Security Incidents mailing list archives

Re: Spoofed scans


From: Dave Ryan <dave.ryan () eircom net>
Date: Tue, 8 Jan 2002 16:08:30 +0000

Paul M. Tiedemann said the following on Mon, Jan 07, 2002 at 07:53:08PM -0500, 
[snip]
> If you think the process
> through with port scanning it just doesn't make sense that the originating
> machine would not wish to receive any information about what ports are open
> on your machine.  That being said I think that if you are actually being
> port scanned you will find that one of the IP addresses you will see is the
> originating machine.

Not always true. If an upstream host was compromised, you could use agent
systems to scan and have the compromised host sniff the return packets. By
using perishable zombies you can avoid detection of the host which is
collecting the data.

-- 
Dave Ryan                       Security Advisor        
dave.ryan () eircom net Computer Incident Response Team 
