Re: Spoofed scans

From: James (jameshat_private)
Date: Sun Jan 06 2002 - 17:30:15 PST


    Yea, and MAC addresses could be changed, too. Would not RARP resolve MAC to
    IP?
    
    Unique or not, they were in the case I just worked on, though it was a local
    spoofing event. MAC address matched one in the router ARP cache, which gave
    IP. Access records confirmed this person was on every time the spoofing took
    place. Not to mention when he/she called and asked why their account did not
    work, I just said "You're spoofing" and I have not heard a word since.
    
    In this case the MAC address was not the only piece of evidence, but it did
    select 1 user from 10,000.
    
    I'll be interested to see what others say. I am seeing spoofing again, but
    it is not local.
    
    ----- Original Message -----
    From: "Philip Wagenaar" <PB.Wagenaarat_private>
    To: "'James'" <jameshat_private>; <incidentsat_private>
    Sent: Sunday, January 06, 2002 6:04 PM
    Subject: RE: Spoofed scans
    
    
    > Do you mean get the MAC address? If so, MAC addresses aren't unique
    > anymore, and how could you look up what MAC address belongs to what IP?
    >
    > Philip Wagenaar
    >
    > > -----Original Message-----
    > > From: James [mailto:jameshat_private]
    > > Sent: Monday 7 January 2002 1:47
    > > To: incidentsat_private
    > > Subject: Re: Spoofed scans
    > >
    > >
    > > Capture the data link layer and get the hardware address.
    > > Perhaps this will indicate the true IP.
    > >
    > >
    > > "Ask the plants of the earth and they will teach you." Job 12:8
    > >
    > > ----- Original Message -----
    > > From: "Richard Arends" <richardat_private>
    > > To: <incidentsat_private>
    > > Sent: Sunday, January 06, 2002 4:41 AM
    > > Subject: Spoofed scans
    > >
    > >
    > > > Hello,
    > > >
    > > > Last couple of weeks I'm getting more and more spoofed scans on my
    > > > firewall. All scans are ICMP or port 53 (domain). Mostly 'they' first
    > > > send a few ICMP packets and then a scan for port 53 trying to do a
    > > > reverse lookup for my IP.
    > > >
    > > > Are others seeing this type of scan, and is there a way to
    > > > subtract the real scanner (IP) from the list of IPs?
    > > >
    > > > Greetings,
    > > >
    > > > Richard.
    > > >
    > > > ----
    > > > An OS is like swiss cheese, the bigger it is, the more
    > > > holes you get!
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
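The correlation James describes (source MAC from the captured frames matched against the router's ARP cache, then resolved to the host that really sent the traffic) as an added example; this is not code from the original thread, and the ARP table layout, addresses and frame tuples are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of a router ARP table (show-ip-arp-like columns: IP, age, MAC, interface).
ARP_CACHE_TEXT = """\
Internet  10.0.5.17   12   0000.0c11.aa01  ARPA  Vlan5
Internet  10.0.5.42    3   0000.0c11.bb02  ARPA  Vlan5
Internet  10.0.5.99    0   0000.0c11.cc03  ARPA  Vlan5
"""

# Constructed sample of frames captured on the local segment:
# (source MAC from the Ethernet header, source IP from the IP header, protocol).
FRAMES = [
    ("0000.0c11.aa01", "10.0.5.17", "ICMP"),
    ("0000.0c11.bb02", "192.0.2.77", "ICMP"),      # IP header claims an address this host does not own
    ("0000.0c11.bb02", "198.51.100.9", "UDP/53"),  # same host, another forged source
    ("0000.0c11.cc03", "10.0.5.99", "UDP/53"),
    ("0000.0c11.dd04", "10.0.5.200", "ICMP"),      # MAC the router has never seen
]

@dataclass
class Finding:
    mac: str
    claimed_ip: str
    real_ip: Optional[str]  # None when the MAC is not in the ARP cache
    proto: str

def parse_arp_cache(text: str) -> Dict[str, str]:
    """Map each MAC in the ARP table to the IP the router actually knows it by."""
    cache = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "Internet":
            cache[fields[3].lower()] = fields[1]
    return cache

def find_spoofed(frames: List[Tuple[str, str, str]], arp_cache: Dict[str, str]) -> List[Finding]:
    """Flag frames whose IP source disagrees with the ARP binding for their MAC.
    MACs can be forged too, so a hit is a lead to confirm against access records."""
    return [Finding(mac, ip, arp_cache.get(mac.lower()), proto)
            for mac, ip, proto in frames if arp_cache.get(mac.lower()) != ip]

def suspects(findings: List[Finding]) -> Dict[str, int]:
    """Count flagged frames per resolved local host (the '1 user from 10,000' step)."""
    counts: Dict[str, int] = {}
    for f in findings:
        key = f.real_ip or f"unknown MAC {f.mac}"
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Running `suspects(find_spoofed(FRAMES, parse_arp_cache(ARP_CACHE_TEXT)))` attributes both forged-source frames to 10.0.5.42 and leaves the unknown MAC as a separate lead.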
    



    This archive was generated by hypermail 2b30 : Mon Jan 07 2002 - 08:27:24 PST