RE: RES: RE: IP SCAN

  • From: "Deus, Attonbitus" <Thor@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 23 May 2002 15:22:31 -0700


At 02:37 PM 5/23/2002, Mark Hippenstiel wrote:

>Thanks for enlightening me - I admit I lack some of the technical
>background there. So, if I understand you right, people may try to cover
>their tracks by proxying through another server. Any other way of spoofing
>wouldn't show any results to the attacker, right?

In the sense of altering the source address in the stack, yes.  But there 
are many ways of getting another box to do your dirty work for 
you.  Compromise a web server, and have it do automated scans and save the 
results for you; telnet into a box and scan from there; sit behind a proxy 
or NAT device, etc.  You can even use services like GRC's Shields Up to 
scan other IP addresses and return the results to you, if you would like.  But in 
all of these cases, the true IP of the box being used to perform the 
scan will be logged.  This is in contrast to, say, someone physically 
spoofing some address in order to cause a DoS or something.

>You say that the originating box could be found out. I had a look after
>some port scan once and found out that the originating IP I took from
>the logs was behind a firewall of a class C commercial network. So I
>mailed the admin to find out about this. He said there was no chance
>that someone was in the office at night and had the machine in question
>turned on without him finding out. So for me it was clear that someone
>used a "spoofed" IP. How do I track down the originator in such a case?
>I mean long after the connection is cut off?

Admins who say things like that are probably the ones doing the scanning ;)

And just because he said there is "no chance" does not mean 
anything.  There is only one way to have any reasonable level of confidence 
that you know everything a box is doing, and that is to turn it off.  Other 
than that, there is always the possibility of compromise.

But you really can't be 100% sure -- there is not much of a reason to spoof 
what looks like a port scan with someone else's valid IP unless you are 
trying to cause them grief.  A DoS, sure, but short of that it won't 
accomplish much.

If that is really what was going on, there is not much you can do about 
it.  The only real solution I know of to mitigate truly spoofed attacks is 
for all the ISPs to configure their routers properly by filtering any 
packets that could not have originated on the network.

AD


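The ingress filtering the reply recommends, as an added illustration that is not part of the original thread: a small Python model of the source-address check an ISP edge router would apply to packets arriving on a customer link. The interface names, assigned prefixes and sample packets are constructed for the example.

```python
import ipaddress

# Constructed topology (not from the original post): each ISP customer-facing
# interface mapped to the prefixes legitimately assigned behind it.
INTERFACE_PREFIXES = {
    "cust-a": ["203.0.113.0/24"],
    "cust-b": ["198.51.100.0/25", "198.51.100.128/26"],
}

# Source ranges that can never legitimately arrive from a customer link.
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]

def build_filter(interface_prefixes):
    """Parse the per-interface prefix lists into ip_network objects."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in interface_prefixes.items()}

def ingress_allowed(filter_table, interface, src):
    """True if a packet with source `src` arriving on `interface` could have
    originated behind that interface: not a bogon, and inside an assigned prefix."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGON_SOURCES):
        return False
    return any(addr in net for net in filter_table.get(interface, []))

def filter_packets(filter_table, packets):
    """Apply the ingress rule to (interface, src, dst) tuples.
    Returns (forwarded, dropped); dropped entries carry a reason string."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        if ingress_allowed(filter_table, iface, src):
            forwarded.append((iface, src, dst))
        else:
            dropped.append((iface, src, dst, "source not valid for ingress interface"))
    return forwarded, dropped

# Constructed sample traffic: one legitimate flow per customer, one packet whose
# source claims a neighbour's prefix, and one claiming an RFC 1918 address.
SAMPLE_PACKETS = [
    ("cust-a", "203.0.113.7", "192.0.2.10"),
    ("cust-b", "198.51.100.150", "192.0.2.10"),
    ("cust-a", "198.51.100.9", "192.0.2.10"),
    ("cust-b", "10.0.0.5", "192.0.2.10"),
]

if __name__ == "__main__":
    fwd, drp = filter_packets(build_filter(INTERFACE_PREFIXES), SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped:", drp)
```

The two dropped packets are exactly the ones whose source address could not have originated on the customer link they arrived on, which is what makes a scan from a truly spoofed address unroutable in the first place.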


