Tracking stealth portscan/pepsi attacks

[ Quoting Leigh Porter <leigh at insnet.net> ]:

> As a side note, does anybody use anything to prevent address spoofing in their
> network? That would at prevent a lot of attacks completly and make tracing the
> rest much easier.

We're in a switched network so Spoofing is only possible by
ARP-Hijackiking. To prevent such attacks I've coupled Arpwatch, Hunt
and some selfmade tools to inject NULL-Routes against any source of
more than 30 Flip-Flops in a given time. Until now I only had one
false positive and three false negatives.

jonas