Neil Dickey wrote:

> My questions are these: Does anyone know what sort of probe is being used?

The other replies have covered the probable 'spoofed source address' solution.

If you can get your hands on one of these packets and examine its contents, you can see the IP header of the packet that produced the response, as part of the ICMP packet body. If the spoofing explanation is correct and complete, the src address of that returned header should be one of your addresses.

Strictly speaking, you should also be able to see all successful responses to the presumed probes. If you're behind a firewall, they may get filtered away, though, as there are no sessions that match them, but you might be able to find corroborating evidence in the firewall logs.

--
Anders Thulin anders.thulinat_private 040-661 50 63
Ki Consulting AB, Box 85, SE-201 20 Malmö, Sweden

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
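The check described in the message above, as an added example that is not part of the original post: it pulls the quoted IP header out of a captured ICMP error and tests whether its source address is one of yours. The function names, the assumption that the input is a raw IPv4 packet starting at the IP header, and the sample packet (built from documentation addresses) are all constructed for illustration.

```python
import ipaddress
import struct

ICMP_ERRORS = {3, 4, 5, 11, 12}  # ICMP types that quote the offending packet (RFC 792)

def parse_ipv4(buf):
    """Return (header_len, protocol, src, dst) of the IPv4 header at the start of buf."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("truncated IPv4 header")
    return ihl, buf[9], ipaddress.IPv4Address(buf[12:16]), ipaddress.IPv4Address(buf[16:20])

def quoted_header(packet):
    """For a captured IPv4 packet carrying an ICMP error, describe the packet it quotes."""
    ihl, proto, reporter, _ = parse_ipv4(packet)
    icmp = packet[ihl:]
    if proto != 1 or len(icmp) < 8 or icmp[0] not in ICMP_ERRORS:
        return None  # not an ICMP error, so nothing is quoted
    inner = icmp[8:]  # skip type, code, checksum and the 4-byte unused/parameter field
    inner_ihl, inner_proto, src, dst = parse_ipv4(inner)
    l4 = inner[inner_ihl:inner_ihl + 4]
    ports = struct.unpack("!HH", l4) if inner_proto in (6, 17) and len(l4) == 4 else None
    return {"reporter": reporter, "type": icmp[0], "code": icmp[1],
            "src": src, "dst": dst, "proto": inner_proto, "ports": ports}

def quoted_source_is_ours(packet, my_networks):
    """True when the quoted header's source lies in one of my_networks (CIDR strings)."""
    q = quoted_header(packet)
    return q is not None and any(q["src"] in ipaddress.ip_network(n) for n in my_networks)

def build_ipv4(proto, src, dst, payload):
    # Builds a constructed sample header; checksum is 0 because nothing here verifies it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

# Constructed sample (documentation addresses): router 203.0.113.1 reports host unreachable
# for a TCP packet that claimed to come from 192.0.2.10 and was sent to 198.51.100.7:80.
QUOTED = build_ipv4(6, "192.0.2.10", "198.51.100.7", struct.pack("!HHI", 40000, 80, 0))
SAMPLE = build_ipv4(1, "203.0.113.1", "192.0.2.10", struct.pack("!BBHI", 3, 1, 0, 0) + QUOTED)

if __name__ == "__main__":
    print(quoted_header(SAMPLE))
    print(quoted_source_is_ours(SAMPLE, ["192.0.2.0/24"]))
```

The quoted destination and ports show which hosts and services the presumed probes were aimed at, which is what to look for when searching the firewall logs for the unmatched replies.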
This archive was generated by hypermail 2b30 : Fri Feb 14 2003 - 20:43:27 PST