[Snort-users] IP spoofing

Jose Maria Lopez jkerouac at ...12346...
Sun Oct 10 07:01:34 EDT 2004


On Thu, 07 Oct 2004 at 21:01, Aguiar Magalhaes wrote:
> Hi snorters,
> 
> I'm receiving a lot of PING NMAP alerts... The source
> IPs are spoofed
> 
> How can I know the true source IP of these attacks
> ??
> 
> Please, help me ...

If the machine that is pinging you is spoofing the source
address, it's very likely that it's using decoys (nmap -D) to
ping you. You can try to check the TTL of the packets and
something like GeoIP to see if the IP is coming from the
place it should be. Keep in mind that I have never tried to do so,
so it's just a guess.

-- 
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac at ...12346...
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
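
The TTL check suggested in the reply above, as an added example that is not part of the original post: it reads the address and IP-header lines of Snort full alerts, estimates hop count from the observed TTL, and reports TTLs shared by several claimed sources plus sources whose hop count disagrees with a recorded baseline. The sample alerts, `BASELINE_HOPS` and the initial-TTL list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt: the address and IP-header lines of four Snort full alerts.
SAMPLE = """\
10/07-21:01:12.101 192.0.2.10 -> 198.51.100.5
ICMP TTL:46 TOS:0x0 ID:4021 IpLen:20 DgmLen:28
10/07-21:01:12.102 203.0.113.77 -> 198.51.100.5
ICMP TTL:46 TOS:0x0 ID:4022 IpLen:20 DgmLen:28
10/07-21:01:12.103 192.0.2.200 -> 198.51.100.5
ICMP TTL:46 TOS:0x0 ID:4023 IpLen:20 DgmLen:28
10/07-21:03:40.550 192.0.2.55 -> 198.51.100.5
ICMP TTL:117 TOS:0x0 ID:911 IpLen:20 DgmLen:60
"""
# Assumption: hop counts previously seen from these addresses in normal traffic.
BASELINE_HOPS = {"192.0.2.10": 18, "203.0.113.77": 9, "192.0.2.55": 11}
INITIAL_TTLS = (64, 128, 255)  # assumed common starting TTL values
ADDR = re.compile(r"(\d+\.\d+\.\d+\.\d+) -> \d+\.\d+\.\d+\.\d+")
TTL = re.compile(r"\bTTL:(\d+)")

def parse(text):
    """Yield (source_ip, observed_ttl) for each alert in the text."""
    src = None
    for line in text.splitlines():
        if m := ADDR.search(line):
            src = m.group(1)
        elif (m := TTL.search(line)) and src:
            yield src, int(m.group(1))
            src = None

def hops(ttl):
    """Estimate path length from the nearest assumed initial TTL at or above ttl."""
    return min(i for i in INITIAL_TTLS if i >= ttl) - ttl

def shared_ttl_clusters(pairs, min_sources=3):
    """Observed TTLs that arrive from several different claimed sources."""
    by_ttl = defaultdict(set)
    for src, ttl in pairs:
        by_ttl[ttl].add(src)
    return {t: sorted(s) for t, s in by_ttl.items() if len(s) >= min_sources}

def baseline_mismatches(pairs, tolerance=2):
    """Claimed sources whose estimated hop count differs from the baseline."""
    return sorted(src for src, ttl in pairs if src in BASELINE_HOPS
                  and abs(hops(ttl) - BASELINE_HOPS[src]) > tolerance)

pairs = list(parse(SAMPLE))
print(shared_ttl_clusters(pairs), baseline_mismatches(pairs))
```

A shared TTL only suggests the packets travelled one path; it does not say which claimed address, if any, is the real one, and a sender that varies its TTL defeats the grouping.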




