RE: Spoofed scans

From: Paul M. Tiedemann (vandpat_private)
Date: Mon Jan 07 2002 - 16:53:08 PST


    A couple of words on spoofing should be mentioned.  Spoofing is almost
    always associated with DoS attacks because the very act of spoofing means
    that they will not be receiving any packets back to their real IP address.
    I know there are ways to use spoofing to obscure the scanning machine, but
    usually one of the IP addresses is the offender.  If you think the process
    through with port scanning, it just doesn't make sense that the originating
    machine would not wish to receive any information about what ports are open
    on your machine.  That being said, I think that if you are actually being
    port scanned, you will find that one of the IP addresses you see is the
    originating machine.
    
    -----Original Message-----
    From: Richard Arends [mailto:richardat_private]
    Sent: Sunday, January 06, 2002 6:41 AM
    To: incidentsat_private
    Subject: Spoofed scans
    
    
    Hello,
    
    Last couple of weeks I'm getting more and more spoofed scans on my
    firewall. All scans are ICMP or port 53 (domain). Mostly 'they' first send
    a few ICMP packets and then a scan for port 53 trying to do a reverse
    lookup for my IP.
    
    Are there more people seeing this type of scan, and is there a way to
    subtract the real scanner (IP) from the list of IPs?
    
    Greetings,
    
    Richard.
    
    ----
    An OS is like swiss cheese, the bigger it is, the more holes you get!
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jan 08 2002 - 08:01:53 PST