-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 08:05 AM 5/23/2002, Mark Hippenstiel wrote:
>
> as far as I observed this is fairly common. There are a number of people
> out there who on a regular basis try to break into systems. Those attempts
> are detected as well-known, half and full scan attempts. It is good
> advice to check the security of your setup as you are in fact a target of
> an intrusion attempt.
>
> But as long as everything's safe in this respect, you can relax and let
> your system be port-scanned, nothing else will happen there. You wouldn't
> want to waste your time running after these events only to find out that
> the source ip was spoofed.

This is not necessarily true - it depends on what you mean by "spoofed" in
this case. If you mean "spoofed" as in the port scan being proxied through
another server somewhere, then yes it will be hard to track down the
original IP - but you would still be able to locate the box where the
packets are originating. If you mean "spoofed" as in the network layer IP
address has been changed in the stack, as in it reporting something like
"192.168.1.1", then it probably isn't a real port scan - remember that any
connection attempt involving a 3-way shake or any result set returned can't
be spoofed - the packets would never make it back to the originating
machine. Of course the exception is local sniffable traffic, but that is
not what we are talking about here.

>
> Question for the experts: would there be any method of gathering more
> information about the attacker (including spoofed IPs) that could be
> automated? I don't know exactly which information could be considered
> useful - but surely this is a common demand among firewall admins, no?
>

You can certainly write a perl script or other method to look up this info,
but the reality is that you are basically under constant attack all the
time. Port scans and script kiddies probing for sploits are a fact of life -
you can either get all caught up in it and get frustrated trying to track
down 16-year-olds, or you can properly configure your systems and ignore the
noise. For the most part, I choose the latter.

AD

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPO0Mr4hsmyD15h5gEQLoGwCeJqtFTkpbq+NhQJlrfooG93QkuR4AnjT+
GBP3R8NvD7RfKOGV+GV4Ns+h
=Ndbw
-----END PGP SIGNATURE-----
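The reply above makes two points a firewall admin can automate: a source address like 192.168.1.1 arriving on an outside interface cannot be a real scanner, and a source that completed a 3-way handshake cannot have forged its address at the stack level. The following is an added example, not code from the thread or its author, written in Python rather than the perl the reply mentions. It assumes netfilter-style LOG lines (the sample lines, addresses, ports and timestamps are constructed for the example), and the function names, the verdict labels and the five-port scan threshold are choices made here, not anything from the message.

```python
import ipaddress
import re
from collections import defaultdict

# Source ranges that should never appear as SRC on an Internet-facing
# interface: RFC 1918, loopback, link-local, "this" network, multicast,
# class E. A packet claiming one of these (the 192.168.1.1 case in the
# message) is spoofed or misrouted and carries no attribution value.
# The RFC 5737 documentation prefixes (203.0.113.0/24 and friends) are used
# in the constructed sample purely as stand-ins for public addresses, so
# they are deliberately left off this list.
UNROUTED_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample in the netfilter LOG layout: one SYN sweep from a
# routable-looking address, one sweep claiming an RFC 1918 source, one
# completed handshake (SYN followed by the client's ACK), one lone probe.
SAMPLE_LOG = """\
May 23 08:05:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=21 SYN
May 23 08:05:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=22 SYN
May 23 08:05:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40003 DPT=23 SYN
May 23 08:05:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40004 DPT=80 SYN
May 23 08:05:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40005 DPT=443 SYN
May 23 08:05:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40006 DPT=3306 SYN
May 23 08:06:10 gw kernel: IN=eth0 OUT= SRC=192.168.1.1 DST=198.51.100.2 PROTO=TCP SPT=1234 DPT=22 SYN
May 23 08:06:10 gw kernel: IN=eth0 OUT= SRC=192.168.1.1 DST=198.51.100.2 PROTO=TCP SPT=1234 DPT=23 SYN
May 23 08:06:10 gw kernel: IN=eth0 OUT= SRC=192.168.1.1 DST=198.51.100.2 PROTO=TCP SPT=1234 DPT=25 SYN
May 23 08:06:10 gw kernel: IN=eth0 OUT= SRC=192.168.1.1 DST=198.51.100.2 PROTO=TCP SPT=1234 DPT=80 SYN
May 23 08:06:10 gw kernel: IN=eth0 OUT= SRC=192.168.1.1 DST=198.51.100.2 PROTO=TCP SPT=1234 DPT=110 SYN
May 23 08:07:30 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=22 SYN
May 23 08:07:30 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=22 ACK
May 23 08:09:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.200 DST=198.51.100.2 PROTO=TCP SPT=6000 DPT=22 SYN
"""

# Fixed fields of the LOG target; TCP flags follow as bare tokens (SYN, ACK...).
LINE_RE = re.compile(
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for one LOG line, or None if it is not a netfilter line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    tail = line[m.end():]
    rec["syn"] = re.search(r"\bSYN\b", tail) is not None
    rec["ack"] = re.search(r"\bACK\b", tail) is not None
    return rec


def is_unrouted(src):
    """True if the claimed source lies in a range no outside host can use."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in UNROUTED_SOURCES)


def triage(lines, scan_threshold=5):
    """Group TCP packets by source and state what the log can prove about
    the sender. Returns {src: verdict}."""
    per_src = defaultdict(lambda: {"ports": set(), "syn_only": 0, "ack": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        s = per_src[rec["src"]]
        s["ports"].add(rec["dpt"])
        if rec["ack"]:
            s["ack"] += 1
        elif rec["syn"]:
            s["syn_only"] += 1
    verdicts = {}
    for src, s in per_src.items():
        if is_unrouted(src):
            verdicts[src] = "bogon-source"          # forged or misrouted; nothing to chase
        elif s["ack"] > 0:
            # An ACK from the source means our SYN-ACK reached it, so the
            # address was not forged in the sender's stack.
            verdicts[src] = "handshake-real-source"
        elif len(s["ports"]) >= scan_threshold:
            # Bare SYNs across many ports: a half-open sweep. Nothing in the
            # log shows a reply reaching this address, so it stays unverified.
            verdicts[src] = "syn-sweep-unverified"
        else:
            verdicts[src] = "isolated-probe"
    return verdicts


if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{src:16} {verdict}")
```

Only sources marked handshake-real-source are worth the lookup the questioner asked about; the bogon and unverified buckets are exactly the noise the reply recommends ignoring.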