[Dshield] Concerning ssh brute force attacks: Are the IP addresses spoofed?

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Mon Aug 22 18:29:22 GMT 2005


On Mon, 22 Aug 2005 10:32:26 +0530, Chandan said:
> To find out the exact information use Traceroute command to find the
> route of IP address and you can conclude that whether IP is spoofed or
> not. And hping command to find out the sequence no. packets.

Umm. No.  It's not rare at all for me to see a SYN/ACK packet show up at my
laptop in response to a SYN that I didn't send.  It's called "backscatter".

If you traceroute to my laptop, you'll find out *A* path from your site to my
laptop (note that traceroute *can* get it wrong if there's an asymmetric path
or a routing flap).  That doesn't mean that the original problem packet wasn't
launched by a machine in Poland or someplace.



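Added example, not part of the original post: a minimal sketch of how the backscatter described above can be picked out of a capture, by flagging inbound SYN/ACKs that acknowledge no SYN the local host sent. The packet tuple format, the documentation-range addresses and the 30-second timeout are constructed assumptions.

```python
from collections import namedtuple

# Simplified packet record (assumed format, e.g. parsed from a tcpdump export).
Pkt = namedtuple("Pkt", "ts src sport dst dport flags seq ack")

LOCAL = "192.0.2.10"   # constructed: the monitored host's address
SYN_TIMEOUT = 30.0     # assumption: seconds an unanswered SYN stays pending

def find_backscatter(packets, local=LOCAL, timeout=SYN_TIMEOUT):
    """Return inbound SYN/ACKs that answer no SYN this host sent."""
    pending = {}       # (remote_ip, remote_port, local_port) -> (ts, seq)
    unsolicited = []
    for p in packets:
        if p.src == local and p.flags == "S":
            # Remember our own connection attempts.
            pending[(p.dst, p.dport, p.sport)] = (p.ts, p.seq)
        elif p.dst == local and p.flags == "SA":
            key = (p.src, p.sport, p.dport)
            sent = pending.get(key)
            # A genuine reply is recent and acknowledges our ISN + 1 (mod 2^32).
            solicited = (sent is not None
                         and p.ts - sent[0] <= timeout
                         and p.ack == (sent[1] + 1) % 2**32)
            if solicited:
                del pending[key]
            else:
                unsolicited.append(p)
    return unsolicited

# Constructed sample capture.
SAMPLE = [
    Pkt(0.00, LOCAL, 40001, "198.51.100.5", 22, "S", 1000, 0),
    Pkt(0.05, "198.51.100.5", 22, LOCAL, 40001, "SA", 7000, 1001),   # real reply
    Pkt(1.20, "203.0.113.9", 80, LOCAL, 51515, "SA", 9000, 424243),  # no SYN sent
    Pkt(2.00, LOCAL, 40002, "198.51.100.5", 22, "S", 2000, 0),
    Pkt(2.04, "198.51.100.5", 22, LOCAL, 40002, "SA", 7100, 5555),   # ack mismatch
    Pkt(3.00, LOCAL, 40003, "198.51.100.7", 443, "S", 4294967295, 0),
    Pkt(3.02, "198.51.100.7", 443, LOCAL, 40003, "SA", 1, 0),        # ISN wraps to 0
]

if __name__ == "__main__":
    for p in find_backscatter(SAMPLE):
        print(f"{p.ts:6.2f} unsolicited SYN/ACK from {p.src}:{p.sport} to port {p.dport}")
```

A flagged packet says only that some third party sent a SYN carrying this host's address as its source; it says nothing about where that SYN actually originated.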