Security Incidents mailing list archives
Re: scans on ports 3072 and 1024, why?
From: Simple Nomad <thegnome () NMRC ORG>
Date: Sun, 31 Dec 2000 17:02:03 -0600
I thought this was probably the case. In capturing the traffic to<->from dalnet.away.net, there was nothing originating from my net. It seemed reasonable that someone was using mine and others' networks as spoofed source addresses, to which dalnet.away.net was responding with RSTs. Nice to have confirmation (and correlation).
You can use a tool like despoof, available from http://razor.bindview.com/ in the Tools section under Unix files. Checking what the TTL of dalnet packets is and comparing it to the suspected spoofed packets means you can possibly configure your equipment to not respond but drop the packets. Certainly packets with such an obvious signature should be easy to weed out from any legitimate traffic from dalnet. Or any other site.

- Simple Nomad - "No rest for the Wicca'd" -
- thegnome () nmrc org -
- thegnome () razor bindview com -
- www.nmrc.org razor.bindview.com -
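The two checks discussed in the message above, written out as an added example (this is not code from the original post, nor from despoof, and it was not written by the poster): first, inbound RSTs for which our own capture shows no outbound SYN, which is the backscatter pattern the first paragraph describes; second, a TTL comparison in the spirit of the second paragraph, where the TTL seen on traffic we know is genuine (the server's reply to a connection we opened) is used as a baseline, and packets that claim the same source but arrive with a very different TTL are flagged. The addresses, ports, TTL values and the packet records are constructed sample data; 203.0.113.7 stands in for the IRC server and 192.0.2.0/24 for "my net". The tolerance value is an assumption.

```python
"""Backscatter and TTL-consistency checks over a small packet capture.

Added example, not code from the original post or from the despoof tool.
All addresses, ports, TTLs and packet records below are constructed.
"""

# Hypothetical tolerance: TTL may vary by a few hops with route changes,
# but a difference of tens of hops means a different host or path.
TTL_TOLERANCE = 3

OUR_NET = "192.0.2."        # constructed: "my net"
SERVER = "203.0.113.7"      # constructed stand-in for dalnet.away.net

# Constructed capture. Each record is one TCP packet:
# src, sport, dst, dport, TCP flags (S=SYN, A=ACK, R=RST, P=PSH), IP TTL.
PACKETS = [
    # A session our host really opened: our SYN, the server's SYN/ACK, data.
    {"src": "192.0.2.10", "sport": 40123, "dst": SERVER, "dport": 6667, "flags": "S",  "ttl": 64},
    {"src": SERVER, "sport": 6667, "dst": "192.0.2.10", "dport": 40123, "flags": "SA", "ttl": 51},
    {"src": SERVER, "sport": 6667, "dst": "192.0.2.10", "dport": 40123, "flags": "PA", "ttl": 51},
    # RSTs to hosts on our net that never sent anything: the server answering
    # SYNs that someone else sent with our addresses as the source.
    {"src": SERVER, "sport": 6667, "dst": "192.0.2.44", "dport": 3072, "flags": "RA", "ttl": 51},
    {"src": SERVER, "sport": 6667, "dst": "192.0.2.45", "dport": 1024, "flags": "RA", "ttl": 51},
    # A RST aimed at our real session that claims to be from the server but
    # arrives with a TTL nowhere near the server's: forged source address.
    {"src": SERVER, "sport": 6667, "dst": "192.0.2.10", "dport": 40123, "flags": "R",  "ttl": 117},
]


def build_connection_table(packets, our_net):
    """Flows our side opened: (our_ip, our_port, remote_ip, remote_port)
    for every bare SYN that left our network."""
    opened = set()
    for p in packets:
        if p["src"].startswith(our_net) and p["flags"] == "S":
            opened.add((p["src"], p["sport"], p["dst"], p["dport"]))
    return opened


def find_backscatter(packets, our_net):
    """Inbound RST packets that answer no connection we opened."""
    opened = build_connection_table(packets, our_net)
    hits = []
    for p in packets:
        if p["dst"].startswith(our_net) and "R" in p["flags"]:
            # Flip the tuple so it matches how the outbound SYN was recorded.
            flow = (p["dst"], p["dport"], p["src"], p["sport"])
            if flow not in opened:
                hits.append(p)
    return hits


def baseline_ttl(packets, host, opened):
    """Median TTL of packets from `host` that belong to a flow we opened.
    Those packets came from the real host, so their TTL is the reference."""
    ttls = sorted(
        p["ttl"] for p in packets
        if p["src"] == host and (p["dst"], p["dport"], p["src"], p["sport"]) in opened
    )
    return ttls[len(ttls) // 2] if ttls else None


def ttl_outliers(packets, host, our_net, tolerance=TTL_TOLERANCE):
    """Packets claiming to be from `host` whose TTL is far from the baseline."""
    opened = build_connection_table(packets, our_net)
    base = baseline_ttl(packets, host, opened)
    if base is None:
        return []  # no genuine reference traffic, nothing to compare against
    return [p for p in packets if p["src"] == host and abs(p["ttl"] - base) > tolerance]


if __name__ == "__main__":
    for p in find_backscatter(PACKETS, OUR_NET):
        print("backscatter RST: %s:%d -> %s:%d ttl=%d"
              % (p["src"], p["sport"], p["dst"], p["dport"], p["ttl"]))
    for p in ttl_outliers(PACKETS, SERVER, OUR_NET):
        print("TTL mismatch for %s: got %d" % (p["src"], p["ttl"]))
```

The two checks catch different things. The backscatter RSTs carry the server's genuine TTL, because the server really sent them; what marks them is that no host on our network opened the connection they reset. The forged RST, on the other hand, belongs to a real session and passes the state check, but its TTL is tens of hops off the value seen on the server's SYN/ACK, which is the kind of mismatch a TTL comparison is meant to surface. A real deployment would learn the baseline from a longer capture or an active probe rather than from three packets.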