On Monday 08 July 2002 1:14 am, Martin Tomasek wrote:

> > I most commonly see it in port scans, and probes for http / sql holes.
>
> You cannot use random spoofed ip addresses with stateful protocol such as
> tcp.

Not if you want the connection to succeed, you can't, no - but if you're just trying to fill up some log files with misleading IP addresses, hoping to disguise the real ones which succeed in connecting, there's no reason you can't use a spoofed address for TCP.

> In tcp is possible to do only SYN floods with random ips -- which
> could be solved for example by syncookies.
>
> What you see in portscans or probes are real ips (excluding some
> portscan types, which uses "proxy" host).

Nmap, one of the commonest port scanners around, typically uses a 'half open SYN scan', and it can be told to liberally pepper the packets sent to the target machine with SYNs from false addresses (false as in they don't belong to the attacker; they may or may not exist as real addresses on some other machine). Only the SYN/ACKs sent back to the real attacker's machine contribute to getting a result on the port scan, but the system being scanned can't tell which ones those are.

Antony.
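A log-side illustration of the point made in the message above, added here and not part of the original e-mail: when several sources send bare SYNs to the same set of ports in the same time window, the target can group them as one scan, but every address in the group is only a candidate source. The log tuple format, the function name find_shared_scans and its thresholds are assumptions made for this example, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample: (epoch seconds, source IP, destination port, TCP flags)
# as a firewall might log inbound packets. Addresses are documentation ranges.
SAMPLE_LOG = [
    (1000, "192.0.2.10", 22, "S"), (1000, "198.51.100.7", 22, "S"),
    (1000, "203.0.113.5", 22, "S"), (1001, "192.0.2.10", 80, "S"),
    (1001, "198.51.100.7", 80, "S"), (1001, "203.0.113.5", 80, "S"),
    (1002, "192.0.2.10", 443, "S"), (1002, "198.51.100.7", 443, "S"),
    (1002, "203.0.113.5", 443, "S"),
    (1003, "192.0.2.99", 80, "S"),   # unrelated single connection attempt
    (1500, "192.0.2.50", 25, "S"),   # unrelated, later window
]

def find_shared_scans(events, window=60, min_ports=3, min_sources=2):
    """Group sources that sent SYNs to the same port set in the same window.

    Returns a list of (window_start, sorted ports, sorted sources). Every
    source in a group is only a candidate: seen from the target, the real
    scanner and the spoofed addresses produce identical SYN packets.
    Fixed buckets are used, so a scan that straddles a bucket boundary
    is split in two (acceptable for this illustration).
    """
    ports_by_source = defaultdict(set)       # (bucket, src) -> ports probed
    for ts, src, dport, flags in events:
        if flags == "S":                     # bare SYN, handshake not completed
            ports_by_source[(ts // window, src)].add(dport)

    sources_by_portset = defaultdict(set)    # (bucket, port set) -> sources
    for (bucket, src), ports in ports_by_source.items():
        if len(ports) >= min_ports:
            sources_by_portset[(bucket, frozenset(ports))].add(src)

    groups = [(bucket * window, sorted(ports), sorted(srcs))
              for (bucket, ports), srcs in sources_by_portset.items()
              if len(srcs) >= min_sources]
    return sorted(groups)

if __name__ == "__main__":
    for start, ports, sources in find_shared_scans(SAMPLE_LOG):
        print(f"window {start}: ports {ports} probed identically by {sources}")
        print("  attribution: any of these may be spoofed; do not treat one as the origin")
```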
