SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Friday, April 14th 2017

SANS ISC Handlers

News, Tech News

🗓️ 14 April 2017

⏱️ 6 minutes

Summary

Daily 5 min infosec news summary. News, patches, vulnerabilities and trends in information security. Filter Packets By Process; C-LDAP DDoS;

Transcript

0:00.0

Hello, welcome to the Friday, April 14th, 2017 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich,

0:09.5

and today I'm recording from Orlando, Florida. Pretty interesting diary today by Rob about how to use netsh to capture packets for a specific process. If you're using tcpdump or

0:23.7

Wireshark to collect packets, then of course you're losing the information as to which process

0:30.7

did create packets or receive them. Well, turns out if you are collecting network packets directly in netsh, then this information is retained and you can later filter by it.

0:44.3

In order to do so, you need to load the netsh capture in Microsoft Message Analyzer, which allows you to then select messages, which include packets, by process, and from

0:58.0

there you can export these packets into a PCAP file for further analysis.

1:05.8

And Akamai is reporting that they're seeing large denial of service attacks that use connectionless LDAP as an

1:13.9

amplification vector. For connectionless LDAP, you have LDAP servers that are exposed as part of

1:22.0

voice over IP gateways. Turns out that a lot of systems that are running SIP also use LDAP for authentication and do not properly protect the LDAP server.

1:34.3

For connectionless LDAP, the queries being used here are about 50 bytes in length, while the reply is close to 3 kilobytes in length, so you certainly have a pretty neat

1:47.0

amplification. And of course, there are thousands, if not tens of thousands, vulnerable systems

1:53.6

out there that can be used as amplifiers. And Juniper released a number of bulletins fixing

2:00.5

various vulnerabilities in Junos.

2:02.8

Some of these vulnerabilities affect open source software that is included in Juniper's operating system.

2:10.6

One of the more interesting vulnerabilities being addressed in this update is atomic fragments.

2:18.2

This is really an issue with the IPv6 specification.

2:22.8

The specification has been amended recently, allowing you to turn off this feature.

2:29.1

The problem arises if a host receives a message that a packet is too large and needs to be fragmented,

2:36.2

but the MTU advertised is less than 120 bytes.

2:41.7

MTUs of less than 1280 bytes are not valid in IPv6,

2:48.4

so operating systems are supposed to send atomic fragments, which are really complete

2:54.1

packets that include a fragment header. Since this required behavior has led to potential denial

...
