Re: IP spoofing

[Jose Maria Lopez <jkerouac () bgsec com>]

El jue, 07 de 10 de 2004 a las 21:01, Aguiar Magalhaes escribió:
> Hi snorters,
>
> I'm receiving a lot of PING NMAP alerts... The source
> IPs  are spoofed
>
> How can I to know the true source IP of these attacks
> ??
>
> Please, help me ...

If the machine that it's pinging you is spoofing the source
address it's very likely that it's using decoys (nmap -D) to
ping you. You can try to check the TTL of the packets and
something like GeoIP to see if the IP it's coming from the
place it should be. Have in mind that I never tried to do so,
so it's just a guess.

-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac () bgsec com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"



-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users