How to get rid of spoofed IP-Address responses

From: NetWatch (netwatch@sagadc.de)
Date: 05/23/02


Date: Thu, 23 May 2002 22:30:22 +0200
From: "NetWatch" <netwatch@sagadc.de>
To: <focus-linux@securityfocus.com>

Perhaps you can help me out of my trouble.

For several weeks we have been getting SYN responses from hosts that
were under a DoS attack. The attacker used our IP addresses as the
spoofed source IP and port 80 as the source port.
Everything I can find is about how to survive when I am the attacked
network. How can I prevent these stupid responses from reaching my
network? This is really annoying. One of the hosts was in the Cerf-Net,
which is now handled by AT&T. These people are pretty arrogant and
delete every mail I sent to the administrators of the network
immediately after it arrives.

We had another system identified in Sweden which was powered off and
disconnected. Meanwhile this IP address is gone from our blocking list.

We run SuSE 7.3 with iptables and also Snort, and are already blocking
some data on our Cisco border router.

I have no idea anymore how to kill these packets.

Any help is really appreciated.

Thanks to all of you,
Jochen Grotepass
SAGA D.C. GmbH
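
The traffic pattern described in this message (replies arriving for connections the network never opened), as an added example that is not part of the original post: a Python check that separates unsolicited SYN/ACK and RST packets from real traffic in a packet log and counts them per remote host. The address block, the tuple layout and the sample packets are constructed assumptions.

```python
import ipaddress
from collections import Counter

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed: our own address block

# Constructed sample log: (src_ip, src_port, dst_ip, dst_port, tcp_flags)
SAMPLE = [
    ("192.0.2.10", 40000, "198.51.100.7", 443, "S"),   # SYN we really sent
    ("198.51.100.7", 443, "192.0.2.10", 40000, "SA"),  # its legitimate reply
    ("203.0.113.5", 6667, "192.0.2.10", 80, "SA"),     # reply to a SYN we never sent
    ("203.0.113.5", 6667, "192.0.2.11", 80, "SA"),
    ("203.0.113.9", 22, "192.0.2.10", 80, "RA"),       # reset for a spoofed SYN
    ("198.51.100.20", 51000, "192.0.2.10", 80, "S"),   # genuine client of our web server
    ("198.51.100.20", 51000, "192.0.2.10", 80, "R"),   # that client aborting its own flow
]

def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET

def find_backscatter(packets):
    """Return inbound SYN/ACK or RST packets that belong to no known flow."""
    sent_syn = set()  # flows we opened: (local_ip, local_port, remote_ip, remote_port)
    inbound = set()   # flows a remote client opened to us, same key layout
    unsolicited = []
    for src, sport, dst, dport, flags in packets:
        if flags == "S":  # a bare SYN opens a flow in one direction or the other
            if is_local(src):
                sent_syn.add((src, sport, dst, dport))
            elif is_local(dst):
                inbound.add((dst, dport, src, sport))
            continue
        if not is_local(dst):
            continue
        key = (dst, dport, src, sport)
        synack = "S" in flags and "A" in flags
        rst = "R" in flags
        # A SYN/ACK must answer a SYN we sent; a RST must match a flow either side opened.
        if (synack and key not in sent_syn) or (rst and key not in (sent_syn | inbound)):
            unsolicited.append((src, sport, dst, dport, flags))
    return unsolicited

def top_sources(packets):
    """Count unsolicited replies per remote host, most frequent first."""
    return Counter(p[0] for p in find_backscatter(packets)).most_common()
```

The same test, a reply with no matching outbound SYN, is what a connection-tracking packet filter applies when it decides whether an inbound segment belongs to an existing flow.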