> I most commonly see it in port scans, and probes for http / sql holes.
You cannot use random spoofed ip adresses with stateful protocol such as tcp. In tcp is possible to do only SYN floods with random ips -- which could be solved for example by syncookies. What you see in portscans or probes are real ips (excluding some portscan types, which uses "proxy" host). -- Martin Tomasek, [EMAIL PROTECTED] BOFH excuse #293: You must've hit the wrong anykey.
msg04665/pgp00000.pgp
Description: PGP signature
