Re: Spoofed scans

From: James (jameshat_private)
Date: Sun Jan 06 2002 - 16:47:07 PST

  • Next message: Philip Wagenaar: "RE: Spoofed scans"

    Capture the data link layer and get the hardware address. Perhaps this will
    indicate the true IP.
    
    
    "Ask the plants of the earth and they will teach you." Job 12:8
    
    ----- Original Message -----
    From: "Richard Arends" <richardat_private>
    To: <incidentsat_private>
    Sent: Sunday, January 06, 2002 4:41 AM
    Subject: Spoofed scans
    
    
    > Hello,
    >
    > Last couple of weeks i'm getting more and more spoofed scans on my
    > firewall. All scans are icmp or port 53 (domain). Mostly 'they' first send
    > a few icmp packets and then a scan for port 53 trying to do a reverse
    > lookup for my ip.
    >
    > Are there more seeing this type off scans and is there a way to substract
    > the real scanner (ip) from the list ip's ???
    >
    > Greetings,
    >
    > Richard.
    >
    > ----
    > An OS is like swiss cheese, the bigger it is, the more holes you get!
    >
    >
    > --------------------------------------------------------------------------
    --
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sun Jan 06 2002 - 16:50:35 PST