[Snort-users] Locate address spoofer?

creining at ...6890... creining at ...6890...
Fri Sep 13 18:21:11 EDT 2002


If you suspect a spoofer, one quick test to confirm/deny is to use the
utility despoof by Simple Nomad (http://razor.bindview.com/tools). You
can compare the TTL logged with a packet with the TTL you receive from
despoof.  If an attacker is spoofing a packet, the TTL in that packet
will not be the correct TTL of one created _at_ that address (unless
they are really paranoid and tweak the TTL).

Believe it or not, routes do change, so this tool is best utilized ASAP.

-Chris

On Fri, 13 Sep 2002 08:20:42 -0700
spyguy <spyguy703 at ...741...> wrote:

> If I suspect a source address has been spoofed, how would I go about
> finding the REAL source of an attack? Is this possible?
> 
> 
> 
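The TTL comparison described in the reply above, as an added example that is not part of the original thread and is not despoof's own code. It generalizes the raw TTL comparison to a hop-count comparison, since a probe reply may start from a different initial TTL than the logged packet; the function names, the list of common initial TTLs, the tolerance of 2 hops (to absorb route changes) and the sample records are all assumptions made for illustration.

```python
# Added example: hop-count form of the TTL comparison described in the reply.
# Assumption: senders start from one of these common initial TTL values.
INITIAL_TTLS = (32, 64, 128, 255)


def hops_travelled(observed_ttl):
    """Estimate hops as (smallest common initial TTL >= observed) - observed."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    initial = min(t for t in INITIAL_TTLS if t >= observed_ttl)
    return initial - observed_ttl


def ttl_verdict(logged_ttl, probe_ttl, tolerance=2):
    """Compare the TTL logged with an alert against the TTL of a probe reply.

    probe_ttl is None when the claimed source did not answer the probe.
    A 'consistent' result does not prove the source is genuine: a sender
    who tweaks the TTL can match the expected hop count.
    """
    if probe_ttl is None:
        return "inconclusive"
    delta = abs(hops_travelled(logged_ttl) - hops_travelled(probe_ttl))
    return "consistent" if delta <= tolerance else "suspect"


# Constructed sample records: (claimed source, TTL in alert, TTL of probe reply).
SAMPLES = [
    ("192.0.2.10", 52, 116),    # 12 hops vs 12 hops, different initial TTLs
    ("198.51.100.7", 243, 49),  # 12 hops vs 15 hops
    ("203.0.113.5", 110, None), # claimed source never answered the probe
    ("192.0.2.44", 57, 56),     # 7 hops vs 8 hops, within tolerance
]


def triage(samples, tolerance=2):
    """Return {claimed source: verdict} for a batch of alert records."""
    return {src: ttl_verdict(logged, probe, tolerance)
            for src, logged, probe in samples}


if __name__ == "__main__":
    for src, verdict in triage(SAMPLES).items():
        print(f"{src:15} {verdict}")
```
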



