[Snort-users] Locate address spoofer?

hackerwacker hackerwacker at ...3784...
Fri Sep 13 11:46:03 EDT 2002

Yes, but it takes a lot of help if the spoof is not local.

Cisco NetFlow would help. One has to follow the path backwards through each router to see which port the spoof came through. Work your way back, router to router, and at some point you will come to the port through which the spoofed traffic originates. If it originates from within your AS, this is easy. Just shut down one port at a time and see when the traffic in question stops. Then take a look at the hosts attached to this port. Getting multiple AS's to help in this is difficult. Good luck in convincing other AS's to shut down key ports. However, this can be helpful in telling you how this traffic is getting into your network, if you are multi-homed.

It also helps to drop all incoming traffic that is not sourced from legitimate addresses. Bogons are often used as spoofed source addresses. For fun, write some simple rules to look at incoming traffic from 10.0.0/8, etc., or outgoing traffic sourced from or destined to this address space. This is a big problem on the internet.
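As an added illustration of the two pieces of advice above (this is example code, not part of the original post and not Snort's own code): a border check that flags flows sourced from or destined to bogon space, and a router-by-router walk back through NetFlow-style records to the input port on which a spoofed source enters the AS. The flow records, router names, ifIndex numbers, the HOME_NET prefix and the short bogon list are all constructed for the example; a real deployment would export flows from the routers and load a maintained bogon list.

```python
import ipaddress
from collections import Counter

# Address space that should never appear as a source on the public Internet.
# Constructed, partial list (RFC 1918 plus a few obvious bogons) for the example.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Assumed: the prefix our AS legitimately originates (TEST-NET-3, for the example).
HOME_NET = ipaddress.ip_network("203.0.113.0/24")


def is_bogon(addr):
    """True if addr falls in any prefix of BOGON_PREFIXES."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in BOGON_PREFIXES)


# Constructed NetFlow-style records: (router, input ifIndex, src, dst).
# Only the fields the example needs are kept.
FLOWS = [
    ("border", 1, "198.51.100.7", "203.0.113.10"),   # legitimate inbound
    ("border", 1, "10.4.4.4", "203.0.113.10"),       # RFC 1918 source arriving from outside
    ("border", 2, "203.0.113.10", "10.1.2.3"),       # outbound to RFC 1918 space
    ("border", 2, "192.168.1.5", "198.51.100.7"),    # outbound leaking an RFC 1918 source
    ("core1", 2, "192.0.2.9", "203.0.113.10"),       # spoofed source seen at the core
    ("core1", 3, "203.0.113.10", "198.51.100.7"),    # unrelated traffic
    ("dist1", 5, "192.0.2.9", "203.0.113.10"),
    ("dist1", 5, "192.0.2.9", "203.0.113.11"),
    ("access3", 12, "192.0.2.9", "203.0.113.10"),
]

# Which router sits behind each (router, input ifIndex). None marks a port that
# faces attached hosts rather than another router. Constructed topology.
UPSTREAM = {
    ("core1", 2): "dist1",
    ("dist1", 5): "access3",
    ("access3", 12): None,
}


def border_violations(flows, home_net=HOME_NET, border="border"):
    """Flows at the border router that an ingress/egress filter should drop:
    inbound packets with a bogon source, outbound packets sourced from or
    destined to bogon space. Returns a list of (reason, src, dst)."""
    hits = []
    for router, _ifindex, src, dst in flows:
        if router != border:
            continue
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if d in home_net and is_bogon(src):
            hits.append(("inbound-bogon-src", src, dst))
        elif s in home_net and is_bogon(dst):
            hits.append(("outbound-bogon-dst", src, dst))
        elif d not in home_net and is_bogon(src):
            hits.append(("outbound-bogon-src", src, dst))
    return hits


def ingress_interfaces(flows, router, spoofed_src):
    """Input interfaces on one router that carry the spoofed source,
    as (ifIndex, record count) pairs, most common first."""
    c = Counter(ifindex for r, ifindex, src, _ in flows
                if r == router and src == spoofed_src)
    return c.most_common()


def trace_back(flows, spoofed_src, start_router, upstream=UPSTREAM):
    """Walk router to router toward the origin of a spoofed source.
    Returns the list of (router, input ifIndex) hops; the last entry is the
    port the traffic enters through, when that port is inside our AS."""
    path, router, seen = [], start_router, set()
    while router is not None and router not in seen:
        seen.add(router)
        ranked = ingress_interfaces(flows, router, spoofed_src)
        if not ranked:
            break  # no records for this source on this router: the trail goes cold
        ifindex = ranked[0][0]
        path.append((router, ifindex))
        router = upstream.get((router, ifindex))
    return path


if __name__ == "__main__":
    for hit in border_violations(FLOWS):
        print("filter:", hit)
    print("trace:", trace_back(FLOWS, "192.0.2.9", "core1"))
```

The walk stops at a port whose UPSTREAM entry is None, which is the access port to shut down or inspect; if a hop lands on a router with no records for the source, the path returned so far tells you the last point at which you could still see the traffic, which is the most you get when the origin is in another AS. The border check is the same logic a Snort rule of the form alert ip 10.0.0.0/8 any -> $HOME_NET any (...) would express for one prefix at a time (assumed $HOME_NET variable).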

