Snort mailing list archives

Re: Locate address spoofer?


From: creining () packetfu org
Date: Fri, 13 Sep 2002 20:14:46 -0500

If you suspect a spoofer, one quick test to confirm/deny is to use the
utility despoof by Simple Nomad (http://razor.bindview.com/tools). You
can compare the TTL logged with a packet with the TTL you receive from
despoof.  If an attacker is spoofing a packet, the TTL in that packet
will not be the correct TTL of one created _at_ that address (unless
they are really paranoid and tweak the TTL).

Believe it or not, routes do change, so this tool is best utilized asap.

-Chris

On Fri, 13 Sep 2002 08:20:42 -0700
spyguy <spyguy703 () earthlink net> wrote:

If I suspect a source address has been spoofed, how would I go about
finding the REAL source of an attack? Is this possible?


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



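The TTL comparison described in the reply above, as an added example that is not part of the original post and is not despoof's code. It goes one step beyond the raw comparison by converting each TTL to an estimated hop count. The alert text, the probe reply TTLs, the list of initial TTL values and the tolerance of 2 hops are all assumptions constructed for illustration.

```python
import re

# Constructed sample in Snort's full alert layout (documentation-range addresses).
SAMPLE_ALERTS = """\
[**] [1:1000001:1] Constructed example alert [**]
09/13-08:20:42.101010 192.0.2.10:31337 -> 198.51.100.5:80
TCP TTL:47 TOS:0x0 ID:4242 IpLen:20 DgmLen:60 DF

[**] [1:1000001:1] Constructed example alert [**]
09/13-08:21:07.202020 203.0.113.7:4000 -> 198.51.100.5:80
TCP TTL:113 TOS:0x0 ID:4243 IpLen:20 DgmLen:60 DF
"""

# Assumption: senders start from one of these widely used initial TTL values.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

# Source address on the header line, TTL on the protocol line that follows it.
ALERT_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)(?::\d+)? -> \S+\n\w+ TTL:(\d+)")


def logged_ttls(alert_text):
    """Return {source_ip: [ttl, ...]} for every alert found in the text."""
    result = {}
    for src, ttl in ALERT_RE.findall(alert_text):
        result.setdefault(src, []).append(int(ttl))
    return result


def estimated_hops(ttl):
    """Hops travelled, assuming the nearest common initial TTL at or above ttl."""
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= ttl)
    return initial - ttl


def ttl_verdict(logged_ttl, probe_ttl, tolerance=2):
    """Compare hop estimates; the tolerance absorbs small route changes."""
    gap = abs(estimated_hops(logged_ttl) - estimated_hops(probe_ttl))
    return "consistent" if gap <= tolerance else "mismatch"


if __name__ == "__main__":
    # Constructed probe results: TTL seen on replies from each claimed source.
    probe_replies = {"192.0.2.10": 50, "203.0.113.7": 114}
    for src, ttls in logged_ttls(SAMPLE_ALERTS).items():
        for ttl in ttls:
            print(src, ttl, probe_replies[src], ttl_verdict(ttl, probe_replies[src]))
```

A "mismatch" only says the logged packet travelled a different number of hops than replies from the claimed address; a "consistent" result does not clear the source, since the sender can set the TTL deliberately.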

