[Dshield] Concerning ssh brute force attacks: Are the IP addresses spoofed?
Valdis.Kletnieks at vt.edu
Mon Aug 22 18:29:22 GMT 2005
On Mon, 22 Aug 2005 10:32:26 +0530, Chandan said:
> To find out the exact information use Traceroute command to find the
> route of ip address and you can conclude that whether ip is spoofed or
> not. And hping command to find out the sequence no. packets.
Umm. No. It's not rare at all for me to see a SYN/ACK packet show up at my
laptop in response to a SYN that I didn't send. It's called "backscatter".
If you traceroute to my laptop, you'll find out *A* path from your site to my
laptop (note that traceroute *can* get it wrong if there's an asymmetric path
or a routing flap). That doesn't mean that the original problem packet wasn't
launched by a machine in Poland or someplace.
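The backscatter described in the reply above can be picked out of a capture by matching each inbound SYN/ACK against the SYNs the host actually sent. This is an added example, not part of the original post; the packet tuples, the RFC 5737 documentation addresses and the 30-second matching window are constructed assumptions.

```python
from collections import Counter, namedtuple

# Simplified packet record (constructed format, not a real capture schema).
# flags: "S" = SYN, "SA" = SYN/ACK
Pkt = namedtuple("Pkt", "ts src sport dst dport flags")

def find_backscatter(packets, local_ip, window=30.0):
    """Return inbound SYN/ACKs that answer no SYN sent by local_ip
    within `window` seconds (assumed threshold)."""
    pending = {}       # (local_port, remote_ip, remote_port) -> time of our SYN
    unsolicited = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.src == local_ip and p.flags == "S":
            pending[(p.sport, p.dst, p.dport)] = p.ts
        elif p.dst == local_ip and p.flags == "SA":
            sent = pending.get((p.dport, p.src, p.sport))
            if sent is None or p.ts - sent > window:
                unsolicited.append(p)
    return unsolicited

def responders(unsolicited):
    """Count unsolicited SYN/ACKs per sender. Each sender is a host that
    received a SYN carrying our address as its source."""
    return Counter(p.src for p in unsolicited)

LOCAL = "192.0.2.10"   # constructed sample data below
SAMPLE = [
    Pkt(1.00, LOCAL, 40000, "198.51.100.5", 22, "S"),    # our own SYN
    Pkt(1.05, "198.51.100.5", 22, LOCAL, 40000, "SA"),   # its legitimate answer
    Pkt(2.00, "203.0.113.7", 80, LOCAL, 51515, "SA"),    # no SYN from us
    Pkt(2.10, "203.0.113.7", 80, LOCAL, 51516, "SA"),    # no SYN from us
    Pkt(50.0, "198.51.100.5", 22, LOCAL, 40000, "SA"),   # too late to match
]

if __name__ == "__main__":
    hits = find_backscatter(SAMPLE, LOCAL)
    for p in hits:
        print(f"{p.ts:6.2f} unsolicited SYN/ACK {p.src}:{p.sport} -> :{p.dport}")
    print(dict(responders(hits)))
```

The senders listed are real, reachable hosts, which is why tracing a route to an address says nothing about whether an earlier packet bearing that address was forged.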