Firewall Wizards mailing list archives
Re: Spoofed source IP in scans (decoys) - what to do?
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Mon, 29 Nov 1999 14:27:49 -0600 (CST)
parse yer logs for a duplicate ip from each of the scans, if I recall the 'spoofing' in nmap is really not that deep, it spoofs like every 10th address or so, so a common entry should be perhaps gleaned if they are using the nmap default 'spoofing' modes...

Thanks,

Ron DuFresne

On Fri, 26 Nov 1999, Niloc wrote:
> Hi,
>
> I have had quite a few scans occurring on a host lately and the scanning method includes the use of "decoys" (in nmap) or spoofed source IP addresses. Of course my problem is that I don't want to blindly deny traffic from all the source IP addresses that appear to be scanning me since I might block legitimate traffic from them. I am wondering what my alternatives are? What would be a good method to find out which IP is really scanning me?
>
> Thanks for your help.
>
> Niloc.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!
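The log correlation suggested in the reply above, as an added example that is not part of the original post: it groups firewall deny entries into scan bursts and reports the source addresses present in every burst. The log format, the five-minute gap threshold, the function names and the addresses (RFC 5737 documentation ranges) are all assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format: timestamp, action, SRC, DPT.
SAMPLE_LOG = """\
1999-11-26T02:10:01 DENY SRC=192.0.2.10 DPT=21
1999-11-26T02:10:01 DENY SRC=198.51.100.7 DPT=21
1999-11-26T02:10:02 DENY SRC=203.0.113.5 DPT=23
1999-11-26T02:10:02 DENY SRC=198.51.100.99 DPT=23
1999-11-27T23:40:10 DENY SRC=203.0.113.77 DPT=25
1999-11-27T23:40:10 DENY SRC=198.51.100.7 DPT=25
1999-11-27T23:40:11 DENY SRC=192.0.2.200 DPT=80
1999-11-28T04:05:30 DENY SRC=198.51.100.7 DPT=110
1999-11-28T04:05:30 DENY SRC=192.0.2.55 DPT=110
1999-11-28T04:05:31 DENY SRC=203.0.113.5 DPT=111
"""

LINE_RE = re.compile(r"^(\S+) DENY SRC=(\d+\.\d+\.\d+\.\d+) DPT=(\d+)$")

def parse(log_text):
    """Yield (timestamp, source_ip) per denied packet; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2)

def split_bursts(events, gap=timedelta(minutes=5)):
    """Group time-sorted events into bursts separated by more than `gap`.

    Each burst is the set of source addresses seen during that scan.
    """
    bursts, last = [], None
    for ts, ip in sorted(events):
        if last is None or ts - last > gap:
            bursts.append(set())
        bursts[-1].add(ip)
        last = ts
    return bursts

def recurring_sources(log_text, min_bursts=2):
    """Return the source IPs seen in every burst ([] if too few bursts to compare)."""
    bursts = split_bursts(parse(log_text))
    if len(bursts) < min_bursts:
        return []
    counts = Counter(ip for burst in bursts for ip in burst)
    return sorted(ip for ip, n in counts.items() if n == len(bursts))

if __name__ == "__main__":
    print(recurring_sources(SAMPLE_LOG))
```

If more than one address comes back, the same spoofed address recurred across scans, so the result is a shortlist to investigate further and not proof of origin.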