You can tell if the source address is genuine by looking at how much of
the TCP handshake they do. A typical probe (nmap -sS) runs like so:

    client -> server: SYN
    server -> client: RST
    client -> server: FIN

If you get the third packet then you know where they are. They couldn't
fake it without guessing your TCP sequence number, and that should be
impossible with any kind of secure OS.
Amanda.
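The check Amanda describes, as an added example that is not part of the original post: it walks captured packets per source address and marks a source as verified only when an inbound packet acknowledges an initial sequence number we ourselves generated in a SYN/ACK, the one value a spoofed sender could not know. The packet records, addresses and record layout are constructed for this example.

```python
"""Decide whether a probe's source address is genuine from captured packets.

A source that keeps going after our first reply must really have received
it, because the follow-up needs our TCP sequence number. This example applies
that idea strictly: a peer counts as verified only when an inbound packet
acknowledges (ISN + 1) for an ISN we generated in a SYN/ACK. Our RST replies
carry no secret (sequence number 0), so an answer to them proves nothing.
Packet records and addresses below are constructed for this example.
"""

# Constructed records: (direction, peer_ip, tcp_flags, seq, ack)
#   direction "in"  = peer -> us,  "out" = us -> peer
SAMPLE_PACKETS = [
    # Spoofed SYN to a closed port: our RST/ACK is never answered.
    ("in",  "203.0.113.7",  "S",  1000,       0),
    ("out", "203.0.113.7",  "RA", 0,          1001),
    # Genuine half-open scan of an open port: the ACK carries our ISN + 1.
    ("in",  "198.51.100.9", "S",  5000,       0),
    ("out", "198.51.100.9", "SA", 3211010100, 5001),
    ("in",  "198.51.100.9", "A",  5001,       3211010101),
    ("in",  "198.51.100.9", "R",  5001,       3211010101),
    # Spoofed source that also sends a blind ACK with a guessed number.
    ("in",  "192.0.2.44",   "S",  7000,       0),
    ("out", "192.0.2.44",   "SA", 889900,     7001),
    ("in",  "192.0.2.44",   "A",  7001,       123456),
]

MASK32 = 0xFFFFFFFF  # TCP sequence numbers wrap at 2**32


def classify_sources(packets):
    """Return {peer_ip: "verified" | "unverified"} for every inbound peer."""
    our_isns = {}        # peer -> set of ISNs we sent in SYN/ACK replies
    seen, verified = set(), set()
    for direction, peer, flags, seq, ack in packets:
        if direction == "out":
            # Only a SYN/ACK carries a sequence number the peer cannot predict.
            if "S" in flags and "A" in flags:
                our_isns.setdefault(peer, set()).add(seq)
            continue
        seen.add(peer)
        if "A" in flags and any((isn + 1) & MASK32 == ack
                                for isn in our_isns.get(peer, ())):
            verified.add(peer)
    return {p: "verified" if p in verified else "unverified" for p in seen}


if __name__ == "__main__":
    for peer, verdict in sorted(classify_sources(SAMPLE_PACKETS).items()):
        print(f"{peer:15} {verdict}")
```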
On Fri, 20 Oct 2000, Sterling, Chuck wrote:
> Gotta question. A few minutes ago we received a minor barrage of probes with
> an apparent source of www.microsoft.com, all four addresses, attempting to
> hit random addresses on our network using ports 1024 and 3072. This has
> happened before, and often enough to finally make it onto my radar screen.
>
> The push started at 1:51:28 MDT and ended at 2:18:22, amounting to quite a
> few log entries, all dropped.
>
> The main question: Is it likely that this is actually originating at
> Microsoft?