A couple of words on spoofing should be mentioned. Spoofing is almost always associated with dos attacks because the very act of spoofing means that they will not be receiving any packets back to their real ip address. I know there are ways to use spoofing to obscure the scanning machine but usually one of the ip addresses is the offender. If you think the process through with port scanning it just doesn't make sense that the originating machine would not wish to receive any information about what ports are open on your machine. That being said I think that if you are actually being port scanned you will find that one of the ip addresses you will see is the originating machine. -----Original Message----- From: Richard Arends [mailto:richardat_private] Sent: Sunday, January 06, 2002 6:41 AM To: incidentsat_private Subject: Spoofed scans Hello, Last couple of weeks i'm getting more and more spoofed scans on my firewall. All scans are icmp or port 53 (domain). Mostly 'they' first send a few icmp packets and then a scan for port 53 trying to do a reverse lookup for my ip. Are there more seeing this type off scans and is there a way to substract the real scanner (ip) from the list ip's ??? Greetings, Richard. ---- An OS is like swiss cheese, the bigger it is, the more holes you get! ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jan 08 2002 - 08:01:53 PST