Security Incidents mailing list archives
scans with spoofed address (was @home: Is *anyone*...)
From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Wed, 8 Mar 2000 10:29:37 +1300
On Fri, 3 Mar 2000 15:54:04 -0600 William Annis <annis () BIOSTAT WISC EDU> wrote:
Anecdote: I contacted the owner of one ISP after getting a full RPC dump() sweep. He insisted up one side and down the other that the source IP - his - was spoofed. Can anyone explain to me the purpose of doing a dump() scan if you never see the data? I can't think of anything, but information about low-level networking sometimes takes me a while to absorb.
I have seen two cases of this with different explanations.

One was a scan from one of the big .edu sites (I forget which now, not that it is important). I reported the scan and got a response back a few days later to say that they had had a lot of trouble tracking down the culprit. Someone had cracked a machine and started scanning using spoofed source addresses in the same subnet, so traffic got routed back to that wire where they used tcpdump to grab the responses. The techs had to put a sniffer on the network to get the MAC address of the sending machine and track it down that way. If you were to compromise a machine that could see an ISP's traffic, then you could scan using the spoofed address of a customer and grab the responses as they went by.

The other case was one where we got repeated scans from a particular address, as did many other sites. The owner swore that the traffic was not coming from his boxes, yet the scans continued. In this case I think it was a DoS against the owner of the addresses. Why would any cracker repeat the same scan from the same address several times a day for several days? I have never seen anything like it before or since. If DoS it was, then it was very effective, since at one stage his ISP cut him off.

As with nearly all such cases we only get fragments of the picture, and it is very difficult to judge people's honesty over a few lines of exchanged email. There have been other cases where people have claimed addresses must have been forged where I have been rather skeptical, and in those cases I have alerted the upstream ISP that there might be a problem.

Cheers, Russell.
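The first case above turns on a detail the techs used to find the box: the spoofed source IPs belonged to the local subnet, so the frames carrying them came from a MAC address that did not match the address's real owner. The following is an added illustration, not code from the original post, of that same IP-to-MAC correlation run over a constructed set of sniffed frames; the MAC addresses, IP addresses and binding table are all made-up sample values.

```python
from collections import defaultdict, namedtuple

# One sniffed frame: sending MAC, claimed source IP, destination IP/port.
Frame = namedtuple("Frame", "src_mac src_ip dst_ip dst_port")

# Constructed sample capture (not real data). Station ...:01 emits RPC
# portmapper probes (port 111) using three source IPs that belong to other
# hosts on the same subnet; the genuine owners send their own ordinary traffic.
FRAMES = [
    Frame("aa:bb:cc:00:00:01", "192.0.2.10", "203.0.113.5", 111),
    Frame("aa:bb:cc:00:00:01", "192.0.2.11", "203.0.113.5", 111),
    Frame("aa:bb:cc:00:00:01", "192.0.2.12", "203.0.113.6", 111),
    Frame("aa:bb:cc:00:00:10", "192.0.2.10", "198.51.100.7", 80),
    Frame("aa:bb:cc:00:00:11", "192.0.2.11", "198.51.100.7", 443),
    Frame("aa:bb:cc:00:00:12", "192.0.2.12", "198.51.100.8", 25),
    # An IP with no known binding cannot be judged either way (see caveat).
    Frame("aa:bb:cc:00:00:20", "192.0.2.99", "198.51.100.9", 22),
]

# Known IP -> MAC bindings for the subnet, e.g. from the router's ARP cache
# or DHCP leases (constructed values).
KNOWN_BINDINGS = {
    "192.0.2.10": "aa:bb:cc:00:00:10",
    "192.0.2.11": "aa:bb:cc:00:00:11",
    "192.0.2.12": "aa:bb:cc:00:00:12",
}


def find_spoofed_frames(frames, bindings):
    """Frames whose source IP is bound to a MAC other than the one that sent them.

    Caveat: an IP absent from the binding table is skipped, not flagged, so
    the table must cover the subnet for the check to be complete.
    """
    return [f for f in frames
            if f.src_ip in bindings and bindings[f.src_ip] != f.src_mac]


def suspect_stations(frames, bindings, min_distinct_ips=2):
    """Group spoofed frames by sending MAC.

    A single station emitting several foreign source IPs is the likely scanner;
    the MAC is what lets the techs trace it to a switch port and a machine.
    """
    ips_by_mac = defaultdict(set)
    for f in find_spoofed_frames(frames, bindings):
        ips_by_mac[f.src_mac].add(f.src_ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items()
            if len(ips) >= min_distinct_ips}
```

On this sample the check flags the three probe frames and names `aa:bb:cc:00:00:01` as the one station to go and find, while the legitimate owners of the three addresses are left alone.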