
Re: Toad Hop
On Sun, 7 Jan 1996, John Young wrote:
> Quoting some body:
>    On Christmas Day 1994 the attack begins.
> 
>    First, the intruder breaks into a California Internet site
>    that bears the cryptic name toad.com. Working from this
>    machine, the intruder issues seven commands to see who's
>    logged on to Shimomura's workstation, and if he's sharing
>    files with other machines.

From Shimomura's mail last January:

: The IP spoofing attack started at about 14:09:32 PST on 12/25/94.  The first
: probes were from toad.com (this info derived from packet logs):
: 
: 14:09:32 toad.com# finger -l @target
: 14:10:21 toad.com# finger -l @server
: 14:10:50 toad.com# finger -l root@server
: 14:11:07 toad.com# finger -l @x-terminal
: 14:11:38 toad.com# showmount -e x-terminal
: 14:11:49 toad.com# rpcinfo -p x-terminal
: 14:12:05 toad.com# finger -l root@x-terminal

>    Then the automatic spoofing attack begins. It will all be
>    over in sixteen seconds. The prediction packet attack
>    program fires off a flurry of packets to busy out the
>    trusted Internet server so it can't respond. Next, the
>    program sends twenty more packets to Shimomura's UNIX
>    workstation.

Again, quoting Shimomura's mail:

: About six minutes later, we see a flurry of TCP SYNs (initial connection
: requests) from 130.92.6.97 to port 513 (login) on server...
: 130.92.6.97 appears to be a random (forged) unused address (one that will 
: not generate any response to packets sent to it)...

Given that this was a _spoofing_ attack, mayhaps the packets from toad.com 
were also forgeries. Anyone in the know?


- PS
--
Ng Pheng Siong <[email protected]>
NetCentre Pte Ltd * Singapore

Finger for PGP key.
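The part of the attack that Shimomura's trace makes observable on the wire is the burst of SYNs from an address that never answers, aimed at one service (port 513) on the trusted server. As an added example, not taken from this thread or from Shimomura's post, the following Python detector flags exactly that half-open pattern in a packet log; the log lines, their tcpdump-like format and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log in a simplified tcpdump-style format (assumed here:
# "HH:MM:SS.frac src.port > dst.service: FLAG ..."). 130.92.6.97 sends SYNs to
# server's login service and never follows up; x-terminal completes a handshake.
SAMPLE_LOG = """\
14:18:22.516699 130.92.6.97.600 > server.login: S 1382726960:1382726960(0) win 4096
14:18:22.566069 130.92.6.97.601 > server.login: S 1382726961:1382726961(0) win 4096
14:18:22.744477 130.92.6.97.602 > server.login: S 1382726962:1382726962(0) win 4096
14:18:22.830111 130.92.6.97.603 > server.login: S 1382726963:1382726963(0) win 4096
14:18:22.886128 130.92.6.97.604 > server.login: S 1382726964:1382726964(0) win 4096
14:18:22.943514 130.92.6.97.605 > server.login: S 1382726965:1382726965(0) win 4096
14:18:25.779920 x-terminal.1023 > server.login: S 1382750000:1382750000(0) win 4096
14:18:25.780218 x-terminal.1023 > server.login: . ack 1 win 4096
""".splitlines()

LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d+)\s+(\S+?)\.(\d+) > (\S+?)\.(\S+): ([S.])")

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, frac, src, _sport, dst, dport, flag = m.groups()
    t = int(h) * 3600 + int(mi) * 60 + int(s) + float("0." + frac)
    return {"t": t, "src": src, "dst": dst, "dport": dport, "syn": flag == "S"}

def detect_syn_flood(lines, window=2.0, threshold=5):
    """Return {(src, dst, service): n} for sources that send >= threshold SYNs
    within any window-second span and never send a non-SYN segment, i.e. the
    half-open pattern of an address that cannot (or will not) finish the handshake."""
    syns, completed = defaultdict(list), set()
    for p in filter(None, map(parse, lines)):
        key = (p["src"], p["dst"], p["dport"])
        (syns[key].append(p["t"]) if p["syn"] else completed.add(key))
    alerts = {}
    for key, times in syns.items():
        if key in completed:
            continue  # this source completed a handshake: not half-open
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):  # sliding window over sorted SYN times
            while times[j] < t - window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            alerts[key] = best
    return alerts

if __name__ == "__main__":
    for (src, dst, svc), n in detect_syn_flood(SAMPLE_LOG).items():
        print(f"possible SYN flood: {n} half-open SYNs from {src} to {dst}.{svc}")
```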