Rise in spoofing and smurfing?

From: Glenn Forbes Fleming Larratt (glrattat_private)
Date: Thu Feb 28 2002 - 19:12:42 PST


    In our educational Class B (obfuscated as 299.299.0.0/16 below), we've
    seen a much higher than normal incidence, 
    
    1. in the last week or two, of what appear to be smurf attempts, e.g. 
    (mildly filtered Cisco syslogs):
    
    Feb 28 19:29:55 tcp 217.59.20.181(21) -> 299.299.0.255(21), 1 packet
    Feb 28 19:29:58 tcp 217.59.20.181(21) -> 299.299.1.255(21), 1 packet
    Feb 28 19:30:00 tcp 217.59.20.181(21) -> 299.299.2.255(21), 1 packet
    	:
    	:
    Feb 28 19:37:07 tcp 217.59.20.181(21) -> 299.299.248.255(21), 1 packet
    Feb 28 19:37:10 tcp 217.59.20.181(21) -> 299.299.250.255(21), 1 packet
    Feb 28 19:37:16 tcp 217.59.20.181(21) -> 299.299.253.255(21), 1 packet
    
    2. in the last three days, of indications of our address space being
    spoofed in huge quantity, presumably as part of DoS, decoy scanning,
    or other nastiness, e.g. (tcpdump -vv of Snort binary logs, in many
    cases implying "stimulus" hosts that don't exist in our network
    [subnets 108 and 93 are unallocated within our Class B]):
    
    02/28 16:06:33.293696 208.184.231.250 > 299.299.108.141: icmp: host 207.78.169.4 unreachable for 299.299.108.141.1171 > 207.78.169.4.1024: [|tcp] (DF) (ttl 123, id 38089, len 48) (ttl 248, id 0, len 56)
    02/28 16:06:52.377804 208.184.231.250 > 299.299.93.170: icmp: host 207.78.169.4 unreachable for 299.299.93.170.1170 > 207.78.169.4.1219: [|tcp] (DF) (ttl 123, id 1165, len 48) (ttl 248, id 0, len 56)
    
    Has anyone seen similar behavior?
    
    	-g
    -- 
    Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-) 
    glrattat_private                        http://www.io.com/~glratt  
    There are imaginary bugs to chase in heaven.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
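The two patterns in the post above (a single source walking every subnet's .255 broadcast address, and ICMP host-unreachable backscatter whose quoted inner packet claims a source in a subnet that was never allocated) can be picked out mechanically from exactly these log formats. The script below is an added example, not the poster's code or anything from the list: it parses Cisco-style "src(port) -> dst(port), N packets" lines and tcpdump "icmp: host X unreachable for A.p > B.q" lines, flags directed-broadcast probes, groups them per source to separate a real amplifier sweep from a stray packet, and marks backscatter whose inner source falls in the unallocated subnets the poster names (93 and 108). The log lines embedded in it are constructed to match the post's formats, the local prefix is the post's obfuscated 299.299.0.0/16 (so addresses are handled as strings rather than with the ipaddress module, which would reject 299), and the threshold of three subnets for calling something a sweep is an arbitrary choice for illustration.

```python
import re

# Constructed sample input modelled on the post's Cisco syslog format (not the original logs).
CISCO_LINES = [
    "Feb 28 19:29:55 tcp 217.59.20.181(21) -> 299.299.0.255(21), 1 packet",
    "Feb 28 19:29:58 tcp 217.59.20.181(21) -> 299.299.1.255(21), 1 packet",
    "Feb 28 19:30:00 tcp 217.59.20.181(21) -> 299.299.2.255(21), 1 packet",
    "Feb 28 19:30:03 tcp 10.1.2.3(4567) -> 299.299.12.34(80), 3 packets",
    "Feb 28 19:37:16 tcp 217.59.20.181(21) -> 299.299.253.255(21), 1 packet",
]

# Constructed sample input modelled on the post's tcpdump -vv ICMP unreachable format.
TCPDUMP_LINES = [
    "02/28 16:06:33.293696 208.184.231.250 > 299.299.108.141: icmp: host 207.78.169.4 unreachable for 299.299.108.141.1171 > 207.78.169.4.1024: [|tcp] (DF) (ttl 123, id 38089, len 48) (ttl 248, id 0, len 56)",
    "02/28 16:06:52.377804 208.184.231.250 > 299.299.93.170: icmp: host 207.78.169.4 unreachable for 299.299.93.170.1170 > 207.78.169.4.1219: [|tcp] (DF) (ttl 123, id 1165, len 48) (ttl 248, id 0, len 56)",
    "02/28 16:07:01.000000 198.51.100.9 > 299.299.12.34: icmp: host 198.51.100.9 unreachable for 299.299.12.34.1025 > 198.51.100.9.80: [|tcp] (DF) (ttl 60, id 7, len 48) (ttl 200, id 0, len 56)",
]

LOCAL_PREFIX = "299.299."        # the post's obfuscated Class B; assumed, handled as a string
UNALLOCATED_SUBNETS = {93, 108}  # third octets the poster says are unallocated

CISCO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<n>\d+) packets?$"
)

# Only the outer header and the quoted inner header matter; the trailing ttl/id/len fields are ignored.
UNREACH_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<outer_src>[\d.]+) > (?P<outer_dst>[\d.]+): icmp: host (?P<host>[\d.]+) "
    r"unreachable for (?P<inner_src>[\d.]+)\.(?P<inner_sport>\d+) > (?P<inner_dst>[\d.]+)\.(?P<inner_dport>\d+):"
)


def octets(ip):
    return [int(o) for o in ip.split(".")]


def directed_broadcast_probes(lines):
    """Packets aimed at a .255 address inside the local /16, i.e. a subnet-directed
    broadcast. That is what a smurf amplifier probe looks like from the target side."""
    hits = []
    for line in lines:
        m = CISCO_RE.match(line)
        if not m:
            continue
        dst = m["dst"]
        if dst.startswith(LOCAL_PREFIX) and octets(dst)[3] == 255:
            hits.append((m["src"], dst, m["proto"], int(m["dport"])))
    return hits


def smurf_sweep_sources(lines, min_subnets=3):
    """Group broadcast probes by source. One source touching the broadcast address of
    many distinct subnets is hunting for amplifiers; a single hit may be noise.
    min_subnets is an arbitrary illustration threshold."""
    per_src = {}
    for src, dst, _, _ in directed_broadcast_probes(lines):
        per_src.setdefault(src, set()).add(octets(dst)[2])
    return {src: len(subs) for src, subs in per_src.items() if len(subs) >= min_subnets}


def backscatter(lines):
    """ICMP host-unreachable messages whose quoted inner packet claims a local source.
    If that source sits in a subnet that was never allocated, the packet cannot have
    left this network: the address was spoofed elsewhere and this is the backscatter."""
    out = []
    for line in lines:
        m = UNREACH_RE.match(line)
        if not m:
            continue
        inner_src = m["inner_src"]
        if not inner_src.startswith(LOCAL_PREFIX):
            continue
        out.append({
            "reporter": m["outer_src"],          # router that sent the unreachable
            "spoofed_src": inner_src,            # our address as seen in the inner packet
            "victim": m["inner_dst"],            # where the spoofed traffic was really sent
            "victim_port": int(m["inner_dport"]),
            "unallocated": octets(inner_src)[2] in UNALLOCATED_SUBNETS,
        })
    return out


if __name__ == "__main__":
    print("smurf sweep sources:", smurf_sweep_sources(CISCO_LINES))
    for b in backscatter(TCPDUMP_LINES):
        flag = "UNALLOCATED -> spoofed" if b["unallocated"] else "allocated host"
        print(f"{b['reporter']} reports {b['spoofed_src']} -> {b['victim']}:{b['victim_port']} ({flag})")
```

The unallocated-subnet check is the strong signal: backscatter for an address that does exist could still be a legitimate failed connection, but nothing in a subnet with no hosts can have sent the original packet, so every such unreachable is evidence of spoofing, and the victim field tells you who is actually being attacked with your address space.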
    
    This archive was generated by hypermail 2b30 : Fri Mar 01 2002 - 08:33:13 PST