Firewall Wizards mailing list archives
RE: Spoofed source IP in scans (decoys) - what to do?
From: "Wyatt, Anthony" <Anthony.Wyatt () its csiro au>
Date: Tue, 30 Nov 1999 17:51:20 +1100
First check the TTL in each packet. Older versions of nmap used the same TTL as the real host; in this case just traceroute to each source address, and whichever has the closest number of hops compared to your TTL is the winner :-) Newer versions of nmap use random TTL values, but you can still use the same process, though the results may not be as accurate depending on how random the values are.
-----Original Message-----
From: Niloc [mailto:niloc () softimage com]
Sent: Saturday, November 27, 1999 3:01 AM
To: firewall-wizards () nfr net
Subject: Spoofed source IP in scans (decoys) - what to do?

Hi,

I have had quite a few scans occurring on a host lately and the scanning method includes the use of "decoys" (in nmap) or spoofed source IP addresses. Of course my problem is that I don't want to blindly deny traffic from all the source IP addresses that appear to be scanning me since I might block legitimate traffic from them.

I am wondering what my alternatives are? What would be a good method to find out which IP is really scanning me?

Thanks for your help.

Niloc.
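The TTL comparison described in the reply above, as an added example that is not part of the original thread: it ranks each claimed source by how closely its traceroute hop count matches the hop count implied by the TTLs seen in the scan packets, and flags the random-TTL case where the ranking is unreliable. The function names, the list of common initial TTLs, and the sample data (documentation-range addresses, constructed values) are assumptions; hop counts are expected to come from a separate traceroute run.

```python
from statistics import median

# Common initial TTL values used by operating systems (assumption for this example).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

def implied_hops(observed_ttl):
    """Hops travelled, assuming the sender started at the nearest common default."""
    initial = next((t for t in COMMON_INITIAL_TTLS if t >= observed_ttl), 255)
    return initial - observed_ttl

def looks_randomised(observed_ttls, max_spread=2):
    """True when TTLs across the scan vary too much to share one origin path."""
    all_ttls = [t for ttls in observed_ttls.values() for t in ttls]
    return max(all_ttls) - min(all_ttls) > max_spread

def rank_sources(observed_ttls, traceroute_hops):
    """Return (source, hop_difference) pairs, best candidate first.

    observed_ttls:   {source_ip: [TTL seen in each scan packet]}
    traceroute_hops: {source_ip: hop count measured by traceroute}
    """
    ranked = []
    for src, ttls in observed_ttls.items():
        if src not in traceroute_hops:
            continue  # traceroute was filtered or never completed
        hops = median(implied_hops(t) for t in ttls)
        ranked.append((abs(hops - traceroute_hops[src]), src))
    ranked.sort()
    return [(src, diff) for diff, src in ranked]

# Constructed sample: every packet arrives with TTL 52, as with older decoy scans.
SAMPLE_TTLS = {
    "192.0.2.10": [52, 52, 52],
    "198.51.100.7": [52, 52],
    "203.0.113.99": [52, 52, 52],
}
# Constructed traceroute results for the same addresses.
SAMPLE_HOPS = {"192.0.2.10": 19, "198.51.100.7": 12, "203.0.113.99": 7}

if __name__ == "__main__":
    if looks_randomised(SAMPLE_TTLS):
        print("TTLs vary widely; treat the ranking as low confidence")
    for src, diff in rank_sources(SAMPLE_TTLS, SAMPLE_HOPS):
        print(f"{src}: hop difference {diff}")
```

Routing asymmetry and off-by-one differences in how traceroute counts the final hop mean the closest match is a lead to corroborate, not proof of origin.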