An interesting vulnerability... Sorry this is a tad off-topic.
John Young
jya at pipeline.com
Mon, 25 Mar 2002 12:22:31 -0800
Ah, yes, this is called the inside the intranet ethernet attack. Your
own network is hammering your firewall from inside the protective
moat. Probably from net address 0,0,0,0.

Our cable modem does that too, gangs up with ethernet on
Zone Alarm, hits the protecting wall from front and back.

For those of you not blessed with a cable modem which needs
to serve an intranet, the setup is to cable it into your network router, which
in turn makes the cable accessible from machines on the net.
Some cable modems come with a built-in firewall, as does ours.

Zone Alarm sitting on an individual box, say, gets hits from the
net router which is keeping the cable link available to all networked
machines. When any of the networked machines refreshes its
link to the net router, Zone Alarm reads that as a probe from the
outside due to the shared cable hookup.

I'm told that this is a vulnerability within the network, but if you
have a firewall on the cable modem it should not be an outside
vulnerability.

Cable modems, though, have umpteen other vulnerabilities, which,
once you get addicted to the speed of accessing gigantic, worthless
files, you couldn't care less about.

What you do is rig an automatic spider to go out onto the Web to
get everything, completely load your incoming sewer and thereby
prevent any intrusion. But don't stop gulping or one of the
monstrous bots will suck your overflowing cesspool dry.

At 10:59 AM 3/25/2002 +0000, you wrote:
>Noticing some traffic on the cable modem at a time when none was
>expected, I hit the cable modem's standby button, and loaded Zone
>Alarm outside my firewall to see what was going on.
>
>When it came up, Zone Alarm immediately reported a few incoming probes.
>
>I opened a box to ping -a and backtrack the source, and the ping
>failed....
>
>At which point I noticed that the cable modem was still on standby.
>
>Muttering evil thoughts about Zone Labs, and mentally accusing them of
>fake alerts for PR purposes, I leaned over to turn the cable modem back
>on, and happened to see reflected the light from the rear-panel
>ethernet connection from the modem to the system. And it flashed.
>And Zone Alarm reported a probe... While the modem was still on
>standby, with all its front panel lights, (including the power
>indicator), out. Muttering apologies to Zone Labs, I watched, and
>saw several other flickers on the cable modem's ethernet port, each
>accompanied by a Zone Alarm alert.
>
>Further experimentation showed that attempts to initiate traffic out
>while the cable modem is in standby are rejected, but that incoming
>probes (and therefore attacks) are permitted - almost exactly the
>opposite of what you might want.
>
>Any thoughts/comments?
>
>## dave ##
>