Re: Odd TCP Probe w/ 192.168.1.* I

Fri, 7 May 1999 18:10:03 -0700 


Whomever is doing the scan is probably spoofing their address.


Carric Dooley
COM2:Interactive Media
http://www.com2usa.com

On Thu, 6 May 1999, Joshua Chamas wrote:

> Hey,
> 
> One of my machines just got probed by a set of IPs
> during the same _TCP_ probe, one of which is an illegal
> 192.168.1.*
> 
> My understanding was that 192.168.1.* addresses wouldn't
> be routable, and that having the probe alternate IPs
> also concerns me.  
> 
> So I wonder what kind of danger there might be here.  
> Could this be some kind of "stealth" probe.  What good 
> would it do a scanner to alternate IP's ?  Is the 
> 192.168.1.* some sort of primer?
> 
> Someone please enlighten me as this challenges my knowledge 
> of IP networking.
> 
> Thanks,
> 
> Joshua
> 
> (2) May  6 20:04:20 bastion ipmon[87]: 20:04:20.104592 iprb @0:3 p
> 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 44 -S
> (1) May  6 20:04:23 bastion ipmon[87]: 20:04:23.065728 iprb @0:3 p
> 38.149.215.71,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 44 -S
> (1) May  6 20:04:23 bastion ipmon[87]: 20:04:23.171150 iprb @0:3 p
> 38.149.215.71,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -A
> (1) May  6 20:04:23 bastion ipmon[87]: 20:04:23.173108 iprb @0:3 p
> 38.149.215.71,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 114 -AP
> (1) May  6 20:04:23 bastion ipmon[87]: 20:04:23.298487 iprb @0:3 p
> 38.149.215.71,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -A
> (1) May  6 20:04:31 bastion ipmon[87]: 20:04:30.479423 iprb @0:3 p
> 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -AF
> (1) May  6 20:04:40 bastion ipmon[87]: 20:04:40.094519 iprb @0:3 p
> 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -AF
> (1) May  6 20:04:59 bastion ipmon[87]: 20:04:59.323681 iprb @0:3 p
> 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -AF
> (1) May  6 20:05:38 bastion ipmon[87]: 20:05:37.782541 iprb @0:3 p
> 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -AF
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

Reply via email to