On Thu, 2004-09-09 at 01:48, Jeff Kell wrote:
> I suspect but cannot prove that the packets are being spoofed, as we are dropping (not resetting) the probes, yet they continue. There are repeated probes from the same IP address for about 15-20 minutes or more, then it moves along, but the resulting router logs blocking them look initially random (from SE Asia sites).
Could be an idle scan. If so, that would mean each of these sources is just a quiet host being leveraged by the real attacker. Easiest way to tell is to return a SYN/ACK and look for TTL variances between the original SYN and the resulting ACK. My experience has been you'll also see discrepancies in the IP ID. The SYN packets will be non-predictable while the ACK packets will be predictable. If it is an idle scan, the only way (I'm aware of) to identify the real attacker is to work with the admin for the source IP. They'll see some IP address probing the source IP at about the same interval you are seeing the probes. _That_ source IP is the one you want to go after.

HTH,
Chris
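The two checks Chris describes (TTL of the incoming SYNs versus TTL of the replies to our SYN/ACK, and whether the IP ID counter in each direction looks sequential or random) can be scripted over a capture. The following is an added example written for this thread, not code from the list or from either poster. It assumes packets have already been reduced to (source, flag, TTL, IP ID) records in capture order, for instance by a pcap parser or firewall log; the records below are constructed, the `ID_STEP_MAX` threshold is an assumption, and flag `"A"` stands for whatever the source returns after our SYN/ACK (the reply the post calls the ACK).

```python
"""Flag sources whose SYNs and SYN/ACK replies look like two different hosts.

Added example for the idle-scan discussion above; not code from the original
post. Input records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: a quiet host's IP ID counter advances by at most this much between
# the packets we see from it. Random (forged) IDs jump far beyond this.
ID_STEP_MAX = 16


@dataclass(frozen=True)
class Pkt:
    src: str    # source address as seen on the wire
    flags: str  # "S" = incoming SYN, "A" = reply the source sends after our SYN/ACK
    ttl: int
    ip_id: int


def ipid_deltas(ids):
    """Successive IP ID differences, wrapped modulo 2**16 like the header field."""
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]


def is_sequential(ids):
    """True when every step is small and positive: a real host's own counter."""
    deltas = ipid_deltas(ids)
    return bool(deltas) and all(1 <= d <= ID_STEP_MAX for d in deltas)


def assess_source(pkts):
    """Compare the SYN side with the reply side for one source address."""
    syns = [p for p in pkts if p.flags == "S"]
    acks = [p for p in pkts if p.flags == "A"]
    syn_ttls = {p.ttl for p in syns}
    ack_ttls = {p.ttl for p in acks}
    # Chris's first check: the SYNs arrive with a TTL the real host never uses.
    ttl_mismatch = bool(syn_ttls and ack_ttls) and syn_ttls.isdisjoint(ack_ttls)
    # Second check: forged SYNs carry unpredictable IDs, the host's replies do not.
    syn_seq = is_sequential([p.ip_id for p in syns])
    ack_seq = is_sequential([p.ip_id for p in acks])
    if ttl_mismatch and ack_seq and not syn_seq:
        verdict = "likely idle scan: source is a spoofed zombie"
    elif acks and not ttl_mismatch and syn_seq == ack_seq:
        verdict = "consistent: SYNs and replies look like the same host"
    else:
        verdict = "inconclusive: need more packets"
    return {
        "syn_ttls": sorted(syn_ttls),
        "ack_ttls": sorted(ack_ttls),
        "ttl_mismatch": ttl_mismatch,
        "syn_ipid_sequential": syn_seq,
        "ack_ipid_sequential": ack_seq,
        "verdict": verdict,
    }


def analyze(packets):
    """Group a capture by source address and assess each one."""
    by_src = defaultdict(list)
    for p in packets:
        by_src[p.src].append(p)
    return {src: assess_source(pkts) for src, pkts in by_src.items()}


# Constructed sample capture (documentation address ranges, made-up values).
SAMPLE = [
    # 203.0.113.7: SYNs with random IDs and TTL 51, but the host's own replies
    # come back with TTL 115 and a counter that ticks by one. Zombie pattern.
    Pkt("203.0.113.7", "S", 51, 40211),
    Pkt("203.0.113.7", "A", 115, 3001),
    Pkt("203.0.113.7", "S", 51, 7),
    Pkt("203.0.113.7", "A", 115, 3002),
    Pkt("203.0.113.7", "S", 51, 61890),
    Pkt("203.0.113.7", "A", 115, 3003),
    Pkt("203.0.113.7", "S", 51, 22345),
    Pkt("203.0.113.7", "A", 115, 3004),
    # 198.51.100.5: a host probing us directly; one TTL, one ID counter.
    Pkt("198.51.100.5", "S", 58, 1000),
    Pkt("198.51.100.5", "A", 58, 1001),
    Pkt("198.51.100.5", "S", 58, 1002),
    Pkt("198.51.100.5", "A", 58, 1003),
    Pkt("198.51.100.5", "S", 58, 1004),
    Pkt("198.51.100.5", "A", 58, 1005),
]

if __name__ == "__main__":
    for src, report in analyze(SAMPLE).items():
        print(src, report["verdict"])
```

The TTL comparison alone can be fooled by a careful attacker who picks a TTL matching the zombie's path, which is why the IP ID behaviour is checked as a second signal; the `"inconclusive"` branch is deliberate so that a source with only one packet in each direction is not labelled either way.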