Security Incidents mailing list archives
Re: Spoofed IP port scan?
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 16 Nov 2000 10:45:06 +1300
On Tue, 14 Nov 2000 16:42:57 -0500 Dave Chen <Dave_Chen () ACML COM> wrote:
> Hi, I notice an increase in scanning for sunrpc, telnet, ftp, etc. for a range of IPs (that include our hosts in that IP range). I've notified the ISP of the source address. One ISP stated that they could not find the corresponding activity in their external router, indicating the IP could be spoofed.
>
> Question: If the IP is spoofed, how can the hacker get the port scan information? They either have to be on my upstream ISP or the upstream of the source IP to see the scan results, right?

Yes, in this case. In the general case they could also be in the same network (we have seen this). But since the ISP says the traffic did not go out the router then that is ruled out.

Two other possibilities:

- The ISP was wrong (got timezones wrong, mis-pasted the IP in the search -- I've done both).
- The intended 'victim' is the owner of the 'source address'. I.e. the purpose of the scan is to get the owner of the source address in trouble with their ISP; the traffic could come from anywhere. (I have also seen cases where we are fairly sure that happened -- we never did get to the bottom of that one.)

Cheers, Russell