Security Incidents mailing list archives
Re: Spoofed scans
From: Dave Ryan <dave.ryan () eircom net>
Date: Tue, 8 Jan 2002 16:08:30 +0000
Paul M. Tiedemann said the following on Mon, Jan 07, 2002 at 07:53:08PM -0500, [snip]
If you think the process through with port scanning it just doesn't make sense that the originating machine would not wish to receive any information about what ports are open on your machine. That being said I think that if you are actually being port scanned you will find that one of the ip addresses you will see is the originating machine.
Not always true. If an upstream host was compromised, you could use agent systems to scan and have the compromised host sniff the return packets, by using perishable zombies you can avoid detection of the host which is collecting the data. -- Dave Ryan Security Advisor dave.ryan () eircom net Computer Incident Response Team ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Spoofed scans Richard Arends (Jan 06)
- Re: Spoofed scans James (Jan 06)
- RE: Spoofed scans Philip Wagenaar (Jan 07)
- Re: Spoofed scans James (Jan 07)
- Re: Spoofed scans Will Aoki (Jan 07)
- RE: Spoofed scans Bojan Zdrnja (Jan 07)
- RE: Spoofed scans Philip Wagenaar (Jan 07)
- Re: Spoofed scans Gideon Lenkey (Jan 07)
- Re: Spoofed scans Crist J. Clark (Jan 07)
- Re: Spoofed scans Richard Arends (Jan 07)
- RE: Spoofed scans Paul M. Tiedemann (Jan 08)
- Re: Spoofed scans Dave Ryan (Jan 08)
- RE: Spoofed scans Gideon Lenkey (Jan 08)
- <Possible follow-ups>
- RE: Spoofed scans Joshua Wright (Jan 09)
- RE: Spoofed scans Jose Nazario (Jan 09)
- Re: Spoofed scans James (Jan 06)