RE: 24 hour strobes from 10.0.x.x

From: Graham Bignell (gbignell@724.com)
Date: 08/22/01


Message-ID: <4556B4863D46D5118A6000D0B73EBB572E61DF@inftormail07.724.com>
From: Graham Bignell <gbignell@724.com>
To: 'Konrad Michels' <konrad@overnetdata.com>, incidents@securityfocus.com
Subject: RE: 24 hour strobes from 10.0.x.x
Date: Wed, 22 Aug 2001 14:05:49 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Be very disturbed that your upstream provider isn't filtering out
those spoofed packets; they should not allow the rfc1918 netblocks
to or from your network. Seriously, it should be in your contract.

Your firewall should also be dropping these packets by default, is
your issue the rate at which you are getting hit with traffic so
the device is kept busy?

- ---
Graham "Lorax" Bignell
724 Solutions Inc.

- -----Original Message-----
From: Konrad Michels [mailto:konrad@overnetdata.com]
Sent: Wednesday, August 22, 2001 7:53 AM
To: incidents@securityfocus.com
Subject: 24 hour strobes from 10.0.x.x

For the last 24 hours I've had our firewall hammered repeatedly from
10.0.1.1 - 10.0.1.9, all 9 addresses simultaneously going at all ports
over 1024, over and over again!

Obviously spoofed packet headers - and just as I got annoyed enough to
want to start digging a bit deeper, the silly buggers stop! Now isn't
that annoying! Anyway, what was interesting about this was also that,
if I changed the IP address of the firewall's external interface say one
up or one down, the ruddy things followed it! Obviously then whatever
it was, was continuously strobing a whole block of IP addresses!

Anyone else seen anything like this lately?

Later
Konrad

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBO4P0wzfvNyvTILx2EQKU9QCff0e5p9FAm6Vm7gJfNr68sIiPI4cAoIx+
2UGhwI2u5xO5oclMfijIEuEO
=14Qu
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
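The two points in the thread above, that RFC 1918 space should never cross the border in either direction and that the "strobe" is a spoofed-source sweep of high ports, can both be checked mechanically. The following is an added example written for this page, not code from either poster: a border-filter verdict function and a small firewall-log summariser. The log format, the 203.0.113.x / 198.51.100.x addresses and the port set are constructed to resemble the 10.0.1.1 - 10.0.1.9 sweep Konrad describes; they are not captured data.

```python
"""Border filter for RFC 1918 / bogon addresses and a summary of spoofed-source
high-port sweeps in firewall logs. Added example; log lines are constructed."""
import ipaddress
import re
from collections import defaultdict

# RFC 1918 private space: must not appear on either side of the border.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# A few more ranges that are equally meaningless on a public link
# (assumption: a minimal extra list, not a complete bogon feed).
EXTRA_BOGONS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]


def is_rfc1918(addr):
    """True if the dotted-quad string lies in one of the RFC 1918 blocks."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in RFC1918)


def is_bogon(addr):
    """True if the address is RFC 1918 or in the extra non-routable list."""
    a = ipaddress.ip_address(addr)
    return is_rfc1918(addr) or any(a in n for n in EXTRA_BOGONS)


def border_verdict(src, dst):
    """Verdict for a packet crossing the border in either direction.
    Private or bogon space in either address field means the packet is
    spoofed, misrouted or leaking, so the upstream or the border firewall
    should drop it. Returns (verdict, reason)."""
    if is_bogon(src):
        return ("drop", "source address %s is private/bogon" % src)
    if is_bogon(dst):
        return ("drop", "destination address %s is private/bogon" % dst)
    return ("accept", "both addresses are routable")


# Constructed, netfilter-style DROP line layout (assumption: field names only).
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
                    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")


def summarize_strobe(log_lines, high_port=1024):
    """Group DROP events by source address. For each source report the packet
    count, the number of distinct destination ports above `high_port`, and
    whether the source claims to be RFC 1918 space (i.e. is spoofed)."""
    per_src = defaultdict(lambda: [0, set()])
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dpt = m.group("src"), int(m.group("dpt"))
        per_src[src][0] += 1
        if dpt > high_port:
            per_src[src][1].add(dpt)
    return {src: {"packets": n, "high_ports": len(ports), "private_source": is_rfc1918(src)}
            for src, (n, ports) in per_src.items()}


def strobe_sources(summary, min_high_ports=3):
    """Sources that are both private (spoofed) and sweeping several high ports."""
    return sorted(s for s, info in summary.items()
                  if info["private_source"] and info["high_ports"] >= min_high_ports)


def build_sample_log():
    """Constructed sample: nine 10.0.1.x sources each hitting five ports above
    1024 on the firewall's public address, plus one ordinary dropped packet."""
    lines = []
    for host in range(1, 10):
        for port in (1025, 1026, 1027, 2049, 6000):
            lines.append("Aug 22 07:51:02 fw kernel: DROP IN=eth0 SRC=10.0.1.%d "
                         "DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=%d" % (host, port))
    lines.append("Aug 22 07:51:03 fw kernel: DROP IN=eth0 SRC=198.51.100.7 "
                 "DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=80")
    return lines


if __name__ == "__main__":
    print(border_verdict("10.0.1.1", "203.0.113.5"))
    summary = summarize_strobe(build_sample_log())
    for src in strobe_sources(summary):
        print(src, summary[src])
```

The border rule is deliberately symmetric: a packet with a private address in either field is dropped whether it is arriving or leaving, which is the "to or from your network" condition the reply asks the upstream to enforce. The summariser only needs the DROP lines the firewall already writes; a source that is both RFC 1918 and touching many ports above 1024 is the signature of the sweep described in the original message, regardless of which public address the firewall is currently using.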
