Security Incidents mailing list archives

Re: scans on ports 3072 and 1024, why?


From: Simple Nomad <thegnome () NMRC ORG>
Date: Sun, 31 Dec 2000 17:02:03 -0600

I thought this was probably the case.  In capturing the traffic
to<->from dalnet.away.net, there was nothing originating from my net.
It seemed reasonable that someone was using mine and others' networks as
spoofed source addresses, to which dalnet.away.net was responding with
RSTs.  Nice to have confirmation (and correlation).

You can use a tool like despoof, available from http://razor.bindview.com/
in the Tools section under Unix files. Checking the TTL of the dalnet
packets and comparing it to that of the suspected spoofed packets means you
can possibly configure your equipment to not respond but to drop the packets.
Certainly packets with such an obvious signature should be easy to weed
out from any legitimate traffic from dalnet, or from any other site.

-         Simple Nomad          -     "No rest for the Wicca'd"     -
-      thegnome () nmrc org        -                                   -
-  thegnome () razor bindview com  - www.nmrc.org   razor.bindview.com -
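The two checks described in the message above, worked through as an added example that is not code from the original post or from the despoof tool. First, an inbound TCP RST from a host we never sent a SYN to is backscatter: the remote host is answering a SYN that carried one of our addresses as a forged source. Second, a packet whose IP TTL disagrees with the TTL we see from that same source when we know the traffic is genuine (what comparing the dalnet packets against the suspect ones amounts to) is likely spoofed. The network prefix, the address standing in for dalnet.away.net, the measured TTL values and every packet in the capture are constructed for illustration.

```python
"""Backscatter and TTL-mismatch triage over a constructed packet list.

Added example, not part of the original mail or of despoof. Hosts, TTLs
and packets are made up; the logic is the point.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OUR_NET = ip_network("192.0.2.0/24")   # assumed: the capturing site's prefix
DALNET = "198.51.100.7"                # assumed stand-in for dalnet.away.net
TTL_TOLERANCE = 2                      # hop-count wobble tolerated on a real path


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # TCP flags as letters, e.g. "S", "SA", "RA"
    ttl: int


def is_ours(ip: str) -> bool:
    return ip_address(ip) in OUR_NET


def unsolicited_rsts(packets):
    """Return inbound RSTs that answer no SYN our network sent.

    A legitimate RST to us mirrors the 4-tuple of an earlier outbound SYN.
    Without that SYN the RST is backscatter from someone else's spoofed
    traffic, which is exactly the "scan" on ports 1024/3072 in the thread.
    """
    sent = set()
    flagged = []
    for p in packets:
        if is_ours(p.src) and "S" in p.flags and "A" not in p.flags:
            sent.add((p.src, p.sport, p.dst, p.dport))
        elif not is_ours(p.src) and is_ours(p.dst) and "R" in p.flags:
            if (p.dst, p.dport, p.src, p.sport) not in sent:
                flagged.append(p)
    return flagged


def ttl_mismatches(packets, measured_ttl, tolerance=TTL_TOLERANCE):
    """Flag packets whose TTL disagrees with the TTL known for their source.

    measured_ttl maps a source IP to the TTL seen on traffic we know really
    came from that host (e.g. the reply to a probe we sent it). A packet
    forged elsewhere travels a different path, so its TTL rarely matches.
    """
    flagged = []
    for p in packets:
        if is_ours(p.src) or p.src not in measured_ttl:
            continue   # only inbound packets from hosts we have a baseline for
        if abs(p.ttl - measured_ttl[p.src]) > tolerance:
            flagged.append(p)
    return flagged


# Constructed baseline: TTL observed on replies to our own probes (assumed).
MEASURED_TTL = {DALNET: 52, "203.0.113.9": 118}

# Constructed capture (assumed), from the point of view of 192.0.2.0/24.
CAPTURE = [
    # our host opens an IRC connection to dalnet; SYN/ACK comes back
    Pkt("192.0.2.10", DALNET, 40001, 6667, "S", 64),
    Pkt(DALNET, "192.0.2.10", 6667, 40001, "SA", 52),
    # our host hits a closed port on dalnet; the RST is a legitimate reply
    Pkt("192.0.2.11", DALNET, 40002, 6668, "S", 64),
    Pkt(DALNET, "192.0.2.11", 6668, 40002, "RA", 52),
    # backscatter: dalnet answers SYNs that carried our addresses as source
    Pkt(DALNET, "192.0.2.55", 1024, 3072, "RA", 52),
    Pkt(DALNET, "192.0.2.56", 3072, 1024, "RA", 53),
    # packet claiming to be 203.0.113.9 with a TTL nowhere near our baseline
    Pkt("203.0.113.9", "192.0.2.10", 53, 33001, "S", 240),
]


def triage(packets=CAPTURE, measured=MEASURED_TTL):
    return {
        "backscatter": unsolicited_rsts(packets),
        "ttl_mismatch": ttl_mismatches(packets, measured),
    }


if __name__ == "__main__":
    for kind, pkts in triage().items():
        for p in pkts:
            print(f"{kind}: {p.src}:{p.sport} -> {p.dst}:{p.dport} "
                  f"flags={p.flags} ttl={p.ttl}")
```

Note that the two checks catch different things: the backscatter RSTs from dalnet carry dalnet's genuine TTL, so only the missing-SYN check flags them, while the forged packet from 203.0.113.9 passes the SYN check and is caught only by the TTL comparison. A filter built on the first check is what lets equipment drop the unsolicited RSTs without touching real traffic from the same host.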

