Re: Ip spoof from

From: Pavel Kankovsky (
Date: 11/06/02

From: "Pavel Kankovsky" <>
Date: Wed, 6 Nov 2002 01:34:51 +0100 (CET)

On Mon, 4 Nov 2002, Ingersoll, Jared wrote:

> Nov 1 01:42:44 2U: Nov 01 2002 01:50:32: %PIX-2-106016: Deny IP
> spoof from ( to x.x.x.5

We're seeing them too, since Nov 1 03:30 GMT, approx. 150 per day.
TCP SYNs to port 445 on different IPs. An interesting detail is that all
of them have IP ID == 256. TTL appears to vary between 108 and 113.

--Pavel Kankovsky aka Peak
"Welcome to the Czech Republic. Bring your own lifeboats."
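
The traits reported in the message above (TCP SYN, destination port 445, IP ID 256, TTL 108 to 113) are all plain header fields, so captured packets can be checked for them directly. The following Python is an added example, not part of the original message: it parses raw IPv4/TCP headers and flags packets that fit the reported pattern. The function names, sample packets and addresses are constructed for illustration.

```python
import socket
import struct

# Pattern reported in the message: TCP SYN to port 445, IP ID == 256,
# TTL observed between 108 and 113.
FP_DPORT, FP_IPID, FP_TTLS = 445, 256, range(108, 114)

def parse_ipv4_tcp(pkt):
    """Return the relevant IPv4/TCP header fields, or None if unusable."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:  # IPv4, proto TCP
        return None
    ihl = (pkt[0] & 0x0F) * 4                    # IP header length in bytes
    ip_id, frag = struct.unpack("!HH", pkt[4:8])
    if ihl < 20 or frag & 0x1FFF or len(pkt) < ihl + 14:
        return None              # bad IHL, non-first fragment, or truncated
    dport, = struct.unpack("!H", pkt[ihl + 2:ihl + 4])
    return {"src": socket.inet_ntoa(pkt[12:16]),
            "dst": socket.inet_ntoa(pkt[16:20]),
            "id": ip_id, "ttl": pkt[8], "dport": dport,
            "syn_only": (pkt[ihl + 13] & 0x12) == 0x02}  # SYN set, ACK clear

def matches(f):
    return (f["syn_only"] and f["dport"] == FP_DPORT
            and f["id"] == FP_IPID and f["ttl"] in FP_TTLS)

def scan(packets):
    """Return (src, dst) for every packet that fits the reported pattern."""
    hits = []
    for pkt in packets:
        f = parse_ipv4_tcp(pkt)
        if f and matches(f):
            hits.append((f["src"], f["dst"]))
    return hits

def make_pkt(src, dst, ip_id, ttl, dport, flags):
    """Constructed 40-byte IPv4+TCP packet for testing (checksums zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HHIIBBHHH", 1025, dport, 0, 0, 0x50, flags,
                            8192, 0, 0)

# Constructed samples using documentation address ranges.
SAMPLES = [
    make_pkt("192.0.2.10", "198.51.100.5", 256, 110, 445, 0x02),   # fits
    make_pkt("192.0.2.11", "198.51.100.6", 256, 64, 445, 0x02),    # TTL off
    make_pkt("192.0.2.12", "198.51.100.7", 4242, 109, 445, 0x02),  # ID off
    make_pkt("192.0.2.13", "198.51.100.8", 256, 113, 445, 0x12),   # SYN/ACK
    make_pkt("192.0.2.14", "198.51.100.9", 256, 108, 80, 0x02),    # port off
]

if __name__ == "__main__":
    for src, dst in scan(SAMPLES):
        print(f"match: {src} -> {dst}:{FP_DPORT}")
```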
