RE: 24 hour strobes from 10.0.x.x

From: Graham Bignell (gbignellat_private)
Date: Wed Aug 22 2001 - 11:05:49 PDT

    Be very disturbed that your upstream provider isn't filtering out
    those spoofed packets; they should not allow the RFC 1918 netblocks
    to or from your network.  Seriously, it should be in your contract.
    
    Your firewall should also be dropping these packets by default. Is 
    your issue the rate at which you are getting hit with traffic so 
    the device is kept busy?
    
    ---
    Graham "Lorax" Bignell
    724 Solutions Inc.  
    
    -----Original Message-----
    From: Konrad Michels [mailto:konradat_private]
    Sent: Wednesday, August 22, 2001 7:53 AM
    To: incidentsat_private
    Subject: 24 hour strobes from 10.0.x.x
    
    
    For the last 24 hours I've had our firewall hammered repeatedly from 
    10.0.1.1 - 10.0.1.9, all 9 addresses simultaneously going at all ports 
    over 1024, over and over again!
    
    Obviously spoofed packet headers - and just as I got annoyed enough to 
    want to start digging a bit deeper, the silly buggers stop!  Now isn't 
    that annoying!  Anyway, what was interesting about this was also that, 
    if I changed the IP address of the firewall's external interface say one 
    up or one down, the ruddy things followed it!  Obviously then whatever 
    it was, was continuously strobing a whole block of IP addresses!
    
    Anyone else seen anything like this lately?
    
    Later
    Konrad
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 11:51:34 PDT
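
Added example, not part of the original messages: one way to check firewall logs for the traffic discussed in this thread, flagging RFC 1918 source addresses seen on the external interface and summarising each source's port and destination spread. The log format (`iface src dst dport`), the interface name `ext`, and every sample line are constructed assumptions, not output from any firewall named in the thread.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 private netblocks; none of these should ever appear as a source
# address on an Internet-facing interface.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log, hypothetical "iface src dst dport" format.
# Destinations use the 192.0.2.0/24 documentation range.
SAMPLE_LOG = """\
ext 10.0.1.1 192.0.2.10 1025
ext 10.0.1.1 192.0.2.10 1026
ext 10.0.1.1 192.0.2.11 1025
ext 10.0.1.2 192.0.2.10 4000
ext 10.0.1.2 192.0.2.11 4001
ext 198.51.100.7 192.0.2.10 80
int 10.0.5.20 192.0.2.10 443
ext not-an-ip 192.0.2.10 1025
"""

def summarize_spoofed(log_text, external_iface="ext"):
    """Per private source seen on the external interface: packet count,
    distinct destination ports, distinct destination addresses."""
    stats = defaultdict(lambda: {"packets": 0, "ports": set(), "dsts": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != external_iface:
            continue
        try:
            src = ipaddress.ip_address(fields[1])
            dst = ipaddress.ip_address(fields[2])
            port = int(fields[3])
        except ValueError:
            continue  # malformed line: skip it instead of aborting the run
        if any(src in net for net in RFC1918):
            entry = stats[str(src)]
            entry["packets"] += 1
            entry["ports"].add(port)
            entry["dsts"].add(str(dst))
    return dict(stats)

def sweeping_sources(stats, min_dsts=2):
    """Sources that hit several destination addresses, i.e. a block sweep."""
    return sorted(s for s, e in stats.items() if len(e["dsts"]) >= min_dsts)

if __name__ == "__main__":
    for src, e in sorted(summarize_spoofed(SAMPLE_LOG).items()):
        print(src, e["packets"], len(e["ports"]), len(e["dsts"]))
```

Any non-empty result means private-source packets are reaching the external interface, which is the upstream filtering gap raised in the reply; the per-source counts give the packet rate to weigh against the firewall's load.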