
[FW1] Re:



You can tell if the source address is genuine by looking at how much of
the TCP handshake they do. A typical probe (nmap -sS) runs like so:
 
client -> server: SYN
server -> client: RST
client -> server: FIN
 
If you get the third packet then you know where they are. They couldn't
fake it without guessing your TCP sequence number, and that should be
impossible with any kind of secure OS.
 
Amanda.
 
On Fri, 20 Oct 2000, Sterling, Chuck wrote: 
> Gotta question. A few minutes ago we received a minor barrage of probes with
> an apparent source of www.microsoft.com, all four addresses, attempting to
> hit random addresses on our network using ports 1024 and 3072. This has   
> happened before, and often enough to finally make it onto my radar screen.
>  
> The push started at 1:51:28 MDT and ended at 2:18:22, amounting to quite a
> few log entries, all dropped.
>  
> The main question: Is it likely that this is actually originating at
> Microsoft?
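
The sequence-number argument from the reply above, written as a log check (an added example, not part of the original thread): a source counts as genuine only if it acknowledges the initial sequence number the server sent back. The packet record layout, the addresses (documentation ranges) and the sample packets are constructed for illustration.

```python
from collections import namedtuple

# One logged TCP segment; this record layout is an assumption of the example.
Pkt = namedtuple("Pkt", "src dst sport dport flags seq ack")
RANK = {"no-reply": 0, "unverified": 1, "verified": 2}

def classify_sources(packets, server):
    """Return {source_ip: verdict} for hosts that sent traffic to `server`.

    verified   - the source ACKed the server's initial sequence number (ISN),
                 so it must have received the server's reply
    unverified - the server replied, but nothing from the source proved it saw the ISN
    no-reply   - the server never answered (e.g. the firewall dropped the probe),
                 so the sequence-number test cannot be applied at all
    """
    expected = {}  # (client ip, client port, server port) -> ack that proves receipt
    verdict = {}
    def raise_to(src, v):
        if RANK[v] > RANK[verdict.get(src, "no-reply")]:
            verdict[src] = v
    for p in packets:
        if p.src == server and "S" in p.flags and "A" in p.flags:
            # Server's SYN/ACK: remember ISN + 1 (mod 2^32) for this flow.
            expected[(p.dst, p.dport, p.sport)] = (p.seq + 1) & 0xFFFFFFFF
            raise_to(p.dst, "unverified")
        elif p.dst == server:
            verdict.setdefault(p.src, "no-reply")
            want = expected.get((p.src, p.sport, p.dport))
            if want is not None and "A" in p.flags and p.ack == want:
                raise_to(p.src, "verified")
    return verdict

SERVER = "192.0.2.10"  # constructed address of the probed host
SAMPLE = [
    # A: final ACK matches the server ISN + 1 (the ISN wraps at 2^32 here).
    Pkt("198.51.100.7", SERVER, 40000, 80, "S", 1000, 0),
    Pkt(SERVER, "198.51.100.7", 80, 40000, "SA", 0xFFFFFFFF, 1001),
    Pkt("198.51.100.7", SERVER, 40000, 80, "A", 1001, 0),
    # B: follow-up carries a wrong ack number, as a blind guess would.
    Pkt("203.0.113.5", SERVER, 1024, 80, "S", 5000, 0),
    Pkt(SERVER, "203.0.113.5", 80, 1024, "SA", 424242, 5001),
    Pkt("203.0.113.5", SERVER, 1024, 80, "A", 5001, 999),
    # C: probe dropped at the firewall, so the server never replied.
    Pkt("203.0.113.9", SERVER, 3072, 80, "S", 7000, 0),
]

if __name__ == "__main__":
    for src, v in classify_sources(SAMPLE, SERVER).items():
        print(src, v)
```

Probes that were all dropped, as in the quoted report, come out as "no-reply": nothing was sent back for the sender to acknowledge, so the logs alone neither confirm nor rule out the apparent source.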


 
   All contents © 2004 Network Presence, LLC. All rights reserved.