Capture the data link layer and get the hardware address. Perhaps this will indicate the true IP. "Ask the plants of the earth and they will teach you." Job 12:8 ----- Original Message ----- From: "Richard Arends" <richardat_private> To: <incidentsat_private> Sent: Sunday, January 06, 2002 4:41 AM Subject: Spoofed scans > Hello, > > Last couple of weeks i'm getting more and more spoofed scans on my > firewall. All scans are icmp or port 53 (domain). Mostly 'they' first send > a few icmp packets and then a scan for port 53 trying to do a reverse > lookup for my ip. > > Are there more seeing this type off scans and is there a way to substract > the real scanner (ip) from the list ip's ??? > > Greetings, > > Richard. > > ---- > An OS is like swiss cheese, the bigger it is, the more holes you get! > > > -------------------------------------------------------------------------- -- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Jan 06 2002 - 16:50:35 PST