RE: RES: RE: IP SCAN

  • From: "Mark Hippenstiel" <mark@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 23 May 2002 23:37:30 +0200


> This is not necessarily true - it depends on what you mean by "spoofed" in
> this case. If you mean "spoofed" as in the port scan being proxied through
> another server somewhere, then yes it will be hard to track down the
> original IP - but you would still be able to locate the box where the packets
> are originating. If you mean "spoofed" as in the network layer IP address
> has been changed in the stack, as in it reporting something like
> "192.168.1.1" then it probably isn't a real port scan - remember that any
> connection attempt involving a 3-way shake or any result set returned can't
> be spoofed - the packets would never make it back to the originating
> machine. Of course the exception is local sniffable traffic, but that is
> not what we are talking about here.
> 

Thanks for enlightening me - I admit I lack some of the technical
background there. So, if I understand you right, people may try to cover
their tracks by proxying through another server. Any other way of spoofing
wouldn't show any results to the attacker, right?

You say that the originating box could be found out. I had a look after
some port scan once and found out that the originating IP I took from
the logs was behind a firewall of a class C commercial network. So I
mailed the admin to find out about this. He said there was no chance
that someone was in the office at night and had the machine in question
turned on without him finding out. So for me it was clear that someone
used a "spoofed" IP. How do I track down the originator in such a case?
I mean long after the connection is cut off?

> >
> > Question for the experts: would there be any method of gathering more
> > information about the attacker (including spoofed IPs) that could be
> > automated? I don't know exactly which information could be considered
> > useful - but surely this is a common demand among firewall admins, no?
> >
> 
> You can certainly write a perl script or other method to look up this info,
> but the reality is that you are basically under constant attack all the
> time. Port scans and script kiddies probing for sploits are a fact of
> life - you can either get all caught up in it and get frustrated trying to
> track down 16 year olds, or you can properly configure your systems and
> ignore the noise. For the most part, I choose the latter.
> 
> AD

Sure, and this is why I don't worry too much about those eventlog
entries. I merely thought that people operating proxying servers that
allow spoofed IPs as above should at least be notified. Or somehow
banned if they allowed it deliberately - thinking of the ORBS model for
open relay SMTP servers.

Mark
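A defender-side illustration of the point AD makes above (a connection that completes the 3-way handshake cannot carry a forged source, while a SYN arriving from the Internet with a private source such as 192.168.1.1 must be forged), added here as an example and not code from the list or from ISA Server. The log format and the sample lines are constructed for the example; real firewall logs will need their own parser.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in a simplified, hypothetical "src -> dst flags" format
# (not ISA Server's own log format). Only inbound packets are logged, so a bare
# ACK from a source means it received our SYN/ACK and completed the handshake.
SAMPLE_LOG = """\
2002-05-23 23:10:01 TCP 203.0.113.5:40211 -> 198.51.100.10:80 flags=S
2002-05-23 23:10:01 TCP 203.0.113.5:40211 -> 198.51.100.10:80 flags=A
2002-05-23 23:10:02 TCP 203.0.113.5:40212 -> 198.51.100.10:443 flags=S
2002-05-23 23:11:15 TCP 192.168.1.1:1025 -> 198.51.100.10:139 flags=S
2002-05-23 23:11:16 TCP 192.168.1.1:1026 -> 198.51.100.10:445 flags=S
2002-05-23 23:12:40 TCP 192.0.2.77:5000 -> 198.51.100.10:21 flags=S
2002-05-23 23:12:40 TCP 192.0.2.77:5001 -> 198.51.100.10:22 flags=S
"""

LINE_RE = re.compile(r"TCP (\S+):(\d+) -> (\S+):(\d+) flags=(\w+)")

# Ranges that can never be a genuine source on the public Internet (RFC 1918 + loopback).
UNROUTABLE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def classify_sources(log_text):
    """Map each source IP to 'bogus-source' (unroutable address, header forged),
    'handshake-completed' (SYN then ACK on the same connection, so a real host or
    proxy sits at that address) or 'syn-only' (could be a drop or a forged source)."""
    syns = defaultdict(set)   # src -> {(sport, dport)} that sent a SYN
    acks = defaultdict(set)   # src -> {(sport, dport)} that sent a bare ACK
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, _dst, dport, flags = m.groups()
        conn = (int(sport), int(dport))
        if flags == "S":
            syns[src].add(conn)
        elif "A" in flags:
            acks[src].add(conn)
    verdicts = {}
    for src, conns in syns.items():
        addr = ip_address(src)
        if any(addr in net for net in UNROUTABLE):
            verdicts[src] = "bogus-source"
        elif conns & acks[src]:
            verdicts[src] = "handshake-completed"
        else:
            verdicts[src] = "syn-only"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:16} {verdict}")
```

Only the "handshake-completed" sources are worth following up with the remote admin; a "syn-only" source with a routable address may be real or forged, and the log alone cannot tell which.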
