[Snort-users] IP spoofing
mkettler at ...4108...
Thu Oct 7 14:54:01 EDT 2004
At 03:01 PM 10/7/2004, Aguiar Magalhaes wrote:
>I'm receiving a lot of PING NMAP alerts... The source
>IPs are spoofed
>How can I know the true source IP of these attacks?
Correction: how can you know the true source of these packets.. to
characterize them as attacks is incorrect. You're not being attacked,
you're being probed, and such probes can be legitimate, or not. They
clearly aren't gaining access to your servers this way, or disabling your
network, so it's not an attack.

The packets will have to be tracked back to their source on a
router-by-router basis. Once you track it back to your internet connection
your options are quite limited. Unless it's very serious, it's a lot of
work and you're not likely to get that much help from all the internet
backbone operators to track down something as trivial as the source of an
ICMP ping packet. If you were facing a sustained DOS flood of them, maybe,
but less than 10,000 per hour, no.