On Mon, 2002-02-11 at 21:34, Dave Sherman wrote:
> I already run snort (and have since day one), and it has logged lots of IP
> addresses and blocked them. 

snort doesn't "block" attackers. At least not without a 3rd-party module
that sets iptables (or ipchains) rules. And it _is_ possible to spoof
one's IP address. It's non-trivial, but can be done. It's a matter of
sending custom-built packets. It's used when attacking servers that are
configured to allow certain hosts access to certain IP addresses. I
don't know the details of such attacks, but I know it's possible. 

Snort is good about having the ability to log such malformed packets and
today's IP stacks are better about ignoring them (there are also packet
checksums that need to be correct as well as sequence numbers) not to
mention things like hogwash...

-- 
Ben Lutgens				http://people.sistina.com/~blutgens/
System Administrator			Sistina Software Inc.	

"If you love someone, set them free. If they come home, set them on
fire."
	- George Carlin