Page 1 of 3 123 LastLast
Results 1 to 10 of 21

Thread: Spoofed Address.

  1. #1
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867

    Question Spoofed Address.

    This probably belongs in the newbie questions section, but here goes. I got someone poking around in my DMZ that is spoofing localhost (127.0.0.1), Now the firewall is blocking all his/her probes, but my question, is their anyway to determine the "real" IP address?

    Thanks
    DjM

  2. #2
    Is this a multi-user network your administering or a home setup.
    [gloworange]
    find /home/$newbie -name *? | www.google.com 2>/dev/null
    [/gloworange]

  3. #3
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by extremez
    Is this a multi-user network your administering or a home setup.

    multi-user corporate network.

    Cheers:
    DjM

  4. #4
    At this point is a local user still a suspect? If they are it would be easy to put a sniffer on the local network and search for probes of this type.
    [gloworange]
    find /home/$newbie -name *? | www.google.com 2>/dev/null
    [/gloworange]

  5. #5
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by extremez
    At this point is a local user still a suspect? If they are it would be easy to put a sniffer on the local network and search for probes of this type.
    According to what I am looking at in my firewall, these probes are inbound from the internet and are not originating from my LAN/WAN.
    DjM

  6. #6
    That's a start, BTW what firewall are you using if you don't mind telling?
    [gloworange]
    find /home/$newbie -name *? | www.google.com 2>/dev/null
    [/gloworange]

  7. #7
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by extremez
    That's a start, BTW what firewall are you using if you don't mind telling?
    Checkpoint NG

    The probes are:

    Source port = HTTP
    Protocol = TCP
    Destination port = Various


    Cheers:
    DjM

  8. #8
    Can you determine if this is probing or more of a DOS attack, where the attacker tries to open up tons of dud connections, or get the server stuck in a localhost-loop? With a spoofed ip connection like this, that's not meant to be returned to the sender, it pretty hard to do any tracing, you could report the traffic to your ISP and that's about it, an advanced spoof where they use redirects and what not, so that the traffic does return to them(indirectly) then you have something to work with, most spoofed attacks though, are by brainless skiddies who don't understand that if they use some spoofing software to hide their IP address, the target has no way of responding, thus making their probes worthless.
    [gloworange]
    find /home/$newbie -name *? | www.google.com 2>/dev/null
    [/gloworange]

  9. #9
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by extremez
    Can you determine if this is probing or more of a DOS attack
    Well if it is a DOS, it's not very effective

    We're going to setup a sniffer in the DMZ for a while and see what that will give us. I am not sure our ISP is going to be much help, we are in the process of switching providers and our current ISP is a little pissed at us for not renewing them.


    Cheers:
    DjM

  10. #10
    That would hamper relations.

    I thought you said your firewall was blocking all attempts? Are they making it through to your DMZ??
    [gloworange]
    find /home/$newbie -name *? | www.google.com 2>/dev/null
    [/gloworange]

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •