I was even more perturbed when I called the support line of my upstream provider and the response was "huh?" and, after putting me on hold for a while, "Sorry, there is nothing we can do about it from here - call your account manager"! What our account manager was going to do about it was a little beyond me, but I called her anyway. Her line was busy, so I left a message and have still not been called back! Surprise surprise! Given the raft of problems we've had with our upstream provider to date, I can't say the response was unexpected.

Unfortunately, I inherited the firewalls when I got here, and while they are fairly decent ones, they have a windoze only gui (even though the firewall itself is a customised version of Linux & ipchains), which only allows me to deny packets and not drop them.

I was busy configuring a Linux box with iptables yesterday to put between the router & the firewall to create a black hole for the packets, but just before I finished, the attack stopped! Go figure!

Graham Bignell wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Be very disturbed that your upstream provider isn't filtering out
> those spoofed packets; they should not allow the rfc1918 netblocks
> to or from your network. Seriously, it should be in your contract.
>
> Your firewall should also be dropping these packets by default, is
> your issue the rate at which you are getting hit with traffic so
> the device is kept busy?
>
> - ---
> Graham "Lorax" Bignell
> 724 Solutions Inc.
>
> - -----Original Message-----
> From: Konrad Michels [mailto:konradat_private]
> Sent: Wednesday, August 22, 2001 7:53 AM
> To: incidentsat_private
> Subject: 24 hour strobes from 10.0.x.x
>
>
> For the last 24 hours I've had our firewall hammered repeatedly from
> 10.0.1.1 - 10.0.1.9, all 9 addresses simultaneously going at all ports
> over 1024, over and over again!
>
> Obviously spoofed packet headers - and just as I got annoyed enough to
> want to start digging a bit deeper, the silly buggers stop! Now isn't
> that annoying! Anyway, what was interesting about this was also that,
> if I changed the IP address of the firewall's external interface say one
> up or one down, the ruddy things followed it! Obviously then whatever
> it was, was continuously strobing a whole block of IP addresses!
>
> Anyone else seen anything like this lately?
>
> Later
> Konrad
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.1
>
> iQA/AwUBO4P0wzfvNyvTILx2EQKU9QCff0e5p9FAm6Vm7gJfNr68sIiPI4cAoIx+
> 2UGhwI2u5xO5oclMfijIEuEO
> =14Qu
> -----END PGP SIGNATURE-----
>
>

--
****************************************************
*                                                  *
* Please note that I will not be in the office     *
* on Friday 24 August.                             *
*                                                  *
****************************************************

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Thu Aug 23 2001 - 10:56:23 PDT
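
The RFC 1918 filtering and the deny-versus-drop distinction discussed in this thread, as an added example that is not part of the original messages: a shell function that prints iptables commands which silently drop private-range traffic crossing the external interface. The function name `bogon_rules`, the interface name `eth0` and the use of the raw table are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): print iptables commands that black-hole
# RFC 1918 traffic on the external interface of a Linux filtering box.

RFC1918_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# bogon_rules <external-if>
# Prints one iptables command per line; nothing is applied to the kernel here.
bogon_rules() {
    ext_if=$1
    # Refuse empty or odd interface names rather than emit unsafe commands.
    case $ext_if in
        ''|*[!A-Za-z0-9._-]*)
            echo "usage: bogon_rules <external-if>" >&2
            return 1 ;;
    esac

    for net in $RFC1918_NETS; do
        # Ingress: a private source address arriving from the outside is
        # spoofed. raw/PREROUTING runs before connection tracking, so the
        # packet is discarded cheaply. DROP sends nothing back; a rejecting
        # rule would answer the forged source for every probe.
        echo "iptables -t raw -I PREROUTING -i $ext_if -s $net -j DROP"
        # Egress: private destinations must never leave via the outside link.
        echo "iptables -I FORWARD -o $ext_if -d $net -j DROP"
    done
}

# When run with an argument, print the commands for review, e.g.:
#   sh bogon.sh eth0
if [ $# -ge 1 ]; then bogon_rules "$1"; fi
```

The output is meant to be reviewed and then run as root on the filtering host; per-rule packet counters (`iptables -t raw -L PREROUTING -v -n`) then show how much spoofed traffic each netblock rule is absorbing.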