>>chunk... on someone's "private" network. Although I doubt, as you do, that
>>most on here or anywhere would do that. It's fun though ;-)
>
> Looked at by what like a network address? When I apply a bitwise
> netmask to an address, everything that's a 1 in 255.255.254.0 gets
> converted to zeros. In this case, I have 23 binary zeros, followed by
> 9 valid bits. In the more common case of 255.255.255.0, I get 24
> binary zeros, followed by 8 valid bits. However, in BOTH cases, all
> the bits are zero so there's no way for the PAD (packet
> assembler/disassembler) to distinguish between these two cases. I'm
> lost, but suspect I'm missing something obvious (or dumb) as I know
> that some systems are using .0 as a valid IP. I'll do some reading
> and playing with a netmask calculator, later.
Anything with a TCP/IP stack in it which is configured with that network
mask. Of course you could muck that up by configuring one computer as a /23
and another one as a /24. I remember when I was consulting in a cable
company we had a 192.168.x.x/24 office network and one of our Internet Call
Center agents configured his workstation as a /25. That was fun... I forget
what exactly the symptom was but he couldn't get to something important.
* You're not going to make me do binary "AND" by hand are you now? I don't
do this kind of labor :-) I'm just kidding. (next thing you know you're
going to expect me to know how to wire and crimp RJ45 connectors ;-)
white-orange, orange, white-green, blue, white-blue, green, white-brown,
brown. Reverse the oranges and greens to get a cross-over on one end of the
cable.
* Router would consider 192.168.0.0 to be the network. With 9 bits being for
hosts. That's 512 hosts. Minus 2 for the network and broadcast equals 510
hosts. If you really wanted to subnet that as 2 Class C's or /24's then that
would likely destroy us being able to ping 192.168.1.0 as a host IP Address.
* Lammle CCNA book was good at describing how to figure subnets, network
address, broadcast address, number of ip's, and next subnet address after
the one you're currently working with. The Cisco books are good as well. As
you get into CCNP or CCDP level it starts to get deeper into Subnetting and
Supernetting, aggregating addresses so as to keep the routes broad enough so
the BIG routers don't have to have too many routes. And Routing Protocols.
Yum! Yum!
I wouldn't have a battle on here or anywhere with a CCIE. I'd most
definitely lose.
>>And you definitely know
>>your RF stuff, which I've been enjoying on here by the way.
>
> Also, your answers to wireless questions are also quite good. I've
> been waiting for you to make a mistake, so I can pounce, but haven't
> found any yet.
>
* Feel free to pounce. I'll try not to take it personally. I promise not to
say anything about your use of "computah"... oooops!
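Both the subnet table at the top of this exchange (192.168.0.0/23 with 510 hosts) and Jeff's question about the bitwise AND come down to the same arithmetic: the mask decides how many low bits belong to the host, and .0 is only "the network" when every one of those host bits is zero. The following is an added example, not from either poster or from any CCNA text, that does the AND explicitly and reports what a given address is under a given prefix; it also reproduces the table row and shows Alan's /24-versus-/25 misconfiguration symptom. The 192.168.5.x addresses in the mismatch check are constructed for the demonstration.

```python
"""Subnet arithmetic behind the /23 discussion. Added example, not from the thread.

Shows why 192.168.1.0 is an ordinary host under 255.255.254.0 but the network
address under 255.255.255.0, and why two hosts with different masks disagree
about who is on-link.
"""
import ipaddress


def classify(addr: str, prefix: int) -> dict:
    """Apply the mask and say what role the address plays under it."""
    ip = ipaddress.IPv4Address(addr)
    net = ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)
    host_bits = 32 - prefix
    # hostmask is the inverse of the netmask; AND with it keeps only the host bits.
    host_part = int(ip) & int(net.hostmask)
    if host_bits == 0:
        role = "single host (/32)"
    elif host_part == 0:
        role = "network address"
    elif host_part == int(net.hostmask):
        role = "broadcast address"
    else:
        role = "host address"
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "host_bits": host_bits,
        # Host portion in binary, padded to the number of host bits; the /23
        # case has 9 bits and the top one is set for anything in 192.168.1.x.
        "host_part": format(host_part, f"0{host_bits}b") if host_bits else "",
        "role": role,
    }


def subnet_table_row(cidr: str) -> tuple:
    """Rebuild one row of the table: subnet, mask, usable size, first, last, broadcast."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    host_bits = 32 - net.prefixlen
    # /31 and /32 have no separate network/broadcast addresses to subtract.
    usable = net.num_addresses - 2 if host_bits >= 2 else net.num_addresses
    hosts = list(net.hosts())
    return (
        str(net.network_address),
        str(net.netmask),
        usable,
        str(hosts[0]),
        str(hosts[-1]),
        str(net.broadcast_address),
    )


def on_link(local: str, local_prefix: int, peer: str) -> bool:
    """Would 'local' ARP for 'peer' directly, or send it to the gateway?"""
    return ipaddress.IPv4Address(peer) in ipaddress.IPv4Network(
        f"{local}/{local_prefix}", strict=False
    )


def mask_mismatch_demo() -> dict:
    """Constructed: one workstation on a /24 office LAN is set to /25 by mistake."""
    good, bad, peer = "192.168.5.10", "192.168.5.10", "192.168.5.200"
    return {
        "correct_/24_sees_peer_on_link": on_link(good, 24, peer),
        "misconfigured_/25_sees_peer_on_link": on_link(bad, 25, peer),
    }


if __name__ == "__main__":
    print("Subnet       Mask           Size  First        Last           Broadcast")
    print("%-12s %-14s %-5d %-12s %-14s %s" % subnet_table_row("192.168.0.0/23"))
    for prefix in (23, 24):
        print(f"192.168.1.0/{prefix}:", classify("192.168.1.0", prefix))
    print(mask_mismatch_demo())
```

Under /23 the host portion of 192.168.1.0 is 100000000 (nine bits, top bit set), so the stack treats it as the 256th host of 192.168.0.0/23 and nothing else; only under /24 do all eight host bits come out zero, which is the case Jeff describes. The mismatch check shows the symptom Alan remembers: the /25 workstation decides 192.168.5.200 is off-link and hands the packet to the default gateway, while every /24 neighbour simply ARPs for it.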
>> Looks like Smurf is alive and well:
>> <http://www.powertech.no/smurf/>
>> Old exploits never die and just fade away.
>>
>> Try the Smurf test probe.
>> My DD-WRT SP3 v3 6/20/2007 box yielded:
>> Your probe of 63.249.85.127/24 yielded the following results:
>> Network: 63.249.85.0, Netmask: 255.255.255.0, Broadcast:
>> 63.249.85.255, Responded: Yes (broadcast=1, network=1), Duplicates: 0
>> CONCLUSION: The network responded, but returned no dups. OK network.
>
>* But do you really have a /24 network on 63.249.85.0 ?
No. I forgot to include the /32 and the tester defaulted to /24. With
the proper /32 mask, I get:
Your probe of 63.249.85.127/32 yielded the following results:
Network: 63.249.85.127, Netmask: 255.255.255.255, Broadcast:
63.249.85.127, Responded: Yes (broadcast=1, network=1), Duplicates: 0
CONCLUSION: The network responded, but returned no dups. OK network.
Sorry for the muddle.
>* I did try mine, as both a /32 and a /24 ... I think I even tried /16
>although I kept hoping I wouldn't piss Bellsouth/AT&Ipod with that.
Port scans and NMAP probes are so common these daze that unless it's
being done continuously, nobody notices. I think I see about 3 of
these per week, some lasting for hours.
>* You're not going to make me do binary "AND" by hand are you now? I don't
>do this kind of labor :-) I'm just kidding.
It's as easy as learning to count binary on one finger.
>(next thing you know you're
>going to expect me to know how to wire and crimp RJ45 connectors ;-)
>white-orange, orange, white-green, blue, white-blue, green, white-brown,
>brown. Reverse the oranges and greens to get a cross-over on one end of the
>cable.
I cross over all 4 pairs so that my crossover cable works with Gigabit
ethernet. The only reason to leave two pairs straight through is if
you're sharing the CAT5 with POTS lines. See 2nd chart at:
<http://en.wikipedia.org/wiki/Ethernet_crossover_cable>
Free IP and netmask calculator.
<http://www.wildpackets.com/products/free_utilities/overview>