RE: RES: RE: IP SCAN

  • From: "Deus, Attonbitus" <Thor@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>, "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 23 May 2002 08:37:19 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 08:05 AM 5/23/2002, Mark Hippenstiel wrote:
>
>as far as I observed this is fairly common. There are a number of people
>out there who on a regular basis try to break into systems. Those attempts
>are detected as well-known, half and full scan attempts. It is good
>advice to check the security of your setup, as you are in fact a target of
>an intrusion attempt.
>
>But as long as everything's safe in this respect, you can relax and let
>your system be port-scanned; nothing else will happen there. You wouldn't
>want to waste your time running after these events only to find out that
>the source IP was spoofed.

This is not necessarily true - it depends on what you mean by "spoofed" in
this case.  If you mean "spoofed" as in the port scan being proxied through
another server somewhere, then yes, it will be hard to track down the
original IP - but you would still be able to locate the box where the packets
are originating.  If you mean "spoofed" as in the network layer IP address
has been changed in the stack, as in it reporting something like
"192.168.1.1", then it probably isn't a real port scan - remember that any
connection attempt involving a 3-way shake or any result set returned can't
be spoofed - the packets would never make it back to the originating
machine.  Of course the exception is local sniffable traffic, but that is
not what we are talking about here.

>
>Question for the experts: would there be any method of gathering more 
>information about the attacker (including spoofed IPs) that could be 
>automated? I don't know exactly which information could be considered 
>useful - but surely this is a common demand among firewall admins, no?
>

You can certainly write a Perl script or use some other method to look up this info,
but the reality is that you are basically under constant attack all the
time.  Port scans and script kiddies probing for sploits are a fact of
life - you can either get all caught up in it and get frustrated trying to
track down 16 year olds, or you can properly configure your systems and
ignore the noise.  For the most part, I choose the latter.

AD



-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPO0Mr4hsmyD15h5gEQLoGwCeJqtFTkpbq+NhQJlrfooG93QkuR4AnjT+
GBP3R8NvD7RfKOGV+GV4Ns+h
=Ndbw
-----END PGP SIGNATURE-----
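The distinction drawn above (a completed 3-way handshake proves the source address is reachable, a SYN-only probe may be spoofed, and an RFC 1918 address arriving on the outside interface cannot be a real scan) is easy to automate, which also answers the question about triaging scan events without chasing every one. The script below is an added example and is not part of the original post; it parses a constructed, simplified firewall log (timestamp, action, source, destination, destination port, TCP flags seen from the source) rather than any real ISA Server format, and uses RFC 5737 documentation addresses as stand-ins for public hosts.

```python
"""Triage port-scan events from an external-interface firewall log by whether
the source address could have been spoofed.  Added example; the log format
and all addresses are constructed for illustration."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log: time, action, src, dst, dport, TCP flags sent by src.
SAMPLE_LOG = """\
2002-05-23 08:01:02 DROP 203.0.113.45 198.51.100.10 21 SYN
2002-05-23 08:01:02 DROP 203.0.113.45 198.51.100.10 23 SYN
2002-05-23 08:01:03 DROP 203.0.113.45 198.51.100.10 139 SYN
2002-05-23 08:02:10 ACCEPT 192.0.2.77 198.51.100.10 80 SYN
2002-05-23 08:02:10 ACCEPT 192.0.2.77 198.51.100.10 80 ACK
2002-05-23 08:03:30 DROP 192.168.1.1 198.51.100.10 135 SYN
2002-05-23 08:03:31 DROP 10.0.0.5 198.51.100.10 445 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<dport>\d+) (?P<flags>\S+)$"
)

# Address ranges that can never be a legitimate sender on the Internet side:
# RFC 1918 private space, loopback, link-local, "this" network, multicast,
# and the reserved class E block.  Listed explicitly rather than relying on
# ipaddress.is_private, which also flags the RFC 5737 documentation ranges.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4",
)]


def parse_line(line: str):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    event["flags"] = set(event["flags"].split(","))
    return event


def is_bogon(src: str) -> bool:
    """True if src is unroutable from the Internet, i.e. the header is forged
    or the packet is misrouted; a reply could never reach such an address."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in BOGON_NETS)


def triage(log_text: str) -> dict:
    """Group events per source and decide whether the source can be spoofed.

    Verdicts:
      bogon-source        - private/reserved source seen outside; not a real scan
      handshake-completed - src sent a bare ACK, so it received our SYN/ACK:
                            a host at (or proxying for) that address exists
      half-open-scan      - SYN-only probes against several ports; spoofable
      syn-only            - a single SYN, too little to say
    """
    by_src = defaultdict(lambda: {"ports": set(), "completed": False})
    for event in filter(None, map(parse_line, log_text.splitlines())):
        rec = by_src[event["src"]]
        rec["ports"].add(event["dport"])
        # Third step of the handshake: ACK without SYN from the client side.
        if "ACK" in event["flags"] and "SYN" not in event["flags"]:
            rec["completed"] = True

    verdicts = {}
    for src, rec in by_src.items():
        if is_bogon(src):
            verdict = "bogon-source"
        elif rec["completed"]:
            verdict = "handshake-completed"
        elif len(rec["ports"]) >= 3:
            verdict = "half-open-scan"
        else:
            verdict = "syn-only"
        verdicts[src] = {"verdict": verdict, "ports": sorted(rec["ports"])}
    return verdicts


if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG).items():
        print(f"{src:15} {info['verdict']:20} ports={info['ports']}")
```

Only the "handshake-completed" sources are worth any follow-up, and even then the address may belong to a proxy rather than the person behind the scan, which is the point made in the reply; the other classes can be counted for trend purposes and otherwise left as noise.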
