Security Incidents mailing list archives

Re: Spoofed scans


From: Richard Arends <richard () unixguru nl>
Date: Mon, 7 Jan 2002 14:11:59 +0100 (CET)

On Sun, 6 Jan 2002, Crist J. Clark wrote:

> How do you know these are spoofed? A lot of (rather silly) load
> balancing software fits this signature.

I suspect it, because it doesn't look like something a device or piece of
software would do and nothing listens on port 53.

> Do the TTLs on the packets look "correct?" That is, if you traceroute
> back to the sources, do you see the same (or very close) number of
> hops? If all the packets have the same TTL, yes, they are probably
> spoofed from one machine.

There's a little difference in the TTLs.

> If most of the TTLs don't agree with the actual number of hops, it is
> probably spoofed from one machine, but the spoofing software
> randomizes the initial TTL.

I didn't traceroute all the IPs, but the IPs I traced were almost
matching the TTL.

> If most or all of the TTLs look good, they probably are not spoofed.

Hmm. It has happened often the last couple of weeks from different IPs.

Greetings,

Richard.

----
An OS is like swiss cheese, the bigger it is, the more holes you get!
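The TTL heuristics Crist describes (identical TTLs from many sources, and TTL-implied distance versus traceroute hop count), written out as an added Python example that is not from the thread. The packet list and hop counts are constructed, and guessing the sender's initial TTL from the common defaults 32/64/128/255 is an assumption of the example.

```python
from collections import Counter

# Common default initial TTLs; an observed TTL is assumed to come from the
# smallest of these that is >= the observed value (an assumption, not a rule).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

def implied_hops(observed_ttl):
    """Hops travelled, inferred from the observed TTL and a guessed initial TTL."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError("TTL cannot exceed 255")

def ttl_matches_hops(observed_ttl, traceroute_hops, tolerance=2):
    """True if the TTL-implied distance agrees with traceroute within tolerance
    (forward and return paths are often slightly asymmetric)."""
    return abs(implied_hops(observed_ttl) - traceroute_hops) <= tolerance

def assess(packets, traceroute_hops):
    """packets: list of (src_ip, observed_ttl); traceroute_hops: src_ip -> hop
    count measured from the observer. Returns one of four verdict tags."""
    sources = {src for src, _ in packets}
    ttls = Counter(ttl for _, ttl in packets)
    if len(sources) > 1 and len(ttls) == 1:
        return "identical-ttl"          # one sender, unrandomised initial TTL
    checked = [(src, ttl) for src, ttl in packets if src in traceroute_hops]
    if not checked:
        return "no-data"
    agreeing = sum(ttl_matches_hops(ttl, traceroute_hops[src]) for src, ttl in checked)
    if agreeing * 2 >= len(checked):    # most TTLs agree with real hop counts
        return "ttl-consistent"
    return "ttl-inconsistent"           # likely one sender randomising the initial TTL

# Constructed sample: three sources whose TTLs sit just below the 64/128/255 defaults.
SAMPLE_PACKETS = [("198.51.100.7", 52), ("203.0.113.9", 116), ("192.0.2.44", 241)]
SAMPLE_HOPS = {"198.51.100.7": 13, "203.0.113.9": 12, "192.0.2.44": 14}

if __name__ == "__main__":
    print(assess(SAMPLE_PACKETS, SAMPLE_HOPS))  # ttl-consistent
```

The initial-TTL guess is ambiguous for mid-range values (an observed 50 could be 14 hops from a 64 default or 78 from a 128 default), so treat the verdict as supporting evidence rather than proof.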


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
