Re: Spoofed scans

From: Dave Ryan (dave.ryanat_private)
Date: Tue Jan 08 2002 - 08:08:30 PST

  • Next message: Gideon Lenkey: "RE: Spoofed scans"

    Paul M. Tiedemann said the following on Mon, Jan 07, 2002 at 07:53:08PM -0500, 
    [snip]
    > If you think the process
    > through with port scanning it just doesn't make sense that the originating
    > machine would not wish to receive any information about what ports are open
    > on your machine.  That being said I think that if you are actually being
    > port scanned you will find that one of the ip addresses you will see is the
    > originating machine.
    
    Not always true. If an upstream host was compromised, you could use agent
    systems to scan and have the compromised host sniff the return packets, by
    using perishable zombies you can avoid detection of the host which is
    collecting the data.
    
    -- 
    Dave Ryan	 	        Security Advisor	
    dave.ryanat_private	Computer Incident Response Team	
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Jan 08 2002 - 09:34:15 PST