Security Incidents mailing list archives

Re: Spoofed scans


From: "Crist J. Clark" <cristjc () earthlink net>
Date: Sun, 6 Jan 2002 22:22:34 -0800

On Sun, Jan 06, 2002 at 12:41:11PM +0100, Richard Arends wrote:
> Hello,
> 
> Last couple of weeks I'm getting more and more spoofed scans on my
> firewall. All scans are ICMP or port 53 (domain). Mostly 'they' first send
> a few ICMP packets and then a scan for port 53 trying to do a reverse
> lookup for my IP.

How do you know these are spoofed? A lot of (rather silly) load
balancing software fits this signature.

Do the TTLs on the packets look "correct?" That is, if you traceroute
back to the sources, do you see the same (or very close) number of
hops? If all the packets have the same TTL, yes, they are probably
spoofed from one machine. If most of the TTLs don't agree with the
actual number of hops, it is probably spoofed from one machine, but
the spoofing software randomizes the initial TTL. If most or all of
the TTLs look good, they probably are not spoofed.
-- 
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     |     cjclark () alum mit edu
                                   |     cjclark () jhu edu
http://people.freebsd.org/~cjc/    |     cjc () freebsd org

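The TTL heuristic in the reply above, worked through as an added example (this is not code from the original message or from the list; the log format, the IP addresses from the RFC 5737 documentation ranges, the traceroute hop counts and the `agree_fraction`/`tolerance` thresholds are all constructed assumptions). It infers each packet's likely initial TTL from the common OS defaults (32, 64, 128, 255), derives a hop count, and compares it with the hop count a traceroute back to the claimed source produced, then applies the three rules from the reply: all packets sharing one TTL across many claimed sources, most TTLs disagreeing with the measured hops, or most TTLs agreeing.

```python
"""Classify a burst of scan packets as spoofed or genuine using the
TTL-versus-traceroute heuristic. Added example; all data is constructed."""
from collections import Counter

# Initial TTLs that common operating systems use (well-known defaults).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed_ttl):
    """Pick the smallest common default TTL that could have decayed to
    observed_ttl. A packet with TTL 52 most plausibly started at 64."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return 255


def hops_from_ttl(observed_ttl):
    """Estimated hops the packet travelled: inferred initial TTL minus observed."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


def ttl_consistent(observed_ttl, traceroute_hops, tolerance=2):
    """True if the TTL-derived hop count is within `tolerance` of the
    hop count a traceroute back to the claimed source measured. A small
    tolerance absorbs asymmetric routes and moving paths (assumption)."""
    return abs(hops_from_ttl(observed_ttl) - traceroute_hops) <= tolerance


def parse_log_line(line):
    """Parse one constructed firewall log line, e.g.
    'src=198.51.100.7 proto=icmp ttl=52' -> (src, proto, ttl)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["proto"], int(fields["ttl"])


def classify_scan(log_lines, traceroute_hops, agree_fraction=0.7):
    """Apply the three rules from the reply.

    traceroute_hops maps a claimed source IP to the hop count measured by
    a traceroute back to it. Sources without a traceroute are skipped.
    """
    packets = [parse_log_line(line) for line in log_lines]
    sources = {src for src, _, _ in packets}
    ttl_counts = Counter(ttl for _, _, ttl in packets)

    # Rule 1: many claimed sources but a single TTL -> one spoofing host.
    if len(ttl_counts) == 1 and len(sources) > 1:
        return "spoofed-single-host"

    checked = [(src, ttl) for src, _, ttl in packets if src in traceroute_hops]
    if not checked:
        return "undetermined"
    agreeing = sum(1 for src, ttl in checked
                   if ttl_consistent(ttl, traceroute_hops[src]))

    # Rule 3: most TTLs match the real path -> probably not spoofed.
    if agreeing / len(checked) >= agree_fraction:
        return "likely-genuine"
    # Rule 2: TTLs mostly wrong -> one host spoofing with randomized TTLs.
    return "spoofed-randomized-ttl"


# Constructed traceroute results: claimed source -> hops measured back to it.
TRACEROUTE_HOPS = {
    "198.51.100.7": 12, "198.51.100.8": 9, "198.51.100.9": 15,
    "198.51.100.10": 7, "203.0.113.20": 12, "203.0.113.21": 10,
    "203.0.113.22": 13, "203.0.113.23": 20,
}

# Constructed log bursts, one per scenario in the reply.
SINGLE_HOST_LOG = [
    "src=198.51.100.7 proto=icmp ttl=53",
    "src=198.51.100.8 proto=icmp ttl=53",
    "src=198.51.100.9 proto=udp dport=53 ttl=53",
]
RANDOM_TTL_LOG = [
    "src=198.51.100.7 proto=icmp ttl=17",
    "src=198.51.100.8 proto=icmp ttl=201",
    "src=198.51.100.9 proto=udp dport=53 ttl=99",
    "src=198.51.100.10 proto=udp dport=53 ttl=240",
]
GENUINE_LOG = [
    "src=203.0.113.20 proto=icmp ttl=52",    # 64-52 = 12 hops, traceroute 12
    "src=203.0.113.21 proto=icmp ttl=117",   # 128-117 = 11 hops, traceroute 10
    "src=203.0.113.22 proto=udp dport=53 ttl=243",  # 255-243 = 12, traceroute 13
    "src=203.0.113.23 proto=udp dport=53 ttl=50",   # 14 hops vs 20: one outlier
]

if __name__ == "__main__":
    for name, log in (("single-host", SINGLE_HOST_LOG),
                      ("random-ttl", RANDOM_TTL_LOG),
                      ("genuine", GENUINE_LOG)):
        print(f"{name}: {classify_scan(log, TRACEROUTE_HOPS)}")
```

The traceroute hop counts are the part a practitioner has to supply from their own vantage point; the inferred initial TTL is only a guess at the sender's OS default, so a single disagreeing packet (as in the last "genuine" line) should not flip the verdict, which is why the decision is by majority with a small tolerance.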
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

