[Snort-users] IP spoofing

Matt Kettler mkettler at ...4108...
Thu Oct 7 14:54:01 EDT 2004

At 03:01 PM 10/7/2004, Aguiar Magalhaes wrote:
>I'm receiving a lot of PING NMAP alerts... The source
>IPs  are spoofed
>How can I to know the true source IP of these attacks

Correction: how can you know the true source of these packets.. to 
characterize them as attacks is incorrect. You're not being attacked, 
you're being probed, and such probes can be legitimate, or not. They 
clearly aren't gaining access to your servers this way, or disabling your 
network, so it's not an attack.

The packets will have to be tracked back to their source on a 
router-by-router basis. Once you track it back to your internet connection 
your options are quite limited. Unless it's very serious, it's a lot of 
work and you're not likely to get that much help from all the internet 
backbone operators to track down something as trivial as the source of a 
ICMP ping packet. If you were facing a sustained DOS flood of them, maybe, 
but less than 10,000 per hour, no.

More information about the Snort-users mailing list