network – How to Prevent Attacker from Abusing IPv4-embedded IPv6 to Bypass Security Mechanism?

Section 5.3 of RFC 6052 explains how an attacker could abuse the NAT64 translation mechanism to bypass security mechanisms such as a firewall or IDS/IPS if those devices only have an IPv4 blacklist. The mitigation is to convert the IPv4-embedded IPv6 address to IPv4 and then compare it with the IPv4 blacklist.

My question is how to implement the converting and comparing mechanism in network security devices? Does any vendor already support such mechanism?
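As an added example (not part of the question, and not any vendor's implementation), here is the conversion-and-compare step in Python. It recovers the embedded IPv4 address for each prefix length RFC 6052 section 2.2 allows (32, 40, 48, 56, 64 and 96 bits, with the reserved "u" octet at bits 64-71), then applies an ordinary IPv4 blacklist to the result. The Well-Known Prefix 64:ff9b::/96 is from RFC 6052; the Network-Specific Prefix 2001:db8::/32 and the blacklist entry 192.0.2.0/24 are assumed values for illustration, and a real device would take both from its NAT64 and policy configuration.

```python
import ipaddress
from typing import Iterable, Optional

# RFC 6052 Well-Known Prefix. The Network-Specific Prefix 2001:db8::/32 below is an
# assumed value taken from RFC 6052's own examples; a real device would load its
# NAT64 prefixes from configuration.
WELL_KNOWN_PREFIX = ipaddress.ip_network("64:ff9b::/96")
NAT64_PREFIXES = [WELL_KNOWN_PREFIX, ipaddress.ip_network("2001:db8::/32")]
# Constructed IPv4 blacklist for the example.
IPV4_BLACKLIST = [ipaddress.ip_network("192.0.2.0/24")]


def embedded_ipv4(addr: ipaddress.IPv6Address,
                  prefix: ipaddress.IPv6Network) -> Optional[ipaddress.IPv4Address]:
    """Recover the IPv4 address embedded in `addr` under the NAT64 `prefix`,
    following the bit layouts of RFC 6052 section 2.2. Returns None when the
    address is outside the prefix, the prefix length is not one RFC 6052
    defines, or the reserved 'u' octet (bits 64-71) is non-zero."""
    if addr not in prefix:
        return None
    a = int(addr)            # 128-bit integer; RFC bit 0 is the most significant bit
    pl = prefix.prefixlen
    if pl == 96:
        v4 = a & 0xFFFFFFFF                                         # bits 96-127
    else:
        if (a >> 56) & 0xFF:                                        # bits 64-71 must be 0
            return None
        if pl == 32:
            v4 = (a >> 64) & 0xFFFFFFFF                             # bits 32-63
        elif pl == 40:
            v4 = (((a >> 64) & 0xFFFFFF) << 8) | ((a >> 48) & 0xFF)     # 40-63 + 72-79
        elif pl == 48:
            v4 = (((a >> 64) & 0xFFFF) << 16) | ((a >> 40) & 0xFFFF)    # 48-63 + 72-87
        elif pl == 56:
            v4 = (((a >> 64) & 0xFF) << 24) | ((a >> 32) & 0xFFFFFF)    # 56-63 + 72-95
        elif pl == 64:
            v4 = (a >> 24) & 0xFFFFFFFF                             # bits 72-103
        else:
            return None
    return ipaddress.IPv4Address(v4)


def embedded_ipv4_str(addr: str, prefix: str) -> Optional[str]:
    """String convenience wrapper around embedded_ipv4()."""
    v4 = embedded_ipv4(ipaddress.IPv6Address(addr), ipaddress.ip_network(prefix))
    return None if v4 is None else str(v4)


def is_blocked(addr_str: str,
               v4_blacklist: Iterable[ipaddress.IPv4Network] = IPV4_BLACKLIST,
               nat64_prefixes: Iterable[ipaddress.IPv6Network] = NAT64_PREFIXES) -> bool:
    """Apply an IPv4 blacklist to traffic of either family. Native IPv4 is checked
    directly; an IPv6 address is first mapped back to IPv4 if it sits in one of the
    configured NAT64 prefixes, so 64:ff9b::192.0.2.33 is judged as 192.0.2.33."""
    addr = ipaddress.ip_address(addr_str)
    if addr.version == 6:
        for prefix in nat64_prefixes:
            v4 = embedded_ipv4(addr, prefix)
            if v4 is not None:
                addr = v4
                break
        else:
            return False      # plain IPv6 source: an IPv4 blacklist has nothing to say
    return any(addr in net for net in v4_blacklist)


if __name__ == "__main__":
    for src in ("192.0.2.33", "64:ff9b::192.0.2.33", "2001:db8:c000:221::", "2001:db8::1"):
        print(f"{src:28} blocked={is_blocked(src)}")
```

The check has to run wherever the device sees the IPv6 side of the translator; on the IPv4 side the NAT64 has already rewritten the source and the plain blacklist works unchanged.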

server – Does BYOB Botnet work when target and attacker are on different networks?

I know that to start the BYOB server you need to put

python server.py --host PRIVATEIPADDRESS --port 8080

But after --host I put the private IP address; won't that fail to work if the attacker and target are on different networks, since a private IP is used?
I have tried using the public IP instead, but that doesn't work.

Attacker Changing Address to Receive Block Reward

A miner creates a block B which contains address α, on which he wants to receive his rewards. An attacker changes block B, such that instead of α it defines a new address α’, which is controlled by the attacker. Will the attacker receive the rewards that the miner tries to claim and why (or why not)?

My idea was that first of all the attacker would have to redo the proof-of-work. Therefore it is unlikely that their blockchain would be the longest. However, is there any way that the attack could go through other than solving the proof-of-work faster than the rest of miners? What if the attacker changes the most recent block? Could the block then be on the longest chain?

I have also read that the Block Reward in a stale block is no longer spendable on the difficultywise-longest and well-formed blockchain; therefore whoever mined that block does not actually get the reward (or the transaction fees). So if the attacker’s changed block becomes a stale block, does this mean the reward cannot be claimed by the original miner or the attacker?
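An added example, not from the question, showing in Python why the attacker has to redo the proof-of-work: the payout address lives in the coinbase transaction, the coinbase txid feeds the Merkle root, and the root sits in the block header that the proof-of-work commits to, so swapping α for α' changes the header hash. The transaction and header serialisation here is a constructed toy (not Bitcoin's wire format) with a tiny difficulty so the nonce search finishes quickly; the strings `alpha` and `alpha_prime` stand in for the addresses α and α'.

```python
import hashlib
import struct
from typing import Dict, List

# Toy difficulty: a hash below this target needs about 2^18 attempts. Bitcoin's
# real target is astronomically lower; this value is chosen so the example runs fast.
TARGET = 1 << (256 - 18)


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(txids: List[bytes]) -> bytes:
    """Bitcoin-style Merkle root: hash pairs level by level, duplicating the last
    entry of an odd-sized level. Every txid, including the coinbase, feeds the root."""
    if not txids:
        raise ValueError("a block has at least the coinbase transaction")
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def coinbase_tx(reward_address: str, height: int) -> bytes:
    """Constructed toy serialisation (not Bitcoin's real transaction format). The
    point is only that the payout address is part of the bytes that get hashed."""
    return b"coinbase" + struct.pack("<I", height) + reward_address.encode()


def block_header(prev_hash: bytes, root: bytes, timestamp: int, nonce: int) -> bytes:
    """Simplified header: version, previous block hash, Merkle root, time, nonce
    (Bitcoin's 'bits' field is left out; TARGET plays its role)."""
    return struct.pack("<I", 1) + prev_hash + root + struct.pack("<II", timestamp, nonce)


def pow_valid(header: bytes) -> bool:
    """Proof-of-work check: the header hash, read as a little-endian integer, is below target."""
    return int.from_bytes(sha256d(header), "little") < TARGET


def mine(prev_hash: bytes, root: bytes, timestamp: int) -> int:
    """Grind nonces until the header meets the target; return the winning nonce."""
    nonce = 0
    while not pow_valid(block_header(prev_hash, root, timestamp, nonce)):
        nonce += 1
    return nonce


def demo() -> Dict[str, object]:
    prev_hash = sha256d(b"previous block")              # constructed stand-in
    other_txids = [sha256d(b"tx1"), sha256d(b"tx2")]    # constructed stand-ins
    height, timestamp = 100, 1_700_000_000

    # The honest miner builds block B paying to alpha and finds a valid nonce.
    honest_root = merkle_root([sha256d(coinbase_tx("alpha", height))] + other_txids)
    nonce = mine(prev_hash, honest_root, timestamp)
    honest_header = block_header(prev_hash, honest_root, timestamp, nonce)

    # The attacker keeps everything, including the found nonce, and only swaps the
    # payout to alpha'. The coinbase txid changes, so the root and the header change.
    tampered_root = merkle_root([sha256d(coinbase_tx("alpha_prime", height))] + other_txids)
    tampered_header = block_header(prev_hash, tampered_root, timestamp, nonce)

    return {
        "nonce": nonce,
        "honest_root": honest_root,
        "honest_valid": pow_valid(honest_header),
        "tampered_root": tampered_root,
        "tampered_valid": pow_valid(tampered_header),   # False: the PoW must be redone
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value.hex() if isinstance(value, bytes) else value)
```

The tampered header fails the target check with probability 1 - 2^-18 here and, at real difficulty, with overwhelming probability, which is why the attacker ends up in the same position as any other miner competing for that block.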

transactions – double spend the mempool to outbid an attacker

If I spend some input in a tx and a few seconds later spend the same input, together with other inputs, in another tx with higher fees, and the first tx is still in the mempool, would the 2nd tx replace the first one?

With a hot wallet I can receive a notification on my phone every time an input is spent, and if I reply to the notification (somehow the wallet has been compromised) then I could broadcast a signed tx with all my inputs to another address I control with higher fees. Could I potentially outbid the hacker and save the wallet?
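Added example (not from the question): a simplified model of the BIP 125 replacement rules that Bitcoin Core's mempool policy applies when the second transaction arrives, run over a constructed thief-versus-owner scenario. Descendant transactions are not modelled (assumption: the conflicting transaction has none), and `full_rbf` stands for a node running with full RBF enabled (Bitcoin Core's `mempoolfullrbf` option), which drops the signalling requirement of rule 1. The transaction objects, fees and sizes are made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

SEQ_FINAL = 0xFFFFFFFF          # nSequence values >= 0xFFFFFFFE do not signal BIP 125
SEQ_RBF_MAX = 0xFFFFFFFE
INCREMENTAL_RELAY_FEE = 1       # sat/vB; Bitcoin Core's default incrementalrelayfee
MAX_EVICTIONS = 100             # BIP 125 rule 5


@dataclass
class Tx:
    txid: str
    inputs: List[Tuple[str, int]]   # outpoints (txid, vout) this tx spends
    sequences: List[int]            # nSequence per input
    fee: int                        # satoshis
    vsize: int                      # virtual bytes

    def feerate(self) -> float:
        return self.fee / self.vsize

    def signals_rbf(self) -> bool:
        return any(seq < SEQ_RBF_MAX for seq in self.sequences)


def conflicts(pool: Dict[str, Tx], cand: Tx) -> List[Tx]:
    """Mempool transactions spending at least one of the same outpoints as `cand`."""
    spent = set(cand.inputs)
    return [t for t in pool.values() if spent & set(t.inputs)]


def can_replace(pool: Dict[str, Tx], cand: Tx, full_rbf: bool = False) -> Tuple[bool, str]:
    """Simplified BIP 125 replacement check. Assumption: the conflicting transactions
    have no descendants in the mempool, so their own fees are the whole eviction cost."""
    olds = conflicts(pool, cand)
    if not olds:
        return True, "no conflict: accepted as an ordinary transaction"
    if not full_rbf and not all(t.signals_rbf() for t in olds):
        return False, "rule 1: original does not signal replaceability"
    if len(olds) > MAX_EVICTIONS:
        return False, "rule 5: replacement would evict too many transactions"
    old_inputs = {op for t in olds for op in t.inputs}
    for txid, vout in cand.inputs:                                  # rule 2
        if (txid, vout) not in old_inputs and txid in pool:
            return False, "rule 2: replacement adds a new unconfirmed input"
    old_fees = sum(t.fee for t in olds)
    if cand.fee < old_fees:                                         # rule 3
        return False, "rule 3: replacement pays less absolute fee than it evicts"
    if cand.fee - old_fees < INCREMENTAL_RELAY_FEE * cand.vsize:    # rule 4
        return False, "rule 4: fee increase does not pay for the replacement's own relay"
    if any(cand.feerate() <= t.feerate() for t in olds):           # rule 6
        return False, "rule 6: replacement feerate is not higher than the original's"
    return True, "replacement accepted"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: a thief's transaction spends outpoint (fund, 0) from the
    compromised wallet; the owner answers with a higher-fee sweep of (fund, 0) and
    (fund, 1) to an address only they control."""
    sweep = Tx("sweep", [("fund", 0), ("fund", 1)], [SEQ_RBF_MAX - 1] * 2, fee=10_000, vsize=300)
    thief_final = Tx("thief", [("fund", 0)], [SEQ_FINAL], fee=2_000, vsize=200)
    thief_signal = Tx("thief", [("fund", 0)], [SEQ_RBF_MAX - 1], fee=2_000, vsize=200)
    cheap_sweep = Tx("cheap", [("fund", 0), ("fund", 1)], [SEQ_RBF_MAX - 1] * 2, fee=2_200, vsize=300)
    return {
        "thief_opt_out_default": can_replace({"thief": thief_final}, sweep),
        "thief_opt_out_full_rbf": can_replace({"thief": thief_final}, sweep, full_rbf=True),
        "thief_signals": can_replace({"thief": thief_signal}, sweep),
        "sweep_fee_too_low": can_replace({"thief": thief_signal}, cheap_sweep),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:24} {'REPLACES' if ok else 'rejected'}: {why}")
```

The scenario makes the dependency visible: whether the owner's sweep displaces the thief's transaction turns on the thief's nSequence choice and on the policy of the nodes that relay and mine, not only on who pays more.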

Does an attacker need to guess or brute-force a password for TCP spoofing?

From my understanding, TCP spoofing can be carried out if the attacker can correctly guess the sequence numbers from the response packets (to mimic the real client). The attacker may even obtain these sequence numbers via sniffing. Furthermore, a trusted connection must already exist between the target client and the server in order for the attacker to intercept/spoof.

However, I was a bit unclear as to whether the attacker would need to gain initial access to the system or network (by guessing or brute-forcing their password). In order to send the sequence numbers from response packets to the server, does the attacker need to have access to it? I am not sure whether this attacker can just send the SYN packets to the server without any access to the system/network. My concept of these things is a bit blurry right now and I would greatly appreciate some advice.

Thank you!

iptables – Attacker using “single use IPs” to generate large volumes of robotic traffic that is hard to block

Currently there is some weird traffic on an HTTP server from lots of different IPs. I tried checking against known Tor exit nodes, but there were no matches.

They tend to be from countries in South America and Africa. However, none of the IPs are the same. So I’m not sure how the attacker is able to use so many different IPs, each IP only one time.

Does anyone know how an attacker might be able to get “single use IPs”? Perhaps they are from some sort of rented botnet? If so, is there an easy way I can check these IPs against a list of known threat IPs?

Any help would be greatly appreciated.
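As an added example (not from the question), a Python script that parses combined-format access log lines, groups the distinct client IPs by /24 to show whether the "single-use" addresses cluster in a few netblocks, checks them against a CIDR threat list, and emits the ipset/iptables commands that block the matching networks with one rule. The log lines and the threat list are constructed for the example; a real feed downloaded as a CIDR list would replace `THREAT_FEED`.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample in combined log format; not the poster's real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.44 - - [10/Oct/2023:13:55:38 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:39 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.200 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/8.0"
"""

# Constructed threat list in CIDR form, standing in for a downloaded feed.
THREAT_FEED = ["203.0.113.0/24", "198.51.100.0/25"]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_ips(lines: Iterable[str]) -> List[ipaddress.IPv4Address]:
    """Client addresses from combined-format lines; unparseable lines are skipped."""
    ips = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ips.append(ipaddress.IPv4Address(m.group("ip")))
        except ValueError:
            continue          # IPv6 or garbage in the client field
    return ips


def group_by_prefix(ips: Iterable[ipaddress.IPv4Address], prefixlen: int = 24) -> Counter:
    """Distinct client IPs per /prefixlen. Addresses that are never reused but pile up
    in a few netblocks usually belong to one provider's pool (proxy network, hosting
    range), which is the thing to block or rate-limit rather than single hosts."""
    counts: Counter = Counter()
    for ip in set(ips):
        counts[str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))] += 1
    return counts


def match_feed(ips: Iterable[ipaddress.IPv4Address], feed_cidrs: Iterable[str]) -> Dict[str, str]:
    """Map each client IP that falls inside a feed entry to that entry."""
    nets = [ipaddress.ip_network(c) for c in feed_cidrs]
    hits: Dict[str, str] = {}
    for ip in set(ips):
        for net in nets:
            if ip in net:
                hits[str(ip)] = str(net)
                break
    return hits


def ipset_commands(setname: str, cidrs: Iterable[str]) -> List[str]:
    """Shell commands to load the networks into an ipset and drop matching sources.
    A hash:net set lets one iptables rule cover thousands of networks, and -exist
    makes the commands safe to re-run when the feed is refreshed."""
    cmds = [f"ipset create {setname} hash:net -exist"]
    cmds += [f"ipset add {setname} {c} -exist" for c in sorted(set(cidrs))]
    cmds.append(f"iptables -I INPUT -m set --match-set {setname} src -j DROP")
    return cmds


if __name__ == "__main__":
    ips = parse_ips(SAMPLE_LOG.splitlines())
    print("distinct IPs per /24:", group_by_prefix(ips).most_common())
    print("threat-feed hits:", match_feed(ips, THREAT_FEED))
    print("\n".join(ipset_commands("badnets", THREAT_FEED)))
```

Blocking whole netblocks from a feed will also drop legitimate users inside those ranges, so for a public HTTP server a rate limit or a challenge on the abused paths is the usual companion to the drop rule.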

dnd 5e – When the Shield of Missile Attraction changes the target of an attack, does the attacker have to make a new attack roll?

As you suspect, the curse of the Shield of Missile Attraction only changes the target, so only one attack roll is made by the attacker.

Whenever a ranged weapon attack is made against a target within 10 feet of you, the curse causes you to become the target instead.

The attack has already been made, and the 16 is now against Thurin’s AC, which in your example would cause it to miss. From the rules on combat (PHB, page 194):

If there’s ever any question whether something you’re doing counts as an attack, the rule is simple: if you’re making an attack roll, you’re making an attack.

Reverse shell from backdoor – exposing attacker? [duplicate]

If an attacker successfully installed a backdoor that connects to his computer via a reverse shell, how can the attacker hide his IP address?

I’d guess he can’t use Tor or a VPN, because packet forwarding would be quite impossible (is that correct?). Maybe he can use a different bought or hacked server as a proxy? How would he achieve that?

How can the attacker stay anonymous?

network – What happens when an attacker scans an IP that is used by multiple devices?

Assuming the ISP gives only 1 external IP and you have a few devices that use this IP. So you will have a router and a few PCs with the same external IP and different local IPs. When all PCs are online and one of them is vulnerable to EternalBlue, BlueKeep or something else, and the attacker scans the external IP, will he see that the IP is vulnerable even if only one PC is vulnerable, or will it scan only the router IP? Or will it scan only one device that has this IP?

ransomware – How does releasing exfiltrated data increase the chances of an attacker getting caught?

I’m reading an article from the Institute for Applied Network Security (IANS) titled “Ransomware 2.0: What It Is and What To Do About It”, and there’s a piece I don’t understand. The article requires a subscription, but here’s the excerpt (emphasis mine):

(Attackers) typically threaten to release confidential data to the internet or dark web if the victim refuses to pay. This extortion tactic is fairly new and it is unclear whether it will become more prevalent. If it does, it is uncertain whether attackers will release the data they’ve exfiltrated (and even how much data they’ve exfiltrated in the first place). Obviously, the more data an attacker exfiltrates, the higher they raise their profile and the more likely they are to be caught before the encryption phase. Therefore, unlike attackers motivated by IP theft, Ransomware 2.0 attackers have an incentive to minimize their data exfiltration.

Why would attackers not follow through with the threat of releasing this data? Does exfiltrating more data give forensic scientists, network admins, and the like better insight into the anomalous and malicious behavior–and shouldn’t attackers sufficiently cover their tracks? If not, how is the attacker profile increased with the volume of exfiltrated data published?