Re: Spoofed scans

From: Richard Arends (richard@unixguru.nl)
Date: 01/07/02


Date: Mon, 7 Jan 2002 14:11:59 +0100 (CET)
From: Richard Arends <richard@unixguru.nl>
To: <cjclark@alum.mit.edu>

On Sun, 6 Jan 2002, Crist J. Clark wrote:

> How do you know these are spoofed? A lot of (rather silly) load
> balancing software fits this signature.

I suspect it, because it doesn't look like something a device or piece of
software would do, and nothing listens on port 53.

> Do the TTLs on the packets look "correct?" That is, if you traceroute
> back to the sources, do you see the same (or very close) number of
> hops? If all the packets have the same TTL, yes, they are probably
> spoofed from one machine.

There's a little difference in the TTLs.

> If most of the TTLs don't agree with the actual number of hops, it is
> probably spoofed from one machine, but the spoofing software
> randomizes the initial TTL.

I didn't traceroute all the IPs, but the IPs I traced were almost
matching the TTL.

> If most or all of the TTLs look good, they probably are not spoofed.

Hmm. It has happened often over the last couple of weeks, from different IPs.

Greetings,

Richard.

----
An OS is like swiss cheese, the bigger it is, the more holes you get!

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
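The check Crist describes in the quoted text (compare the TTL each packet arrives with against the hop count a traceroute back to the source reports, and look for identical TTLs across all sources) is mechanical enough to script. The following is an added example written for this archive page, not code from either poster. It assumes the sender used one of the common initial TTLs (32, 64, 128, 255) and takes the observed TTLs and traceroute hop counts as plain dictionaries; the sample addresses and numbers are constructed, not taken from the incident.

```python
"""Infer whether scan sources look spoofed from packet TTLs vs. path length.

Added example for the thread above, not part of the original post.
All sample data below is constructed; nothing is captured live.
"""

# Common initial TTL values set by IP stacks.  Assumption: the sender used
# one of these, so the smallest one >= the observed TTL is the likely start.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed_ttl):
    """Return the smallest common initial TTL that is >= the observed value."""
    for init in INITIAL_TTLS:
        if observed_ttl <= init:
            return init
    raise ValueError(f"TTL {observed_ttl} exceeds 255")


def implied_hops(observed_ttl):
    """Hops the packet appears to have travelled before reaching us."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


def check_sources(observations, traceroute_hops, tolerance=2):
    """Compare implied hops with measured hops for every source.

    observations:    {src_ip: TTL seen in the captured scan packet}
    traceroute_hops: {src_ip: hop count from tracerouting back to src_ip}
    Returns (per_source, same_ttl_everywhere).  per_source maps each IP to
    its TTL, implied hops, measured hops and a verdict string.  The second
    value is True when every source arrived with exactly the same TTL,
    which is the "all from one machine" signature the thread mentions.
    Asymmetric routing can legitimately shift hop counts by a hop or two,
    hence the tolerance.
    """
    per_source = {}
    for ip, ttl in observations.items():
        hops = implied_hops(ttl)
        measured = traceroute_hops.get(ip)
        if measured is None:
            verdict = "untested"
        elif abs(hops - measured) <= tolerance:
            verdict = "ttl-matches-path"
        else:
            verdict = "ttl-mismatch"
        per_source[ip] = {
            "ttl": ttl,
            "implied_hops": hops,
            "traceroute_hops": measured,
            "verdict": verdict,
        }
    same_ttl_everywhere = len(observations) > 1 and len(set(observations.values())) == 1
    return per_source, same_ttl_everywhere


def summarize(observations, traceroute_hops):
    """One-line verdict following the reasoning in the quoted reply."""
    per_source, same_ttl = check_sources(observations, traceroute_hops)
    tested = [r for r in per_source.values() if r["verdict"] != "untested"]
    mismatches = [r for r in tested if r["verdict"] == "ttl-mismatch"]
    if same_ttl:
        return "identical TTLs from every source: likely one spoofing host"
    if tested and len(mismatches) > len(tested) / 2:
        return "most TTLs disagree with path length: likely spoofed with randomised TTL"
    if tested:
        return "TTLs consistent with path length: probably not spoofed"
    return "no traceroute data to compare against"


# Constructed sample: four "scanning" sources, three of them tracerouted.
SAMPLE_OBSERVED = {
    "192.0.2.10": 52,     # 64 - 52 = 12 implied hops
    "198.51.100.7": 113,  # 128 - 113 = 15 implied hops
    "203.0.113.44": 240,  # 255 - 240 = 15 implied hops
    "192.0.2.99": 57,     # not tracerouted
}
SAMPLE_TRACEROUTE = {"192.0.2.10": 12, "198.51.100.7": 15, "203.0.113.44": 14}


if __name__ == "__main__":
    per_source, _ = check_sources(SAMPLE_OBSERVED, SAMPLE_TRACEROUTE)
    for ip, r in per_source.items():
        print(f"{ip:15} ttl={r['ttl']:3} implied={r['implied_hops']:2} "
              f"measured={r['traceroute_hops']} {r['verdict']}")
    print(summarize(SAMPLE_OBSERVED, SAMPLE_TRACEROUTE))
```

The initial-TTL guess is the weak point of this method: a host that sends with an unusual starting TTL, or a spoofer that picks a random start per packet, will produce implied hop counts that disagree with traceroute, which is exactly the "randomizes the initial TTL" case in the quoted text. A few hops of disagreement on one source proves little; the signal is in the pattern across many sources.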
