RE: Spider with improbable IP address

From: k levinson (levinson_k_at_yahoo.com)
Date: 10/15/04

  • Next message: Jobe Bittman: "RE: Spider with improbable IP address" 
    Date: Fri, 15 Oct 2004 10:29:27 -0700 (PDT)
To: incidents@securityfocus.com

    It could be either. .0 can be a valid IP address.
    Not every subnet out there is an even /24 class C
    subnet starting and ending at .0 and .255

    Spoofing an invalid source IP address in successful
    TCP sessions is problematic. You're right that the
    fact that you're getting HTTP requests in your web
    log, presumably following a successful TCP handshake,
    suggests that this may not be spoofing.

    The usual IP lookup tools such as whois and nslookup
    should be able to help you confirm whether this IP is
    a valid spider host.

    - karl levinson

    > -----Original Message-----
    > From: Ed Wittmann [mailto:wittmann@sae.org]
    > Sent: Thursday, October 14, 2004 2:14 PM
    > To: incidents@securityfocus.com
    > Subject: Spider with improbable IP address

    > xxx.xxx.xxx.0
    >
    >
    > Now, I was under the assumption that you can't send
    and
    > receive on this address

    > Could someone cure my ignorance? Is this spoofing?
    It doesn't
    > seem like source spoofing since the reply is clearly
    going
    > back to the same IP address.

                    
    _______________________________
    Do you Yahoo!?
    Declare Yourself - Register online to vote today!
    http://vote.yahoo.com

  • Next message: Jobe Bittman: "RE: Spider with improbable IP address"