Snort mailing list archives
Re: Locate address spoofer?
From: "hackerwacker" <hackerwacker () cybermesa com>
Date: Fri, 13 Sep 2002 12:45:42 -0600
Yes, but it takes a lot of help if the spoof is not local. Cisco "Net-flow" would help. One has to follow the path, backwards, through each router to see which port the spoof came through. Work your way back, router to router, and at some point you will come to the port through which the spoofed traffic originates.

If it originates from within your AS, this is easy. Just shut down one port at a time and see when the traffic in question stops. Then take a look at the hosts attached to this port.

Getting multiple AS's to help in this is difficult. Good luck in convincing other AS's to shut down key ports. However, this can be helpful in telling you how this traffic is getting into your network, if you are multi-homed.

It also helps to drop all traffic, incoming, that is not sourced from legit addresses. Bogons are often used as spoofed source addresses. For fun, write some simple rules to look at incoming traffic from 10.0.0/8, 192.168.0.0/16, etc. or outgoing sourced or destined to this address space. This is a big problem on the internet.
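The router-to-router traceback described in the message above, as an added example that is not part of the original post: it flags bogon-sourced flows and follows each one back through per-router input interfaces until the trail ends at a host port or leaves the AS. The flow records, router and interface names, and the `UPSTREAM` map are constructed for illustration, and the example assumes no RFC 1918 space is legitimately in use on these links.

```python
import ipaddress

# Source ranges that should not appear on these links (RFC 1918; extend as needed).
BOGONS = [ipaddress.ip_network(n)
          for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical topology: (router, input interface) -> next router toward the
# source, or a label for where the path ends or leaves what we can inspect.
UPSTREAM = {
    ("core1", "Gi0/1"): "dist2",
    ("dist2", "Gi0/3"): "access7",
    ("access7", "Fa0/12"): "HOST-PORT",
    ("core1", "Gi0/0"): "PEER-AS",
}
END_LABELS = {"HOST-PORT", "PEER-AS", "UNKNOWN"}

# Constructed flow records as a flow export might give them:
# (router, input_if, src, dst)
FLOWS = [
    ("core1", "Gi0/1", "10.9.8.7", "198.51.100.20"),
    ("dist2", "Gi0/3", "10.9.8.7", "198.51.100.20"),
    ("access7", "Fa0/12", "10.9.8.7", "198.51.100.20"),
    ("core1", "Gi0/0", "203.0.113.5", "198.51.100.20"),
    ("core1", "Gi0/0", "192.168.4.4", "198.51.100.21"),
]

def is_bogon(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGONS)

def trace_back(flows, upstream, start_router, src, dst):
    """Walk backwards from start_router; return (hops, where the trail ends)."""
    in_if_by_router = {r: i for r, i, s, d in flows if (s, d) == (src, dst)}
    hops, router = [], start_router
    while router in in_if_by_router and router not in dict(hops):
        in_if = in_if_by_router[router]
        hops.append((router, in_if))
        nxt = upstream.get((router, in_if), "UNKNOWN")
        if nxt in END_LABELS:
            return hops, nxt
        router = nxt
    return hops, "NO-FLOW-DATA"   # next router exported nothing (or a loop)

def spoof_report(flows, upstream, border):
    """Trace every bogon-sourced flow seen at the border router."""
    pairs = sorted({(s, d) for r, _, s, d in flows if r == border and is_bogon(s)})
    return {p: trace_back(flows, upstream, border, *p) for p in pairs}

if __name__ == "__main__":
    for (src, dst), (hops, end) in spoof_report(FLOWS, UPSTREAM, "core1").items():
        print(src, "->", dst, hops, end)
```

A result ending in `PEER-AS` is the multi-homed case from the message: it shows which link the traffic enters through, and going further needs the neighbouring AS's cooperation.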