Since it is completing a TCP handshake, the IP addresses are very likely
to be the source of the scan. ISN generation on every modern OS is
sufficiently random to prevent opportunistic TCP spoofing from something
like a worm. While there are probably some exceptions to this statement,
there are too few to be significant.

On Tue, 18 May 2004, Doug White wrote:

:Now that we know it's Bobax scanning http://isc.sans.org/diary.php do we
:know if the source IPs are legit or spoofed?
:
:======================================
:Our Anti-spam solution works!!
:http://www.clickdoug.com/mailfilter.cfm
:For hosting solutions http://www.clickdoug.com
:http://www.forta.com/cf/isp/isp.cfm?isp_id=1069
:======================================
:
:
:----- Original Message -----
:From: "Geo." <geoincidents@nls.net>
:To: <nanog@merit.edu>
:Sent: Tuesday, May 18, 2004 8:15 AM
:Subject: Port 5000
:
:
::
:: We are seeing many customers here probing port 5000 across the network. It
:: appears to be some new worm or something but I've had no luck yet in
:: figuring out what it is except to say Norton AV detects nothing yet.
::
:: Anyone have a clue?
::
:: http://isc.incidents.org/port_details.php?isc=b4827221b7f45feeb0c12bc5040cabc9&port=5000&repax=1&tarax=2&srcax=2&percent=N&days=10&Redraw=Submit+Query
::
:: the jump in traffic is obvious.
::
:: Geo.
::
::
::
:

--
James Reid, CISSP
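
The reasoning in the reply above, as an added example that is not part of the original thread: a source that returns the final ACK carrying the server's ISN + 1 must have seen the SYN-ACK, so its address is very unlikely to be spoofed. The one-record-per-packet log format and all sample values below are constructed for illustration.

```python
# Constructed sample records: time src sport dst dport flags seq ack
SAMPLE = """\
0.001 192.0.2.10 40001 198.51.100.5 5000 S 1000 0
0.002 198.51.100.5 5000 192.0.2.10 40001 SA 555000 1001
0.050 192.0.2.10 40001 198.51.100.5 5000 A 1001 555001
0.100 203.0.113.7 40002 198.51.100.5 5000 S 2000 0
0.101 198.51.100.5 5000 203.0.113.7 40002 SA 777000 2001
0.200 203.0.113.9 40003 198.51.100.5 5000 S 3000 0
0.201 198.51.100.5 5000 203.0.113.9 40003 SA 888000 3001
0.250 203.0.113.9 40003 198.51.100.5 5000 A 3001 12345
"""


def classify_sources(log, port=5000):
    """Map each source IP probing `port` to a verdict.

    'handshake-completed': the source ACKed the server's ISN + 1, so it
        received the SYN-ACK and the address is very likely genuine.
    'syn-only': no valid final ACK was seen; the address is unverified
        (it may be spoofed, or the probe may simply not have completed).
    """
    server_isn = {}  # (client_ip, client_port, server_ip) -> ISN chosen by server
    verdict = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        _, src, sport, dst, dport, flags, seq, ack = line.split()
        sport, dport, seq, ack = int(sport), int(dport), int(seq), int(ack)
        if flags == "S" and dport == port:
            # Initial probe: unverified until the handshake completes.
            verdict.setdefault(src, "syn-only")
        elif flags == "SA" and sport == port:
            # Remember the ISN the server sent back to this client.
            server_isn[(dst, dport, src)] = seq
        elif flags == "A" and dport == port:
            isn = server_isn.get((src, sport, dst))
            # A blind spoofer cannot guess a randomized 32-bit ISN.
            if isn is not None and ack == (isn + 1) % 2**32:
                verdict[src] = "handshake-completed"
    return verdict


if __name__ == "__main__":
    for ip, v in classify_sources(SAMPLE).items():
        print(ip, v)
```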