RE: Spoofed scans

["Paul M. Tiedemann" <vandp () mindspring com>]

A couple of words on spoofing should be mentioned.  Spoofing is almost
always associated with dos attacks because the very act of spoofing means
that they will not be receiving any packets back to their real ip address.
I know there are ways to use spoofing to obscure the scanning machine but
usually one of the ip addresses is the offender.  If you think the process
through with port scanning it just doesn't make sense that the originating
machine would not wish to receive any information about what ports are open
on your machine.  That being said I think that if you are actually being
port scanned you will find that one of the ip addresses you will see is the
originating machine.

-----Original Message-----
From: Richard Arends [mailto:richard () unixguru nl]
Sent: Sunday, January 06, 2002 6:41 AM
To: incidents () securityfocus com
Subject: Spoofed scans


Hello,

Last couple of weeks i'm getting more and more spoofed scans on my
firewall. All scans are icmp or port 53 (domain). Mostly 'they' first send
a few icmp packets and then a scan for port 53 trying to do a reverse
lookup for my ip.

Are there more seeing this type off scans and is there a way to substract
the real scanner (ip) from the list ip's ???

Greetings,

Richard.

----
An OS is like swiss cheese, the bigger it is, the more holes you get!


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com