Security Incidents mailing list archives
Re: Spoofed scans
From: Richard Arends <richard () unixguru nl>
Date: Mon, 7 Jan 2002 14:11:59 +0100 (CET)
On Sun, 6 Jan 2002, Crist J. Clark wrote:

> How do you know these are spoofed? A lot of (rather silly) load balancing software fits this signature.

I suspect it, because it doesn't look like something a device or piece of software would do and nothing listens on port 53.

> Do the TTLs on the packets look "correct?" That is, if you traceroute back to the sources, do you see the same (or very close) number of hops? If all the packets have the same TTL, yes, they are probably spoofed from one machine.

There's a little difference in the TTLs.

> If most of the TTLs don't agree with the actual number of hops, it is probably spoofed from one machine, but the spoofing software randomizes the initial TTL.

I didn't traceroute all the IPs, but the IPs I traced were almost matching the TTL.

> If most or all of the TTLs look good, they probably are not spoofed.

Hmm. It happens often the last couple of weeks from different IPs.

Greetings,
Richard.

----
An OS is like swiss cheese, the bigger it is, the more holes you get!

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking
system please see: http://aris.securityfocus.com
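The TTL comparison described in the quoted text above, as an added example that is not part of the original message: it takes the observed TTL of each scan packet and the traceroute hop count to its claimed source, and applies the three rules from the thread. The function names, the list of common initial TTLs (32, 64, 128, 255), the 3-hop tolerance and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
# Added example: TTL vs. hop-count consistency check for suspected spoofed scans.
# Assumption: senders start from one of these common initial TTL values.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

def implied_hops(observed_ttl):
    """Hops a packet travelled, assuming the smallest common initial TTL >= observed."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL out of range: %r" % observed_ttl)
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl

def assess(samples, tolerance=3):
    """samples: list of (src_ip, observed_ttl, traceroute_hops or None).

    tolerance absorbs asymmetric routes and the off-by-one between a
    traceroute hop number and the number of routers that decrement the TTL.
    """
    sources = {src for src, _, _ in samples}
    ttls = {ttl for _, ttl, _ in samples}
    # Rule 1: many claimed sources, one identical TTL -> one real sender.
    if len(sources) > 1 and len(ttls) == 1:
        return "same-ttl: probably spoofed from one machine"
    traced = [(ttl, hops) for _, ttl, hops in samples if hops is not None]
    if not traced:
        return "inconclusive: no traceroute data"
    agree = sum(1 for ttl, hops in traced
                if abs(implied_hops(ttl) - hops) <= tolerance)
    # Rule 2: most TTLs agree with the measured path length.
    if agree * 2 > len(traced):
        return "consistent: probably not spoofed"
    # Rule 3: most TTLs disagree -> spoofed, initial TTL likely randomized.
    if agree * 2 < len(traced):
        return "inconsistent: probably spoofed, randomized initial TTL"
    return "inconclusive: evidence split"

# Constructed sample data (documentation address ranges, not from the thread).
SAME_TTL = [("192.0.2.10", 52, None), ("198.51.100.7", 52, None),
            ("203.0.113.99", 52, None)]
MATCHING = [("192.0.2.10", 52, 12), ("198.51.100.7", 115, 14),
            ("203.0.113.99", 241, 15)]
RANDOMIZED = [("192.0.2.10", 97, 12), ("198.51.100.7", 23, 14),
              ("203.0.113.99", 180, 15)]

if __name__ == "__main__":
    for name, data in (("same", SAME_TTL), ("matching", MATCHING),
                       ("randomized", RANDOMIZED)):
        print(name, "->", assess(data))
```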