Re: Spoofed scans

From: Crist J. Clark (cristjcat_private)
Date: Sun Jan 06 2002 - 22:22:34 PST

    On Sun, Jan 06, 2002 at 12:41:11PM +0100, Richard Arends wrote:
    > Hello,
    > 
    > Last couple of weeks I'm getting more and more spoofed scans on my
    > firewall. All scans are icmp or port 53 (domain). Mostly 'they' first send
    > a few icmp packets and then a scan for port 53 trying to do a reverse
    > lookup for my ip.
    
    How do you know these are spoofed? A lot of (rather silly) load
    balancing software fits this signature.
    
    Do the TTLs on the packets look "correct?" That is, if you traceroute
    back to the sources, do you see the same (or very close) number of
    hops? If all the packets have the same TTL, yes, they are probably
    spoofed from one machine. If most of the TTLs don't agree with the
    actual number of hops, it is probably spoofed from one machine, but
    the spoofing software randomizes the initial TTL. If most or all of
    the TTLs look good, they probably are not spoofed.
    -- 
    "It's always funny until someone gets hurt. Then it's hilarious."
    
    Crist J. Clark                     |     cjclarkat_private
                                       |     cjclarkat_private
    http://people.freebsd.org/~cjc/    |     cjcat_private
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
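The TTL check described in the reply above, as an added worked example (not code from the original post or from its author): given the TTL each packet arrived with and the hop count obtained by tracerouting back to the claimed source, classify a batch of scan packets into the three outcomes the reply names. The script assumes the sender started from one of the common default initial TTLs (32, 64, 128, 255) so that "initial minus observed" gives the hops the packet claims to have crossed, allows a two-hop slack for asymmetric routes (an assumed tolerance), and uses constructed sample data with documentation-range addresses; all of those are assumptions, not facts from the thread.

```python
"""TTL sanity check for suspected spoofed scans.

Compares the TTL each packet arrives with against the hop count measured by
tracerouting back to the claimed source, following the heuristic in the reply:
  - every claimed source arrives with the same TTL   -> one machine, spoofed
  - most TTLs disagree with the real hop count       -> spoofed, randomized TTL
  - most TTLs agree with the real hop count          -> probably not spoofed
"""
from collections import Counter

# Assumption: senders start from one of the usual default initial TTLs.
INITIAL_TTLS = (32, 64, 128, 255)


def implied_hops(observed_ttl):
    """Hops the packet claims to have crossed, taking the smallest common
    initial TTL that is >= the observed value as the sender's starting TTL."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("IPv4 TTL must be in 1..255")
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise AssertionError("unreachable: 255 is the largest initial TTL")


def classify_scan(packets, traceroute_hops, tolerance=2):
    """packets:         list of (claimed_src_ip, observed_ttl) from the firewall log
    traceroute_hops: dict claimed_src_ip -> hops measured tracerouting back to it
                     (missing key = traceroute did not complete)
    tolerance:       hop slack allowed for asymmetric routes (assumed value)

    Returns (verdict, per_source); per_source maps each claimed source to
    (implied_hops, actual_hops, agrees)."""
    if not packets:
        return "undetermined", {}
    sources = {src for src, _ in packets}
    ttls = {ttl for _, ttl in packets}
    # One box forging many source addresses sends every packet down the same
    # path, so they all arrive with one TTL. Only meaningful across several
    # claimed sources: a single honest host also has a single path.
    if len(sources) > 1 and len(ttls) == 1:
        return "spoofed-fixed-ttl", {}

    by_source = {}
    for src, ttl in packets:
        by_source.setdefault(src, []).append(ttl)

    per_source = {}
    for src, seen in by_source.items():
        ttl = Counter(seen).most_common(1)[0][0]  # most frequent TTL per source
        implied = implied_hops(ttl)
        actual = traceroute_hops.get(src)
        agrees = actual is not None and abs(implied - actual) <= tolerance
        per_source[src] = (implied, actual, agrees)

    comparable = [v for v in per_source.values() if v[1] is not None]
    if not comparable:
        return "undetermined", per_source
    agreeing = sum(1 for v in comparable if v[2])
    if agreeing * 2 > len(comparable):  # "most" = strictly more than half
        return "likely-genuine", per_source
    return "spoofed-random-ttl", per_source


# Constructed sample data (documentation-range addresses), not real captures.
SCENARIOS = {
    # one spoofing host: four claimed sources, every packet arrives with TTL 49
    "fixed-ttl": (
        [("198.51.100.7", 49), ("198.51.100.8", 49),
         ("203.0.113.2", 49), ("192.0.2.9", 49)],
        {"198.51.100.7": 12, "198.51.100.8": 9, "203.0.113.2": 15, "192.0.2.9": 20},
    ),
    # spoofer randomizes the initial TTL: none match the traceroute hop counts
    "random-ttl": (
        [("198.51.100.7", 17), ("203.0.113.2", 200), ("192.0.2.9", 90),
         ("198.51.100.8", 3), ("203.0.113.40", 140)],
        {"198.51.100.7": 12, "203.0.113.2": 8, "192.0.2.9": 15,
         "198.51.100.8": 20, "203.0.113.40": 10},
    ),
    # real sources: three of four TTLs agree with the measured hop count
    "genuine": (
        [("198.51.100.7", 52), ("203.0.113.2", 116),
         ("192.0.2.9", 240), ("198.51.100.8", 45)],
        {"198.51.100.7": 12, "203.0.113.2": 13, "192.0.2.9": 14, "198.51.100.8": 10},
    ),
}


def run_scenarios():
    """Verdict for each constructed scenario."""
    return {name: classify_scan(pkts, hops)[0] for name, (pkts, hops) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:11s} -> {verdict}")
```

In practice the TTLs come straight from the firewall log (most packet filters log them) and the hop counts from a traceroute to each claimed source; the heuristic only needs the two numbers per source, not the packet contents.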
    



    This archive was generated by hypermail 2b30 : Mon Jan 07 2002 - 08:47:06 PST