Security Incidents mailing list archives

Re: Spoofed IP port scan?

From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 16 Nov 2000 10:25:58 -0500

On Tue, 14 Nov 2000 16:42:57 EST, Dave Chen <Dave_Chen () ACML COM>  said:

range).  I've notify the ISP of the source address.  One ISP
stated that they could not find the corresponding activity in
their external router, indicating the IP could be spoofed.
         Question:  If the IP is spoofed, how can the hacker get
the port scan information?  They either have to be on my up
stream ISP or the up stream of the source IP to the scan results,
right?


Remember that sometimes, the hacker doesn't CARE about what comes back.

Many UDP services can be exploited blindly.

If your kernel makes predictable TCP sequence numbers (many kernels use
very simple rules like "last initial seq # + 64"), once a hacker guesses
what the rule is, they can ship you blind packets and set up a connection.

--
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech

Attachment: _bin
Description:

Current thread:

Spoofed IP port scan? Dave Chen (Nov 16)
- Re: Spoofed IP port scan? Jose Nazario (Nov 17)
- Re: Spoofed IP port scan? Russell Fulton (Nov 17)
- Re: Spoofed IP port scan? Valdis Kletnieks (Nov 17)