At 02:37 PM 5/23/2002, Mark Hippenstiel wrote:
>Thanks for enlightening me - I admit I lack some of the technical
>background there. So, if I understand you right, people may try to cover
>their tracks by proxying thru another server. Any other way of spoofing
>wouldn't show any results to the attacker, right?

In the sense of altering the source address in the stack, yes. But there are many ways of getting another box to do your dirty work for you. Compromise a web server, and have it do automated scans and save the results for you; telnet into a box and scan from there, sit behind a proxy or NAT device, etc. You can even use services like GRC's Shields Up to scan other IP addresses and return the results to you, if you would like. But in all of these cases, the true IP of the box being used to perform the scan will be logged. This is in contrast to, say, someone physically spoofing some address in order to cause a DoS or something.

>You say that the originating box could be found out. I had a look after
>some port scan once and found out that the originating IP I took from
>the logs was behind a firewall of a class C commercial network. So I
>mailed the admin to find out about this. He said there was no chance
>that someone was in the office at night and had the machine in question
>turned on without him finding out. So for me it was clear that someone
>used a "spoofed" IP. How do I track down the originator in such a case?
>I mean long after the connection is cut off?

Admins who say things like that are probably the ones doing the scanning ;) And just because he said there is "no chance" does not mean anything. There is only one way to have any reasonable level of confidence that you know everything a box is doing, and that is to turn it off. Other than that, there is always the possibility of compromise.
But, you really can't be 100% sure-- There is not much of a reason to spoof what looks like a port scan with someone else's valid IP unless you are trying to cause them grief. A DoS, sure, but short of that it won't accomplish much. If that is really what was going on, there is not much you can do about it. The only real solution I know of to mitigate truly spoofed attacks is for all the ISPs to configure their routers properly by filtering any packets that could not have originated on the network.

AD