Re: IPS Testing

From: Daniel Clemens (daniel.clemens@packetninjas.net)
Date: Mon Jan 14 2008 - 17:23:30 EST


>> On Thu, 2008-01-03 at 14:26 +0530, pentestr wrote:
>>
>>> Hi,
>>>
>>> I am doing a PT for a customer and found that after running nessus
>>> against the target our IP is getting blocked permanently. I want
>>> to show this issue to the customer.
>>> 1. Is there any specific tool that can generate nessus traffic by
>>> spoofing IPs?
>>> 2. Is there any tool that can change IP on the fly? While running
>>> nessus that should change source IP?

You can spoof your IP with Nmap, or even unicornscan.
The problem is you will basically be spoofing the initial SYN
request, assuming your upstream provider doesn't do ingress/egress
filtering.

>
> I want to confirm this issue of the IPS. If the IPS is blocking
> traffic then by spoofing other IP I can block service to them and it
> will become a CRITICAL issue because an attacker can spoof IP ranges
> and it could lead to DOS.
>

If you're trying to prove this point you may want to spoof traffic
coming from all the DNS root servers or traffic coming from 127.0.0.1
and the upstream routers of your client's subnet.

-Daniel Clemens
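
The defender-side counterpart to the point above, as an added example that is not part of the original message: an IPS auto-block decision that never blocks protected sources and never blocks on a lone SYN, since only a completed handshake shows the source address was not forged. The function names, the event fields and the addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

# Constructed placeholders (documentation ranges), not values from the thread:
# sources an IPS must never auto-block because losing them breaks the site.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8",        # loopback, which should never arrive on the wire
    "198.51.100.53/32",   # stand-in for a DNS server the site depends on
    "203.0.113.1/32",     # stand-in for the upstream router
)]

def block_decision(event, never_block=NEVER_BLOCK):
    """Return (action, reason) for one IPS alert.

    event: dict with 'src' (source IP string) and 'handshake_done'
    (True when the TCP three-way handshake completed, so the source
    address was reachable and is unlikely to be forged).
    """
    src = ipaddress.ip_address(event["src"])
    for net in never_block:
        if src in net:
            return ("alert_only", f"{src} is in protected network {net}")
    if not event["handshake_done"]:
        # A lone SYN proves nothing about who sent it.
        return ("alert_only", f"{src} unverified: no completed handshake")
    return ("block", f"{src} verified by completed handshake")

def evaluate(events):
    """Map each alert to (source, action) in input order."""
    return [(e["src"], block_decision(e)[0]) for e in events]

# Constructed sample alerts, not captured traffic.
SAMPLE_EVENTS = [
    {"src": "192.0.2.10", "handshake_done": True},
    {"src": "192.0.2.77", "handshake_done": False},
    {"src": "198.51.100.53", "handshake_done": False},
    {"src": "127.0.0.1", "handshake_done": True},
]

if __name__ == "__main__":
    for src, action in evaluate(SAMPLE_EVENTS):
        print(f"{src:15} -> {action}")
```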




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:20 EDT