Re: sleath port scanning fix (fwd)

James Mastros (
Tue, 9 Sep 1997 20:16:14 -0400 (EDT)

On Tue, 9 Sep 1997, David Woodhouse wrote:

> said:
> > Printing the source IP isn't a good idea neither, because it can be
> > easily spoofed
> But if they give the wrong IP address, then they'll never get the responses
> they're looking for, and it won't be a very good method of scanning ports.
> Surely it's better to have it there, saying "apparently from IP address
> %d.%d.%d.%d" than not there at all?

That's kind of long, don't you think... Perhaps saying "possible `stealth'
port scanning attempt - hdr FROM %d.%d.%d.%d, port %d" is better, since
admins clueless enough to think that sombody who would do anything that
sounds as cool as stealth port scanning would be so stupid as to not fake
the IP would have to ask what that meens. <G> Anyway, I think that we all
have better things to worry about then whether a clueless admin will assume
to much on a kernel message. BTW - Is there any problem with printing this
warning, but handling the packet by spec anyway?

-=- James Mastros

I can now be reached again at or
  "Shooting as [a] communications method is obsolete even here in Bosnia, so
I'll skip over it."
	-=- Dragisha Durich