[Snort-users] Locate address spoofer?

creining at ...6890... creining at ...6890...
Fri Sep 13 18:21:11 EDT 2002

If you suspect a spoofer, one quick test to confirm/deny is to use the
utility despoof by Simple Nomad (http://razor.bindview.com/tools). You
can compare the TTL logged with a packet with the TTL you receive from
despoof.  If an attacker is spoofing a packet, the TTL in that packet
will not be the correct TTL of one created _at_ that address (unless
they are really paranoid and tweak the TTL).

Believe it or not, routes do change, so this tool is best utilized ASAP.


On Fri, 13 Sep 2002 08:20:42 -0700
spyguy <spyguy703 at ...741...> wrote:

> If I suspect a source address has been spoofed, how would I go about
> finding the REAL source of an attack? Is this possible?
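The TTL comparison described in the reply above, as an added example that is not part of the original post and is not despoof's code. It assumes senders start from one of the common initial TTLs (32, 64, 128, 255) and compares estimated hop distance with a small tolerance for route changes; the function names, the tolerance and the sample values are constructed for illustration.

```python
import re

# Initial TTLs commonly set by operating systems (assumption of this example).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

TTL_FIELD = re.compile(r"\bTTL:(\d{1,3})\b")


def logged_ttl(alert_text):
    """Extract the TTL from a Snort full-alert IP header line."""
    match = TTL_FIELD.search(alert_text)
    if match is None:
        raise ValueError("no TTL field in alert text")
    ttl = int(match.group(1))
    if not 1 <= ttl <= 255:
        raise ValueError(f"TTL out of range: {ttl}")
    return ttl


def estimated_hops(ttl):
    """Hops travelled, assuming the sender used the nearest common initial TTL."""
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= ttl)
    return initial - ttl


def compare(alert_ttl, probe_ttl, tolerance=2):
    """Compare hop distance of the logged packet with that of a probe reply."""
    alert_hops = estimated_hops(alert_ttl)
    probe_hops = estimated_hops(probe_ttl)
    delta = abs(alert_hops - probe_hops)
    return {
        "alert_hops": alert_hops,
        "probe_hops": probe_hops,
        "delta": delta,
        "verdict": "consistent" if delta <= tolerance else "possible spoof",
    }


# Constructed sample: IP header line in Snort full-alert style.
SAMPLE_ALERT = "TCP TTL:47 TOS:0x0 ID:30521 IpLen:20 DgmLen:48 DF"

if __name__ == "__main__":
    ttl = logged_ttl(SAMPLE_ALERT)
    # 239 and 115 stand in for TTLs returned by probing the claimed source.
    print(compare(ttl, 239))  # reply with a different initial TTL, similar distance
    print(compare(ttl, 115))  # hop distance differs by more than the tolerance
```

A "consistent" verdict does not clear the address: as the reply notes, a sender who sets the TTL deliberately will pass this check.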
