Only if machine is on their subnet, of course. Otherwise he'll get hardware address of his router. Can you get us more information about those packets ? I'm interested to see what kind of scanning they do. Regards, Bojan Zdrnja > -----Original Message----- > From: James [mailto:jameshat_private] > Sent: 7. siječanj 2002 1:47 > To: incidentsat_private > Subject: Re: Spoofed scans > > > Capture the data link layer and get the hardware address. > Perhaps this will > indicate the true IP. > > > "Ask the plants of the earth and they will teach you." Job 12:8 > > ----- Original Message ----- > From: "Richard Arends" <richardat_private> > To: <incidentsat_private> > Sent: Sunday, January 06, 2002 4:41 AM > Subject: Spoofed scans > > > > Hello, > > > > Last couple of weeks i'm getting more and more spoofed scans on my > > firewall. All scans are icmp or port 53 (domain). Mostly > 'they' first send > > a few icmp packets and then a scan for port 53 trying to do > a reverse > > lookup for my ip. > > > > Are there more seeing this type off scans and is there a > way to substract > > the real scanner (ip) from the list ip's ??? > > > > Greetings, > > > > Richard. > > > > ---- > > An OS is like swiss cheese, the bigger it is, the more > holes you get! > > > > > > > -------------------------------------------------------------- > ------------ > -- > > This list is provided by the SecurityFocus ARIS analyzer service. > > For more information on this free incident handling, management > > and tracking system please see: http://aris.securityfocus.com > > > > > > > -------------------------------------------------------------- > -------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Jan 07 2002 - 08:22:32 PST