We've been seeing the same activity since Wednesday... Looks like our range is being spoofed to attack DNS servers. It's not affecting us at this time.

We have also seen an increase in port scans (mostly for squid and other proxy servers) against us from an ap source...

Welcome to the wonderful world of the internet... :)

Stuart Sheldon

Glenn Forbes Fleming Larratt wrote:
>
> In our educational Class B (obfuscated as 299.299.0.0/16 below), we've
> seen a much higher than normal incidence,
>
> 1. in the last week or two, of what appear to be smurf attempts, e.g.
>    (mildly filtered Cisco syslogs):
>
> Feb 28 19:29:55 tcp 217.59.20.181(21) -> 299.299.0.255(21), 1 packet
> Feb 28 19:29:58 tcp 217.59.20.181(21) -> 299.299.1.255(21), 1 packet
> Feb 28 19:30:00 tcp 217.59.20.181(21) -> 299.299.2.255(21), 1 packet
> :
> :
> Feb 28 19:37:07 tcp 217.59.20.181(21) -> 299.299.248.255(21), 1 packet
> Feb 28 19:37:10 tcp 217.59.20.181(21) -> 299.299.250.255(21), 1 packet
> Feb 28 19:37:16 tcp 217.59.20.181(21) -> 299.299.253.255(21), 1 packet
>
> 2. in the last three days, of indications of our address space being
>    spoofed in huge quantity, presumably as part of DoS, decoy scanning,
>    or other nastiness, e.g. (tcpdump -vv of Snort binary logs, in many
>    cases implying "stimulus" hosts that don't exist in our network
>    [subnets 108 and 93 are unallocated within our Class B]):
>
> 02/28 16:06:33.293696 208.184.231.250 > 299.299.108.141: icmp: host 207.78.169.4 unreachable for 299.299.108.141.1171 > 207.78.169.4.1024: [|tcp] (DF) (ttl 123, id 38089, len 48) (ttl 248, id 0, len 56)
> 02/28 16:06:52.377804 208.184.231.250 > 299.299.93.170: icmp: host 207.78.169.4 unreachable for 299.299.93.170.1170 > 207.78.169.4.1219: [|tcp] (DF) (ttl 123, id1165, len 48) (ttl 248, id 0, len 56)
>
> Has anyone seen similar behavior?
>
> -g
> --
> Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-)
> glrattat_private                     http://www.io.com/~glratt
> There are imaginary bugs to chase in heaven.
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

--
The early bird who catches the worm works for someone who comes in late and owns the worm farm.
-- Travis McGee
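A detection sketch for the sweep pattern in the quoted Cisco syslog lines, added here as an example and not part of either poster's message: it flags any source that hits the `.255` address of several distinct /24s inside a short window. Assumptions: every destination ending in `.255` is treated as a /24 directed broadcast, the threshold and window are illustrative, the year is taken from the archive date, and the two `192.0.2.7` lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First six lines are the syslog entries quoted in the thread (addresses are
# obfuscated as 299.299.x.x, so they are handled as strings, not parsed IPs).
# The two 192.0.2.7 lines are constructed to show traffic that is not flagged.
SAMPLE = """\
Feb 28 19:29:55 tcp 217.59.20.181(21) -> 299.299.0.255(21), 1 packet
Feb 28 19:29:58 tcp 217.59.20.181(21) -> 299.299.1.255(21), 1 packet
Feb 28 19:30:00 tcp 217.59.20.181(21) -> 299.299.2.255(21), 1 packet
Feb 28 19:31:02 tcp 192.0.2.7(1040) -> 299.299.4.255(80), 1 packet
Feb 28 19:31:05 tcp 192.0.2.7(1041) -> 299.299.4.17(80), 1 packet
Feb 28 19:37:07 tcp 217.59.20.181(21) -> 299.299.248.255(21), 1 packet
Feb 28 19:37:10 tcp 217.59.20.181(21) -> 299.299.250.255(21), 1 packet
Feb 28 19:37:16 tcp 217.59.20.181(21) -> 299.299.253.255(21), 1 packet
"""

LINE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \w+ ([\d.]+)\(\d+\) -> ([\d.]+)\(\d+\), "
    r"\d+ packets?$")

def broadcast_sweeps(text, min_subnets=5, window=timedelta(minutes=10)):
    """Return {source: sorted /24 prefixes} for each source that sent to the
    .255 address of at least min_subnets distinct /24s within window."""
    hits = defaultdict(list)                      # source -> [(time, prefix)]
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                              # not in the expected format
        ts, src, dst = m.groups()
        prefix, _, host = dst.rpartition(".")
        if host != "255":
            continue                              # ordinary host, not a broadcast
        # Syslog timestamps carry no year; 2002 is assumed from the archive date.
        when = datetime.strptime("2002 " + ts, "%Y %b %d %H:%M:%S")
        hits[src].append((when, prefix))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):            # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= min_subnets:
                flagged[src] = sorted({p for _, p in events})
                break
    return flagged
```

On a network with subnet masks other than /24, the broadcast test needs the site's real subnet boundaries instead of the last-octet check.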
This archive was generated by hypermail 2b30 : Fri Mar 01 2002 - 10:59:55 PST