nanog mailing list archives
Re: Very peculiar Telnet probing (possibly spoofed?)
From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Thu, 09 Sep 2004 06:24:03 -0400
On Thu, 2004-09-09 at 01:48, Jeff Kell wrote:
> I suspect but cannot prove that the packets are being spoofed as we are dropping (not resetting) the probes, yet they continue. There are repeated probes from the same IP address for about 15-20 minutes or more, then it moves along, but the resulting router logs blocking them looks initially random (from SE Asia sites).
Could be an idle scan. If so, that would mean each of these sources is just a quiet host being leveraged by the real attacker. Easiest way to tell is to return a SYN/ACK and look for TTL variances between the original SYN and the resulting ACK. My experience has been you'll also see discrepancies in the IP ID. The SYN packets will be non-predictable while the ACK packets will be predictable. If it is an idle scan, the only way (I'm aware of) to identify the real attacker is to work with the admin for the source IP. They'll see some IP address probing the source IP at about the same interval you are seeing the probes. _That_ source IP is the one you want to go after.

HTH,
Chris
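The TTL and IP ID comparison described in the reply above, as an added example that is not part of the original post or thread. It fabricates a small inbound capture for one suspicious source (addresses from the RFC 5737 documentation ranges, TTL and IP ID values chosen for illustration), splits it into the SYN probes and the host's own replies (RST or ACK) to our SYN/ACKs, and flags the source when the two halves disagree on hop count and on IP ID behaviour. The slack and step thresholds are assumptions, not something the post specifies.

```python
"""Idle-scan triage from raw IPv4/TCP headers (added example, not from the post)."""
import struct
from statistics import median

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def build_packet(src, dst, ttl, ipid, flags, sport=40000, dport=23):
    """Construct a minimal IPv4 + TCP header pair (no options, no payload,
    checksums left zero). Used only to fabricate the sample capture below."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ipid, 0, ttl, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


def parse_packet(pkt):
    """Extract the fields the check needs from raw IPv4/TCP bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    return {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "ttl": pkt[8],
        "ipid": struct.unpack("!H", pkt[4:6])[0],
        "flags": pkt[ihl + 13],
    }


def ipid_is_sequential(ids, max_step=16):
    """Predictable IP ID counter: every ID is a small positive step (mod 2^16)
    from the previous one. max_step is an assumed tolerance for other traffic
    the host sends between our probes. Returns None with too few samples."""
    if len(ids) < 3:
        return None
    steps = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    return all(1 <= s <= max_step for s in steps)


def analyze_source(raw_packets, our_ip, ttl_slack=2):
    """Compare the SYN probes with the replies (RST/ACK) the same source sends
    to our SYN/ACKs. Spoofed SYNs carry the real attacker's TTL and IP IDs;
    the replies come from the quiet host itself. ttl_slack is an assumption."""
    syn_ttls, syn_ids, rep_ttls, rep_ids = [], [], [], []
    for raw in raw_packets:
        p = parse_packet(raw)
        if p["dst"] != our_ip:          # only inbound packets matter here
            continue
        if p["flags"] & TCP_SYN and not p["flags"] & TCP_ACK:
            syn_ttls.append(p["ttl"]); syn_ids.append(p["ipid"])
        elif p["flags"] & (TCP_RST | TCP_ACK):
            rep_ttls.append(p["ttl"]); rep_ids.append(p["ipid"])
    if not syn_ttls or not rep_ttls:
        return {"verdict": "insufficient data"}
    ttl_mismatch = abs(median(syn_ttls) - median(rep_ttls)) > ttl_slack
    syn_seq, rep_seq = ipid_is_sequential(syn_ids), ipid_is_sequential(rep_ids)
    return {
        "ttl_mismatch": ttl_mismatch,
        "syn_ipid_sequential": syn_seq,
        "reply_ipid_sequential": rep_seq,
        # all three signals from the post must line up before we call it
        "idle_scan_likely": ttl_mismatch and rep_seq is True and syn_seq is False,
    }


# Constructed capture 1: SYNs arrive with TTL 52 and random-looking IP IDs,
# but the host's RSTs to our SYN/ACKs show TTL 115 and a counting IP ID.
OUR_IP, SUSPECT = "192.0.2.10", "203.0.113.7"
IDLE_SCAN_CAPTURE = [
    build_packet(SUSPECT, OUR_IP, 52, 0x3A1F, TCP_SYN),
    build_packet(SUSPECT, OUR_IP, 115, 4101, TCP_RST),
    build_packet(SUSPECT, OUR_IP, 52, 0x8C02, TCP_SYN),
    build_packet(SUSPECT, OUR_IP, 115, 4102, TCP_RST),
    build_packet(SUSPECT, OUR_IP, 52, 0x1177, TCP_SYN),
    build_packet(SUSPECT, OUR_IP, 115, 4104, TCP_RST),
    build_packet(SUSPECT, OUR_IP, 52, 0xE4B9, TCP_SYN),
    build_packet(SUSPECT, OUR_IP, 115, 4105, TCP_RST),
]

# Constructed capture 2: a host scanning us directly. Its SYNs and its ACKs
# share one TTL and one running IP ID counter, so no mismatch appears.
DIRECT_SCAN_CAPTURE = [
    build_packet(SUSPECT, OUR_IP, 115, 4101, TCP_SYN),
    build_packet(SUSPECT, OUR_IP, 115, 4102, TCP_ACK),
    build_packet(SUSPECT, OUR_IP, 115, 4103, TCP_SYN),
    build_packet(SUSPECT, OUR_IP, 115, 4104, TCP_ACK),
    build_packet(SUSPECT, OUR_IP, 115, 4105, TCP_SYN),
    build_packet(SUSPECT, OUR_IP, 115, 4106, TCP_ACK),
]

if __name__ == "__main__":
    print("idle scan capture  :", analyze_source(IDLE_SCAN_CAPTURE, OUR_IP))
    print("direct scan capture:", analyze_source(DIRECT_SCAN_CAPTURE, OUR_IP))
```

In practice the inbound packets would come from a pcap filtered on the suspect source, with our SYN/ACKs sent while the capture runs; the check only works if the firewall lets our SYN/ACK out and the host's RST back in, so do it from a host outside the drop rule mentioned in the thread. A host that randomizes its IP ID (many modern stacks do) will defeat the IP ID half of the test, which is why the TTL comparison is kept as an independent signal.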
Current thread:
- Re: Spammers Skirt IP Authentication Attempts, (continued)
- Re: Spammers Skirt IP Authentication Attempts Richard Welty (Sep 06)
- Re: Spammers Skirt IP Authentication Attempts Paul Vixie (Sep 06)
- Re: Spammers Skirt IP Authentication Attempts Mark Jeftovic (Sep 06)
- Re: Spammers Skirt IP Authentication Attempts Rich Kulawiec (Sep 08)
- Re: Spammers Skirt IP Authentication Attempts Michael . Dillon (Sep 08)
- Re: Spammers Skirt IP Authentication Attempts Richard Cox (Sep 08)
- Re: Spammers Skirt IP Authentication Attempts Suresh Ramasubramanian (Sep 08)
- Re: Spammers Skirt IP Authentication Attempts Paul Vixie (Sep 08)
- Very peculiar Telnet probing (possibly spoofed?) Jeff Kell (Sep 08)
- Re: Very peculiar Telnet probing (possibly spoofed?) Suresh Ramasubramanian (Sep 08)
- Re: Very peculiar Telnet probing (possibly spoofed?) Chris Brenton (Sep 09)
- Re: Spammers Skirt IP Authentication Attempts Mark Jeftovic (Sep 06)
- Re: Spammers Skirt IP Authentication Attempts [operational content at end] Rich Kulawiec (Sep 09)
- Re: Spammers Skirt IP Authentication Attempts Daniel Reed (Sep 08)
- Re: Spammers Skirt IP Authentication Attempts Stephane Bortzmeyer (Sep 10)
- Re: Spammers Skirt IP Authentication Attempts Joe Rhett (Sep 10)
- Re: Spammers Skirt IP Authentication Attempts Stephane Bortzmeyer (Sep 10)