Re: Ip spoof from 0.0.0.0

From: Pavel Kankovsky (peakat_private)
Date: Tue Nov 05 2002 - 16:34:51 PST

Next message: Ralf G. R. Bergs: "Re: anoat_private ftpd dip.t-dialin.net"

Previous message: Crist J. Clark: "Re: Ip spoof from 0.0.0.0"
In reply to: Ingersoll, Jared: "Ip spoof from 0.0.0.0"
Next in thread: Omar Herrera: "RE: Ip spoof from 0.0.0.0"
Next in thread: Omar Herrera: "RE: Ip spoof from 0.0.0.0"
Reply: Omar Herrera: "RE: Ip spoof from 0.0.0.0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 4 Nov 2002, Ingersoll, Jared wrote:

> Nov  1 01:42:44 2U:10.1.1.1 Nov 01 2002 01:50:32: %PIX-2-106016: Deny IP
> spoof from (0.0.0.0) to x.x.x.5

We're seeing them too, since Nov 1 03:30 GMT, approx. 150 per a day.
TCP SYNs to port 445 on different IPs. An interesting detail is that all
of them have IP ID == 256. TTL appears to vary between 108 and 113.

--Pavel Kankovsky aka Peak
"Welcome to the Czech Republic. Bring your own lifeboats."

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Ralf G. R. Bergs: "Re: anoat_private ftpd dip.t-dialin.net"
Previous message: Crist J. Clark: "Re: Ip spoof from 0.0.0.0"
In reply to: Ingersoll, Jared: "Ip spoof from 0.0.0.0"
Next in thread: Omar Herrera: "RE: Ip spoof from 0.0.0.0"
Next in thread: Omar Herrera: "RE: Ip spoof from 0.0.0.0"
Reply: Omar Herrera: "RE: Ip spoof from 0.0.0.0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Nov 06 2002 - 18:03:28 PST