[Dshield] Scans occurring in large bursts

Stephane Grobety security at admin.fulgan.com
Wed Feb 11 18:22:49 GMT 2004


JRK> Normally, I would think that someone is either nmap-ing us or
JRK> running an open proxy testing program, except for the source IPs
JRK> differ for each probe.

My bet would be that someone is NMapping you using the -D (decoy)
option. In short, it's sending a large range of packets with dummy
source IP (provided by the command-line) in order to hide the one true
IP in the list: the one of the attacker.

That's of course, only a possibility.

Good luck,
Stephane




More information about the list mailing list