Security Incidents mailing list archives

RE: Ping Scan


From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Mon, 17 Sep 2001 08:52:09 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-----Original Message-----
From: Fernando Cardoso [mailto:fernando.cardoso () whatevernet com]
Sent: Monday, September 17, 2001 3:32 AM

I don't think you should be looking for a ping scan tool. From the data you
sent, it seems that the box x.x.x.x tried to connect to 202.46.194.5 on port
TCP 32165 and, [...]


Fernando (and others),

these packets cannot be response packets to anything originating
from my network since there IS NO HOST ON X.X.X.X.
A discussion last night with Chris Morrow seems to be closer on
track. I've been receiving these packets from about 40 different
hosts, with the destination host varying (for the most part, again,
unassigned IPs). These packets appear to be responses from a
syn-flooded system with spoofed addresses (mine...*sigh*). This would
explain the randomness of source/dest IP and time.

I've seen these 'unreachables' (from/to non-existent hosts) before,
but attributed them to a scan, rather than an attack.

Regards,
Frank

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBO6YACZytSsEygtEFEQI/0wCfangngYBeMUtCBHLLOC8VzIxnEV8AoKbp
7IykEqUVlKO63UkWci8ROvw9
=OC6e
-----END PGP SIGNATURE-----
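Added example, not part of the original message: a small Python triage that applies the reasoning above, treating reply-type packets sent to addresses with no host as backscatter from spoofed traffic rather than as a scan. The netblock, host inventory, packet-kind names and log records are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed inventory: our netblock and the addresses that actually have hosts.
OUR_NET = ipaddress.ip_network("192.0.2.0/24")
ASSIGNED = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.25")}

# Packet kinds that are only ever sent in reply to something (assumed labels).
RESPONSE_KINDS = {"icmp-unreachable", "tcp-synack", "tcp-rst"}

# Constructed inbound log: (remote source, local destination, packet kind).
SAMPLE = [
    ("198.51.100.7", "192.0.2.77", "icmp-unreachable"),
    ("203.0.113.40", "192.0.2.143", "icmp-unreachable"),
    ("198.51.100.91", "192.0.2.201", "tcp-rst"),
    ("203.0.113.5", "192.0.2.10", "icmp-unreachable"),  # real host: may be a genuine reply
    ("198.51.100.200", "192.0.2.11", "icmp-echo"),      # request to an empty address
    ("198.51.100.200", "192.0.2.12", "icmp-echo"),
]

def classify(dst, kind):
    """Label one inbound packet as backscatter, probe, or other."""
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip not in OUR_NET or dst_ip in ASSIGNED:
        return "other"  # needs flow correlation, out of scope here
    if kind in RESPONSE_KINDS:
        # A reply to an address with no host cannot answer our own traffic:
        # someone else used that address as a spoofed source.
        return "backscatter"
    return "probe"

def summarize(records):
    """Return {label: (packet count, distinct remote sources)}."""
    counts, sources = Counter(), {}
    for src, dst, kind in records:
        label = classify(dst, kind)
        counts[label] += 1
        sources.setdefault(label, set()).add(src)
    return {label: (n, len(sources[label])) for label, n in counts.items()}

if __name__ == "__main__":
    for label, (packets, hosts) in sorted(summarize(SAMPLE).items()):
        print(f"{label}: {packets} packets from {hosts} distinct sources")
```

Many distinct sources in the backscatter bucket, each hitting a different unassigned address, fits the spoofed-flood pattern; one source walking consecutive addresses with requests fits a scan.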
