[FW1] Re:
You can tell if the source address is genuine by looking at how much of the tcp handshake they do. A typical probe (nmap -sS) runs like so:

    client -> server: SYN
    server -> client: RST
    client -> server: FIN

If you get the third packet then you know where they are. They couldn't fake it without guessing your tcp sequence number, and that should be impossible with any kind of secure OS.

Amanda.

On Fri, 20 Oct 2000, Sterling, Chuck wrote:

> Gotta question. A few minutes ago we received a minor barrage of probes with
> an apparent source of www.microsoft.com, all four addresses, attempting to
> hit random addresses on our network using ports 1024 and 3072. This has
> happened before, and often enough to finally make it onto my radar screen.
>
> The push started at 1:51:28 MDT and ended at 2:18:22, amounting to quite a
> few log entries, all dropped.
>
> The main question: Is it likely that this is actually originating at
> Microsoft?
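An added example, not part of the original messages: a sketch of the check described in the reply above, run over constructed packet records. It assumes the case where our host answered a SYN with a SYN/ACK, so that a later ACK carrying our initial sequence number plus one shows the sender saw our reply; the `Pkt` record, `classify_sources` and all addresses and sequence numbers are hypothetical, with only ports 1024 and 3072 taken from the thread.

```python
from collections import namedtuple

# direction: "in" = received by us, "out" = sent by us (constructed record format)
Pkt = namedtuple("Pkt", "direction remote rport lport flags seq ack")

def classify_sources(packets):
    """Map each remote address to 'confirmed' or 'unconfirmed'.

    'confirmed' means the address later acknowledged a sequence number we
    chose, which it could only learn by receiving our reply.
    """
    pending = {}   # (remote, rport, lport) -> ACK value a real recipient would send
    verdict = {}
    for p in packets:
        key = (p.remote, p.rport, p.lport)
        if p.direction == "out":
            # Only a SYN/ACK carries a sequence number we picked; a RST sent
            # for a closed port contains nothing the sender does not know.
            if p.flags == "SA":
                pending[key] = (p.seq + 1) % 2**32
            continue
        verdict.setdefault(p.remote, "unconfirmed")
        if "A" in p.flags and pending.get(key) == p.ack:
            verdict[p.remote] = "confirmed"
    return verdict

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    # Source A acknowledges our ISN + 1: it received our SYN/ACK.
    Pkt("in",  "198.51.100.7", 40000, 80, "S",  1000,   0),
    Pkt("out", "198.51.100.7", 40000, 80, "SA", 555000, 1001),
    Pkt("in",  "198.51.100.7", 40000, 80, "A",  1001,   555001),
    # Source B sends a follow-up, but with an ACK value that does not match.
    Pkt("in",  "203.0.113.9",  41000, 80, "S",  2000,   0),
    Pkt("out", "203.0.113.9",  41000, 80, "SA", 777000, 2001),
    Pkt("in",  "203.0.113.9",  41000, 80, "A",  2001,   12345),
    # Source C is dropped at the firewall: no reply sent, nothing to verify.
    Pkt("in",  "192.0.2.44",   42000, 1024, "S", 3000,  0),
    Pkt("in",  "192.0.2.44",   42001, 3072, "S", 3100,  0),
]

if __name__ == "__main__":
    for addr, state in classify_sources(SAMPLE).items():
        print(addr, state)
```

"unconfirmed" here means only that no proof of a return path was seen; probes that are silently dropped never receive a reply, so they can never reach "confirmed" by this check.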