Firewall Wizards mailing list archives

Re: Spoofed source IP in scans (decoys) - what to do?


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Mon, 29 Nov 1999 14:27:49 -0600 (CST)


parse yer logs for a duplicate IP from each of the scans; if I recall, the
'spoofing' in nmap is really not that deep, it spoofs like every 10th
address or so, so a common entry should perhaps be gleaned if they are
using the nmap default 'spoofing' modes...

Thanks,

Ron DuFresne

On Fri, 26 Nov 1999, Niloc wrote:

Hi,

I have had quite a few scans occurring on a host lately and the scanning
method includes the use of "decoys" (in nmap) or spoofed source IP addresses.

Of course my problem is that I don't want to blindly deny traffic from
all the source IP addresses that appear to be scanning me since I might
block legitimate traffic from them.

I am wondering what my alternatives are? What would be a good method
to find out which IP is really scanning me?

Thanks for your help.

Niloc.


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!
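The correlation Ron describes, as an added example that is not part of the original thread: nmap's -D option sends every probe once from the real address and once from each decoy, so a single scan gives no way to tell them apart from the firewall log alone, but the decoy list is whatever the attacker typed for that run while the real address has to be present in every run. Intersecting the source sets of several separate scan bursts therefore tends to leave the real scanner. The log format below is a constructed, simplified firewall deny line (timestamp, SRC, DST, DPT) and the three scans in it are invented; the regex, the 60-second burst gap and the year-less syslog timestamp handling are assumptions to adapt to your own logging.

```python
"""Correlate repeated decoy scans and find the source address common to all of them.

Added example, not code from the original thread. The log lines are a
constructed, simplified firewall deny format; adapt LINE_RE to your own.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: three separate scans of 192.0.2.10, each run with a
# different decoy list. Only 198.51.100.7 appears in every burst.
SAMPLE_LOG = """\
Nov 26 01:12:03 fw kernel: DENY SRC=10.1.1.5 DST=192.0.2.10 DPT=21
Nov 26 01:12:03 fw kernel: DENY SRC=198.51.100.7 DST=192.0.2.10 DPT=21
Nov 26 01:12:03 fw kernel: DENY SRC=203.0.113.9 DST=192.0.2.10 DPT=21
Nov 26 01:12:04 fw kernel: DENY SRC=10.1.1.5 DST=192.0.2.10 DPT=23
Nov 26 01:12:04 fw kernel: DENY SRC=198.51.100.7 DST=192.0.2.10 DPT=23
Nov 26 01:12:04 fw kernel: DENY SRC=203.0.113.9 DST=192.0.2.10 DPT=23
Nov 26 03:40:51 fw kernel: DENY SRC=198.51.100.7 DST=192.0.2.10 DPT=25
Nov 26 03:40:51 fw kernel: DENY SRC=192.0.2.77 DST=192.0.2.10 DPT=25
Nov 26 03:40:51 fw kernel: DENY SRC=203.0.113.200 DST=192.0.2.10 DPT=25
Nov 26 03:40:52 fw kernel: DENY SRC=198.51.100.7 DST=192.0.2.10 DPT=80
Nov 26 03:40:52 fw kernel: DENY SRC=192.0.2.77 DST=192.0.2.10 DPT=80
Nov 26 03:40:52 fw kernel: DENY SRC=203.0.113.200 DST=192.0.2.10 DPT=80
Nov 26 09:05:17 fw kernel: DENY SRC=172.16.0.3 DST=192.0.2.10 DPT=110
Nov 26 09:05:17 fw kernel: DENY SRC=198.51.100.7 DST=192.0.2.10 DPT=110
Nov 26 09:05:17 fw kernel: DENY SRC=10.9.9.9 DST=192.0.2.10 DPT=110
"""

# Assumed line layout: "<syslog ts> <host> kernel: DENY SRC=a.b.c.d DST=... DPT=n"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?DENY SRC=(?P<src>[\d.]+) "
    r"DST=(?P<dst>[\d.]+) DPT=(?P<dpt>\d+)"
)


def parse_events(text):
    """Return (timestamp, src, dst, dport) tuples for every deny line.

    Syslog timestamps carry no year; strptime fills in 1900, which is fine
    here because only the gaps between events are used (assumption)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("src"), m.group("dst"), int(m.group("dpt"))))
    return events


def split_into_scans(events, gap=timedelta(seconds=60)):
    """Group events into scan bursts: silence longer than `gap` starts a new scan."""
    scans = []
    for ev in sorted(events, key=lambda e: e[0]):
        if scans and ev[0] - scans[-1][-1][0] <= gap:
            scans[-1].append(ev)
        else:
            scans.append([ev])
    return scans


def sources_per_scan(scans):
    """The set of source addresses seen in each scan burst."""
    return [frozenset(ev[1] for ev in scan) for scan in scans]


def common_sources(scans):
    """Addresses present in every scan burst: the real scanner must be here,
    because nmap -D sends each probe from the real host as well as the decoys."""
    sets = sources_per_scan(scans)
    if not sets:
        return set()
    return set(frozenset.intersection(*sets))


def scan_counts(scans):
    """How many distinct scans each source took part in; use this to rank
    suspects when the intersection is empty or holds more than one address."""
    counts = Counter()
    for s in sources_per_scan(scans):
        counts.update(s)
    return counts


def probable_decoys(scans):
    """Sources seen in exactly one scan: addresses not worth a blanket deny."""
    return {ip for ip, n in scan_counts(scans).items() if n == 1}


if __name__ == "__main__":
    scans = split_into_scans(parse_events(SAMPLE_LOG))
    print("scans found:", len(scans))
    print("present in every scan:", common_sources(scans))
    print("seen once only (likely decoys):", sorted(probable_decoys(scans)))
```

Two caveats before acting on the result: an attacker who reuses the same decoy list on every run (or keeps one favourite decoy in it) leaves more than one address in the intersection, so rank by scan_counts and look for a second signal such as differing TTLs before blocking; and nothing here proves the surviving address is not itself someone else's, so treat it as a lead for abuse reporting rather than grounds for an automatic deny.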
