On Sun, Jan 06, 2002 at 12:41:11PM +0100, Richard Arends wrote:
> Hello,
>
> Last couple of weeks I'm getting more and more spoofed scans on my
> firewall. All scans are ICMP or port 53 (domain). Mostly 'they' first send
> a few ICMP packets and then a scan for port 53 trying to do a reverse
> lookup for my IP.

How do you know these are spoofed? A lot of (rather silly) load balancing
software fits this signature.

Do the TTLs on the packets look "correct?" That is, if you traceroute back to
the sources, do you see the same (or very close) number of hops? If all the
packets have the same TTL, yes, they are probably spoofed from one machine.
If most of the TTLs don't agree with the actual number of hops, it is
probably spoofed from one machine, but the spoofing software randomizes the
initial TTL. If most or all of the TTLs look good, they probably are not
spoofed.
--
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark | cjclarkat_private | cjclarkat_private
http://people.freebsd.org/~cjc/ | cjcat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
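The TTL check described in the reply above can be scripted against firewall logs. The following is an added example, not code from the original post or from any tool mentioned in it. It assumes iptables-style log lines carrying SRC= and TTL= fields (the sample lines below are constructed), and a hand-entered table of hop counts obtained by tracerouting back to each claimed source (also constructed). The hop count implied by a received TTL is inferred by guessing the nearest common initial TTL (64, 128 or 255) above the observed value, which is the usual heuristic and an assumption of this script, not something stated in the post. The "all packets share one TTL" rule is only applied when the packets claim more than one source, since a genuine single-host scan naturally shows a constant TTL.

```python
import re

# Constructed iptables-style log lines: a few ICMP echo requests, then probes
# to UDP/53, claiming three different sources but all arriving with TTL=52.
SAMPLE_LOG = """\
Jan  6 11:02:13 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=84 TTL=52 ID=0 PROTO=ICMP TYPE=8 CODE=0
Jan  6 11:02:14 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 ID=0 PROTO=UDP SPT=53 DPT=53
Jan  6 11:02:15 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TTL=52 ID=0 PROTO=ICMP TYPE=8 CODE=0
Jan  6 11:02:16 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TTL=52 ID=0 PROTO=UDP SPT=53 DPT=53
Jan  6 11:02:17 fw kernel: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.5 LEN=84 TTL=52 ID=0 PROTO=ICMP TYPE=8 CODE=0
"""

# Constructed hop counts, as you would read them off "traceroute <src>".
TRACED_HOPS = {"192.0.2.10": 12, "203.0.113.7": 18, "198.51.100.200": 3}

LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+).*?TTL=(?P<ttl>\d+)")
INITIAL_TTLS = (64, 128, 255)  # common OS defaults; an assumption of this heuristic

def parse_log(text):
    """Return [(src, ttl), ...] for every line that carries SRC= and TTL= fields."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            records.append((m.group("src"), int(m.group("ttl"))))
    return records

def infer_hops(ttl):
    """Hops the packet has travelled if the sender started from the nearest
    common initial TTL at or above the observed value."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL cannot exceed 255")

def ttl_agrees(ttl, traced_hops, tolerance=2):
    """True if the implied hop count is within `tolerance` of the traceroute result
    (a hop or two of path asymmetry is normal)."""
    return abs(infer_hops(ttl) - traced_hops) <= tolerance

def classify(records, traced_hops, tolerance=2):
    """Apply the three rules from the post to a batch of (src, ttl) records."""
    if not records:
        return "no data"
    sources = {src for src, _ in records}
    ttls = {ttl for _, ttl in records}
    # Rule 1: many claimed sources, one TTL -> one machine behind all of them.
    if len(sources) > 1 and len(ttls) == 1:
        return "spoofed: one TTL for all claimed sources"
    checked = [(src, ttl) for src, ttl in records if src in traced_hops]
    if not checked:
        return "undetermined: no traceroute data for these sources"
    agree = sum(ttl_agrees(ttl, traced_hops[src], tolerance) for src, ttl in checked)
    # Rule 2: most TTLs disagree with the real hop count -> randomized initial TTL.
    if agree * 2 < len(checked):
        return "spoofed: TTLs disagree with hop counts (randomized initial TTL?)"
    # Rule 3: most or all TTLs look right -> probably genuine sources.
    return "probably not spoofed: TTLs match hop counts"

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, ttl in recs:
        print(f"{src:16} TTL={ttl:3} implied hops={infer_hops(ttl):3} traced={TRACED_HOPS.get(src)}")
    print(classify(recs, TRACED_HOPS))
```

Run it as-is and the sample batch is flagged under the first rule. Feeding `classify()` records such as `("192.0.2.10", 200), ("203.0.113.7", 17), ("198.51.100.200", 99)` against the same hop table triggers the second rule, while `("192.0.2.10", 52), ("203.0.113.7", 110), ("198.51.100.200", 252)` satisfies the third. The initial-TTL guess is the weak point: a host with an unusual default TTL, or a return path much longer than the forward one, will look "wrong" without being spoofed, which is why the rule is phrased as "most" rather than "all" and why a tolerance of a couple of hops is allowed.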
This archive was generated by hypermail 2b30 : Mon Jan 07 2002 - 08:47:06 PST