Snort mailing list archives

Re: IP spoofing


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 07 Oct 2004 17:52:39 -0400

At 03:01 PM 10/7/2004, Aguiar Magalhaes wrote:
I'm receiving a lot of PING NMAP alerts... The source IPs are spoofed.

How can I know the true source IP of these attacks?

Correction: how can you know the true source of these packets. To characterize them as attacks is incorrect. You're not being attacked, you're being probed, and such probes can be legitimate, or not. They clearly aren't gaining access to your servers this way, or disabling your network, so it's not an attack.

The packets will have to be tracked back to their source on a router-by-router basis. Once you track it back to your internet connection, your options are quite limited. Unless it's very serious, it's a lot of work and you're not likely to get that much help from all the internet backbone operators to track down something as trivial as the source of an ICMP ping packet. If you were facing a sustained DoS flood of them, maybe, but less than 10,000 per hour, no.





