Security Incidents mailing list archives

Re: Spoofed scans

From: "James" <jamesh () cybermesa com>
Date: Sun, 6 Jan 2002 18:30:15 -0700

Yea, and MAC addresses could be changed, too. Would not RARP resolve MAC to
IP ?

Unique or not, they were in the case I just worked on, though it was a local
spoofing event.
MAC address matched one in the router ARP cache, which gave IP. Access
records confirmed
this person was on every time the spoofing took place. Not to mention when
he/she called and asked
why their account did not work, I just said "Your spoofing" and I have not
heard a word sense.

In this case the MAC address was not the only piece of evidence, but it did
select 1 user from 10,000.

I'll be interested to see what others say, I am seeing spoofing again, but
it is not local.




----- Original Message -----
From: "Philip Wagenaar" <PB.Wagenaar () Chello NL>
To: "'James'" <jamesh () cybermesa com>; <incidents () securityfocus com>
Sent: Sunday, January 06, 2002 6:04 PM
Subject: RE: Spoofed scans

Do you mean get the MAC address? If so MAC addresses aren't unique
anymore, and how could you lookup what MAC address belongs to what IP?

Philip Wagenaar

-----Original Message-----
From: James [mailto:jamesh () cybermesa com]
Sent: maandag 7 januari 2002 1:47
To: incidents () securityfocus com
Subject: Re: Spoofed scans


Capture the data link layer and get the hardware address.
Perhaps this will indicate the true IP.


"Ask the plants of the earth and they will teach you." Job 12:8

----- Original Message -----
From: "Richard Arends" <richard () unixguru nl>
To: <incidents () securityfocus com>
Sent: Sunday, January 06, 2002 4:41 AM
Subject: Spoofed scans

Hello,

Last couple of weeks i'm getting more and more spoofed scans on my
firewall. All scans are icmp or port 53 (domain). Mostly

'they' first

send a few icmp packets and then a scan for port 53 trying to do a
reverse lookup for my ip.

Are there more seeing this type off scans and is there a way to
substract the real scanner (ip) from the list ip's ???

Greetings,

Richard.

----
An OS is like swiss cheese, the bigger it is, the more

holes you get!

----------------------------------------------------------------------

----

--

This list is provided by the SecurityFocus ARIS analyzer

service. For

more information on this free incident handling, management and
tracking system please see: http://aris.securityfocus.com



--------------------------------------------------------------
--------------
This list is provided by the SecurityFocus ARIS analyzer
service. For more information on this free incident handling,
management
and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Spoofed scans Richard Arends (Jan 06)
- Re: Spoofed scans James (Jan 06)
  - RE: Spoofed scans Philip Wagenaar (Jan 07)
    - Re: Spoofed scans James (Jan 07)
    - Re: Spoofed scans Will Aoki (Jan 07)
  - RE: Spoofed scans Bojan Zdrnja (Jan 07)
- Re: Spoofed scans Gideon Lenkey (Jan 07)
- Re: Spoofed scans Crist J. Clark (Jan 07)
  - Re: Spoofed scans Richard Arends (Jan 07)
- RE: Spoofed scans Paul M. Tiedemann (Jan 08)
  - Re: Spoofed scans Dave Ryan (Jan 08)
  - RE: Spoofed scans Gideon Lenkey (Jan 08)
- <Possible follow-ups>
- RE: Spoofed scans Joshua Wright (Jan 09)
  - RE: Spoofed scans Jose Nazario (Jan 09)