Spoofed scans

From: Richard Arends (richard@unixguru.nl)
Date: 01/06/02

Date: Sun, 6 Jan 2002 12:41:11 +0100 (CET)
From: Richard Arends <richard@unixguru.nl>
To: <incidents@securityfocus.com>


Last couple of weeks i'm getting more and more spoofed scans on my
firewall. All scans are icmp or port 53 (domain). Mostly 'they' first send
a few icmp packets and then a scan for port 53 trying to do a reverse
lookup for my ip.

Are there more seeing this type off scans and is there a way to substract
the real scanner (ip) from the list ip's ???



An OS is like swiss cheese, the bigger it is, the more holes you get!

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com