Security Incidents mailing list archives

Re: Scans From 192.168.0.134

From: Alan Hannan <alan () ROUTINGLOOP COM>
Date: Thu, 1 Feb 2001 08:44:36 -0800

  NMAP allows one to send bogus source IP addresses along w/
  real prbes to obfuscate the source.  Could it be that these
  scans are mated with other IP addresses?

  -alan

Thus spake Douglas P. Brown (Doug () UNC EDU)
 on or about Thu, Feb 01, 2001 at 10:29:57AM -0500:

We are somewhat preplexed - Our IDS reported 8000+ SYN FIN scans from a
non-routable address (192.168.0.134) to thousands of ours hosts
yesterday.  Our IDS setup is only seeing traffic that traverses our main
router.  Has anyone seen this before?  Am I missing something?  Any
advice or direction you can offer would be greatly appreciated.

Cheers,
-DpB
--

Douglas P. Brown
University of North Carolina
I.T. Security Consultant
105 Abernethy Hall

Current thread:

Scans From 192.168.0.134 Douglas P. Brown (Feb 01)
- Re: Scans From 192.168.0.134 Alan Hannan (Feb 01)
  - Re: Scans From 192.168.0.134 Jon O. (Feb 01)
- Re: Scans From 192.168.0.134 Daniel Martin (Feb 01)
- Update: Scans From 192.168.0.134 Douglas P. Brown (Feb 01)
- Re: Scans From 192.168.0.134 Russell Fulton (Feb 01)
  - Re: Scans From 192.168.0.134 Daniel Martin (Feb 02)
- <Possible follow-ups>
- Re: Scans From 192.168.0.134 James Crooks (Feb 01)