Security Incidents mailing list archives
Re: Scans From 192.168.0.134
From: Alan Hannan <alan () ROUTINGLOOP COM>
Date: Thu, 1 Feb 2001 08:44:36 -0800
NMAP allows one to send bogus source IP addresses along w/ real prbes to obfuscate the source. Could it be that these scans are mated with other IP addresses? -alan Thus spake Douglas P. Brown (Doug () UNC EDU) on or about Thu, Feb 01, 2001 at 10:29:57AM -0500:
We are somewhat preplexed - Our IDS reported 8000+ SYN FIN scans from a non-routable address (192.168.0.134) to thousands of ours hosts yesterday. Our IDS setup is only seeing traffic that traverses our main router. Has anyone seen this before? Am I missing something? Any advice or direction you can offer would be greatly appreciated. Cheers, -DpB -- Douglas P. Brown University of North Carolina I.T. Security Consultant 105 Abernethy Hall
Current thread:
- Scans From 192.168.0.134 Douglas P. Brown (Feb 01)
- Re: Scans From 192.168.0.134 Alan Hannan (Feb 01)
- Re: Scans From 192.168.0.134 Jon O. (Feb 01)
- Re: Scans From 192.168.0.134 Daniel Martin (Feb 01)
- Update: Scans From 192.168.0.134 Douglas P. Brown (Feb 01)
- Re: Scans From 192.168.0.134 Russell Fulton (Feb 01)
- Re: Scans From 192.168.0.134 Daniel Martin (Feb 02)
- <Possible follow-ups>
- Re: Scans From 192.168.0.134 James Crooks (Feb 01)
- Re: Scans From 192.168.0.134 Alan Hannan (Feb 01)