On Sun, 6 Jan 2002, Crist J. Clark wrote:

> How do you know these are spoofed? A lot of (rather silly) load
> balancing software fits this signature.

I suspect it, because it doesn't look like something a device or piece of software would do, and nothing listens on port 53.

> Do the TTLs on the packets look "correct?" That is, if you traceroute
> back to the sources, do you see the same (or very close) number of
> hops? If all the packets have the same TTL, yes, they are probably
> spoofed from one machine.

There's a little difference in the TTLs.

> If most of the TTLs don't agree with the actual number of hops, it is
> probably spoofed from one machine, but the spoofing software
> randomizes the initial TTL.

I didn't traceroute all the IPs, but the IPs I traced were almost matching the TTL.

> If most or all of the TTLs look good, they probably are not spoofed.

Hmm. It has happened often in the last couple of weeks, from different IPs.

Greetings,
Richard.

----
An OS is like swiss cheese, the bigger it is, the more holes you get!
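The TTL check from the quoted advice, written out as an added example that is not part of the original thread. The list of common initial TTLs, the two-hop tolerance, the three-sample minimum and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
# Added example: triage of suspect packets by comparing received TTLs
# with traceroute hop counts. All sample data below is constructed.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # typical OS defaults (assumption)


def inferred_hops(observed_ttl):
    """Hops implied by a received TTL, taking the nearest common initial TTL at or above it."""
    for initial in COMMON_INITIAL_TTLS:
        if 0 <= observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError(f"invalid TTL {observed_ttl}")


def triage(samples, tolerance=2, majority=0.5):
    """samples: list of (source_ip, observed_ttl, traceroute_hops) tuples."""
    if len(samples) < 3:
        return "insufficient data"
    sources = {ip for ip, _, _ in samples}
    ttls = {ttl for _, ttl, _ in samples}
    # Many claimed sources, one TTL value: a single sender with a fixed TTL.
    if len(sources) > 1 and len(ttls) == 1:
        return "probably spoofed from one machine (identical TTL)"
    # "Same (or very close) number of hops": allow for asymmetric routes.
    matches = sum(
        1 for _, ttl, hops in samples
        if abs(inferred_hops(ttl) - hops) <= tolerance
    )
    if matches / len(samples) > majority:
        return "probably not spoofed (TTLs agree with hop counts)"
    return "probably spoofed, initial TTL randomized"


# Constructed samples: (claimed source, TTL seen on arrival, hops from traceroute)
GENUINE = [("192.0.2.10", 52, 12), ("198.51.100.7", 113, 16), ("203.0.113.5", 241, 13)]
FIXED_TTL = [("192.0.2.10", 120, 12), ("198.51.100.7", 120, 16), ("203.0.113.5", 120, 13)]
RANDOM_TTL = [("192.0.2.10", 97, 12), ("198.51.100.7", 23, 16), ("203.0.113.5", 200, 13)]

if __name__ == "__main__":
    for name, data in (("genuine", GENUINE), ("fixed", FIXED_TTL), ("random", RANDOM_TTL)):
        print(f"{name:8s} {triage(data)}")
```

Tracing only some of the sources, as in the reply above, shrinks the sample, so the verdict is a hint for further investigation rather than proof.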
This archive was generated by hypermail 2b30 : Mon Jan 07 2002 - 08:29:00 PST