Security Incidents mailing list archives
RE: Spider with improbable IP address
From: k levinson <levinson_k () yahoo com>
Date: Fri, 15 Oct 2004 10:29:27 -0700 (PDT)
It could be either. .0 can be a valid IP address. Not every subnet out there is an even /24 class C subnet starting and ending at .0 and .255 Spoofing an invalid source IP address in successful TCP sessions is problematic. You're right that the fact that you're getting HTTP requests in your web log, presumably following a successful TCP handshake, suggests that this may not be spoofing. The usual IP lookup tools such as whois and nslookup should be able to help you confirm whether this IP is a valid spider host. - karl levinson
-----Original Message----- From: Ed Wittmann [mailto:wittmann () sae org] Sent: Thursday, October 14, 2004 2:14 PM To: incidents () securityfocus com Subject: Spider with improbable IP address
xxx.xxx.xxx.0 Now, I was under the assumption that you can't send
and
receive on this address
Could someone cure my ignorance? Is this spoofing?
It doesn't
seem like source spoofing since the reply is clearly
going
back to the same IP address.
_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com
Current thread:
- Spider with improbable IP address Ed Wittmann (Oct 15)
- Re: Spider with improbable IP address insecure (Oct 15)
- Re: Spider with improbable IP address Bennett Todd (Oct 15)
- Re: Spider with improbable IP address Ric Messier (Oct 18)
- Re: Spider with improbable IP address Bennett Todd (Oct 18)
- Re: Spider with improbable IP address Ric Messier (Oct 18)
- <Possible follow-ups>
- RE: Spider with improbable IP address k levinson (Oct 15)
- RE: Spider with improbable IP address Jobe Bittman (Oct 15)