Re: Spoofed scans

From: Richard Arends (richardat_private)
Date: Mon Jan 07 2002 - 05:11:59 PST


    On Sun, 6 Jan 2002, Crist J. Clark wrote:
    
    > How do you know these are spoofed? A lot of (rather silly) load
    > balancing software fits this signature.
    
    I suspect it, because it doesn't look like something a device or piece of
    software would do, and nothing listens on port 53.
    
    > Do the TTLs on the packets look "correct?" That is, if you traceroute
    > back to the sources, do you see the same (or very close) number of
    > hops? If all the packets have the same TTL, yes, they are probably
    > spoofed from one machine.
    
    There's a little difference in the TTLs.
    
    > If most of the TTLs don't agree with the actual number of hops, it is
    > probably spoofed from one machine, but the spoofing software
    > randomizes the initial TTL.
    
    I didn't traceroute all the IPs, but the IPs I traced almost
    matched the TTL.
    
    > If most or all of the TTLs look good, they probably are not spoofed.
    
    Hmm. It has happened often over the last couple of weeks from different IPs.
    
    Greetings,
    
    Richard.
    
    ----
    An OS is like Swiss cheese: the bigger it is, the more holes you get!
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
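The TTL check discussed in the thread above, written out as an added example that is not part of the original messages: it bins each observed TTL to the smallest common initial TTL at or above it, compares the implied hop count with the hop count a traceroute back to that source reported, and treats a batch whose packets all carry the same TTL as probably coming from one machine. The source addresses, TTL values and traceroute hop counts are constructed sample data, and the initial-TTL table (32, 64, 128, 255) is an assumption about common OS defaults.

```python
"""TTL-consistency check for suspected spoofed scans.

Added example, not code from the original thread. The packet records and the
traceroute hop counts below are constructed sample data; INITIAL_TTLS holds
the usual OS default initial TTLs (an assumption, not something from the post).
"""

INITIAL_TTLS = (32, 64, 128, 255)

# Verdict labels returned by assess_spoofing()
IDENTICAL = "likely spoofed: all packets carry the same TTL"
DISAGREE = "likely spoofed: most TTLs disagree with traced hop counts"
CONSISTENT = "probably not spoofed: TTLs agree with traced hop counts"
UNKNOWN = "undetermined: no traceroute data for these sources"


def implied_hops(observed_ttl):
    """Estimate hops travelled by assuming the sender started from the smallest
    common initial TTL that is >= the observed value. This is a heuristic: a
    sender more than 32 hops away is binned against the wrong initial TTL."""
    for start in INITIAL_TTLS:
        if observed_ttl <= start:
            return start - observed_ttl
    raise ValueError("TTL out of range: %r" % (observed_ttl,))


def assess_spoofing(packets, traced_hops, tolerance=2):
    """packets: list of (src_ip, ttl) as seen on the wire.
    traced_hops: {src_ip: hop count from a traceroute back to that source}.
    Returns (verdict, per_ip), where per_ip maps ip -> (implied, traced, agrees).
    """
    ttls = [ttl for _, ttl in packets]
    if len(packets) > 1 and len(set(ttls)) == 1:
        return IDENTICAL, {}  # one spoofing host, one fixed initial TTL
    per_ip = {}
    agree = disagree = 0
    for ip, ttl in packets:
        traced = traced_hops.get(ip)
        if traced is None:
            continue  # not every source was traced; skip those
        implied = implied_hops(ttl)
        ok = abs(implied - traced) <= tolerance
        per_ip[ip] = (implied, traced, ok)
        if ok:
            agree += 1
        else:
            disagree += 1
    if agree + disagree == 0:
        return UNKNOWN, per_ip
    if disagree > agree:
        return DISAGREE, per_ip  # randomised initial TTLs from one machine
    return CONSISTENT, per_ip


# Constructed samples using documentation address ranges, not real scan sources
SAME_TTL_SCAN = [("198.51.100.1", 240), ("198.51.100.2", 240), ("198.51.100.3", 240)]
CONSISTENT_SCAN = [("203.0.113.5", 52), ("203.0.113.9", 115), ("203.0.113.20", 243)]
RANDOM_TTL_SCAN = [("192.0.2.7", 30), ("192.0.2.8", 200), ("192.0.2.9", 60)]
TRACED = {"203.0.113.5": 11, "203.0.113.9": 14, "203.0.113.20": 12,
          "192.0.2.7": 15, "192.0.2.8": 9, "192.0.2.9": 4}

if __name__ == "__main__":
    for name, scan in (("same-ttl", SAME_TTL_SCAN),
                       ("consistent", CONSISTENT_SCAN),
                       ("random-ttl", RANDOM_TTL_SCAN)):
        verdict, detail = assess_spoofing(scan, TRACED)
        print(name, "->", verdict, detail)
```

The tolerance of two hops absorbs the small TTL differences Richard mentions, since routes seen from the target and from a traceroute back to the source rarely match exactly; the identical-TTL test runs first because it needs no traceroute data at all.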
    



    This archive was generated by hypermail 2b30 : Mon Jan 07 2002 - 08:29:00 PST