FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicited mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------

On Mon, 22 Mar 1999, HD Moore wrote:

> Context clues like TTL fields, which are forgeable
> previous traffic from one of the source addresses (grepping log files
> for http or icmp traffic), which a good attacker wouldn't do, or would spoof similarly
> and the more aggressive techniques like determining which if any of
> the source addresses are capable of launching nmap.

how do you propose to do this? if they were 100 decoy addresses belonging to several large ISPs' dial-up pools, for example?

> A source address belonging to a Windows NT server could be eliminated
> quickly, as well as any source addresses matching high-profile web
> sites (whitehouse.gov fbi.gov nosc.mil nasa.gov etc..).

sure, but again, a good attacker wouldn't do this.

bottom line: it's not hard to forge packets. it takes a few more brain cells to forge them convincingly. but i'm still not convinced that any heuristic we can come up with will correctly identify the real source of an nmap -D scan even half of the time.

-d.

---
http://www.monkey.org/~dugsong/
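A defender-side illustration of the TTL and prior-traffic heuristics the two posters discuss, added here and not part of the original thread: decoy packets are forged by the scanning host, so they arrive with the scanner's hop count, and an address whose earlier legitimate traffic arrived with a different TTL can be marked as a probable decoy, while addresses with no history (such as dial-up pool addresses never seen before) cannot be eliminated at all. The log entries, addresses and TTL values are constructed.

```python
"""Rank candidate sources of a decoy (nmap -D style) scan by TTL consistency.

Forged decoy packets leave the real scanning host, so they arrive with that
host's hop count rather than the decoy address's.  Earlier ordinary traffic
from a candidate address gives a TTL baseline; a scan packet whose TTL
disagrees with it is probably a forged decoy.  No baseline means no verdict.
"""
from collections import defaultdict

# Constructed sample data (not from the original post).
# Baseline: arriving TTLs seen in earlier, ordinary traffic per source address.
BASELINE_LOG = [
    ("198.51.100.7", 115),  # earlier HTTP request: initial TTL 128 minus 13 hops
    ("198.51.100.7", 115),
    ("203.0.113.9", 52),    # earlier ICMP echo: initial TTL 64 minus 12 hops
    ("203.0.113.9", 53),
]
# Scan events: every decoy arrives with the scanner's own TTL (here 49).
SCAN_LOG = [
    ("198.51.100.7", 49), ("203.0.113.9", 49),
    ("192.0.2.33", 49), ("192.0.2.34", 49),  # dial-up pool addresses, never seen before
]


def build_baseline(log, tolerance=2):
    """Map source -> (min_ttl, max_ttl), widened by `tolerance` for route changes."""
    seen = defaultdict(list)
    for src, ttl in log:
        seen[src].append(ttl)
    return {src: (min(t) - tolerance, max(t) + tolerance) for src, t in seen.items()}


def classify_sources(scan_log, baseline):
    """Return {src: verdict}; verdict is 'likely-decoy', 'consistent' or 'unknown'."""
    verdicts = {}
    for src, ttl in scan_log:
        if src not in baseline:
            verdicts[src] = "unknown"  # no history, so nothing to compare against
            continue
        lo, hi = baseline[src]
        if not lo <= ttl <= hi:
            verdicts[src] = "likely-decoy"  # any mismatch is enough to flag it
        else:
            verdicts.setdefault(src, "consistent")
    return verdicts


def surviving_candidates(scan_log, baseline):
    """Sources the TTL check could not rule out; the scanner is somewhere in here."""
    verdicts = classify_sources(scan_log, baseline)
    return sorted(src for src, v in verdicts.items() if v != "likely-decoy")


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for src, verdict in classify_sources(SCAN_LOG, base).items():
        print(f"{src:15} {verdict}")
    print("still possible:", surviving_candidates(SCAN_LOG, base))
```

With the constructed data the two addresses that had a history are flagged, and the two never-seen pool addresses remain undecided, which is exactly the gap the reply points at.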