Security Incidents mailing list archives
RE: Spoofed scans
From: "Paul M. Tiedemann" <vandp () mindspring com>
Date: Mon, 7 Jan 2002 19:53:08 -0500
A couple of words on spoofing should be mentioned. Spoofing is almost always associated with dos attacks because the very act of spoofing means that they will not be receiving any packets back to their real ip address. I know there are ways to use spoofing to obscure the scanning machine but usually one of the ip addresses is the offender. If you think the process through with port scanning it just doesn't make sense that the originating machine would not wish to receive any information about what ports are open on your machine. That being said I think that if you are actually being port scanned you will find that one of the ip addresses you will see is the originating machine. -----Original Message----- From: Richard Arends [mailto:richard () unixguru nl] Sent: Sunday, January 06, 2002 6:41 AM To: incidents () securityfocus com Subject: Spoofed scans Hello, Last couple of weeks i'm getting more and more spoofed scans on my firewall. All scans are icmp or port 53 (domain). Mostly 'they' first send a few icmp packets and then a scan for port 53 trying to do a reverse lookup for my ip. Are there more seeing this type off scans and is there a way to substract the real scanner (ip) from the list ip's ??? Greetings, Richard. ---- An OS is like swiss cheese, the bigger it is, the more holes you get! ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Spoofed scans Richard Arends (Jan 06)
- Re: Spoofed scans James (Jan 06)
- RE: Spoofed scans Philip Wagenaar (Jan 07)
- Re: Spoofed scans James (Jan 07)
- Re: Spoofed scans Will Aoki (Jan 07)
- RE: Spoofed scans Bojan Zdrnja (Jan 07)
- RE: Spoofed scans Philip Wagenaar (Jan 07)
- Re: Spoofed scans Gideon Lenkey (Jan 07)
- Re: Spoofed scans Crist J. Clark (Jan 07)
- Re: Spoofed scans Richard Arends (Jan 07)
- RE: Spoofed scans Paul M. Tiedemann (Jan 08)
- Re: Spoofed scans Dave Ryan (Jan 08)
- RE: Spoofed scans Gideon Lenkey (Jan 08)
- <Possible follow-ups>
- RE: Spoofed scans Joshua Wright (Jan 09)
- RE: Spoofed scans Jose Nazario (Jan 09)
- Re: Spoofed scans James (Jan 06)