RE: Spoofed source IP in scans (decoys) - what to do?

["Wyatt, Anthony" <Anthony.Wyatt () its csiro au>]

First check the ttl in each packet.  Older versions of nmap used the same
ttl as the real host, in this case just traceroute to each source address
and whichever has the closest number of hops compared to your ttl is the
winner:-)  Newer versions of nmap use random ttl values, but you can still
use the same process, but the results may not be as accurate depending on
how random the values are.

> -----Original Message-----
> From: Niloc [mailto:niloc () softimage com]
> Sent: Saturday, November 27, 1999 3:01 AM
> To: firewall-wizards () nfr net
> Subject: Spoofed source IP in scans (decoys) - what to do?
>
>
> Hi,
>
> I have had quite a few scans occuring on a host lately and 
> the scanning
> method
> includes the use of "decoys" (in nmap) or spoofed source IP addresses.
>
> Of course my problem is that I don't want to blindly deny traffic from
> all the source IP addresses that appear to be scanning me 
> since I might
> block legetimate traffic from them.
>
> I am wondering what my alternatives are? What would be a good method
> to find out which IP is really scanning me?
>
> Thanks for your help.
>
> Niloc.