Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Spoofed scans

From: "James" <jamesh () cybermesa com>
Date: Sun, 6 Jan 2002 17:47:07 -0700
Capture the data link layer and get the hardware address. Perhaps this will
indicate the true IP.


"Ask the plants of the earth and they will teach you." Job 12:8

----- Original Message -----
From: "Richard Arends" <richard () unixguru nl>
To: <incidents () securityfocus com>
Sent: Sunday, January 06, 2002 4:41 AM
Subject: Spoofed scans



Hello,

Last couple of weeks i'm getting more and more spoofed scans on my
firewall. All scans are icmp or port 53 (domain). Mostly 'they' first send
a few icmp packets and then a scan for port 53 trying to do a reverse
lookup for my ip.

Are there more seeing this type off scans and is there a way to substract
the real scanner (ip) from the list ip's ???

Greetings,

Richard.

----
An OS is like swiss cheese, the bigger it is, the more holes you get!


--------------------------------------------------------------------------

--

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: