Security Incidents mailing list archives
Re: Spoofed scans
From: "Crist J. Clark" <cristjc () earthlink net>
Date: Sun, 6 Jan 2002 22:22:34 -0800
On Sun, Jan 06, 2002 at 12:41:11PM +0100, Richard Arends wrote:
> Hello,
> Last couple of weeks I'm getting more and more spoofed scans on my firewall. All scans are ICMP or port 53 (domain). Mostly 'they' first send a few ICMP packets and then a scan for port 53 trying to do a reverse lookup for my IP.
How do you know these are spoofed? A lot of (rather silly) load balancing software fits this signature.

Do the TTLs on the packets look "correct?" That is, if you traceroute back to the sources, do you see the same (or very close) number of hops? If all the packets have the same TTL, yes, they are probably spoofed from one machine. If most of the TTLs don't agree with the actual number of hops, it is probably spoofed from one machine, but the spoofing software randomizes the initial TTL. If most or all of the TTLs look good, they probably are not spoofed.

--
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark | cjclark () alum mit edu
               | cjclark () jhu edu
http://people.freebsd.org/~cjc/ | cjc () freebsd org

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
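The TTL comparison described in the reply above, written out as an added example that is not part of the original post. It assumes senders start from one of the common initial TTLs (32, 64, 128, 255), reads "very close" as within 2 hops and "most" as more than half; the function names and the sample packets are constructed for illustration.

```python
# Added example: classify a batch of suspicious packets by comparing each
# received TTL with the hop count measured by tracerouting back to the source.
INITIAL_TTLS = (32, 64, 128, 255)   # assumed common OS defaults, not from the post
TOLERANCE = 2                       # assumed meaning of "same (or very close)"

SPOOFED_FIXED = "probably spoofed from one machine (identical TTL)"
SPOOFED_RANDOM = "probably spoofed, initial TTL randomized"
NOT_SPOOFED = "probably not spoofed"
INCONCLUSIVE = "inconclusive"


def implied_hops(observed_ttl):
    """Hops travelled, assuming the nearest common initial TTL at or above the value seen."""
    initial = min(t for t in INITIAL_TTLS if t >= observed_ttl)
    return initial - observed_ttl


def ttl_consistent(observed_ttl, traceroute_hops):
    """True when the TTL-implied distance is close to the measured distance.

    Return paths can differ from the traceroute path, hence the tolerance.
    """
    return abs(implied_hops(observed_ttl) - traceroute_hops) <= TOLERANCE


def classify(samples):
    """samples: list of (claimed_source_ip, observed_ttl, traceroute_hops)."""
    if not samples:
        return INCONCLUSIVE
    sources = {src for src, _, _ in samples}
    ttls = {ttl for _, ttl, _ in samples}
    # Case 1: many claimed sources, yet every packet arrives with the same TTL.
    if len(sources) > 1 and len(ttls) == 1:
        return SPOOFED_FIXED
    good = sum(ttl_consistent(ttl, hops) for _, ttl, hops in samples)
    # Case 2: most TTLs disagree with the real distance to the claimed source.
    if good * 2 < len(samples):
        return SPOOFED_RANDOM
    # Case 3: most or all TTLs match the real distance.
    if good * 2 > len(samples):
        return NOT_SPOOFED
    return INCONCLUSIVE


# Constructed sample data (documentation address ranges).
PLAUSIBLE = [("192.0.2.10", 52, 12), ("198.51.100.7", 113, 15), ("203.0.113.5", 241, 14)]
SAME_TTL = [("192.0.2.10", 57, 12), ("198.51.100.7", 57, 20), ("203.0.113.5", 57, 9)]
RANDOM_TTL = [("192.0.2.10", 97, 12), ("198.51.100.7", 201, 15),
              ("203.0.113.5", 23, 14), ("192.0.2.44", 52, 12)]

if __name__ == "__main__":
    for name, batch in (("plausible", PLAUSIBLE), ("same", SAME_TTL), ("random", RANDOM_TTL)):
        print(name, "->", classify(batch))
```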