Re: 24 hour strobes from 10.0.x.x
From: Konrad Michels (konrad@overnetdata.com)Date: 08/23/01
- Previous message: JohnNicholson@aol.com: "Re: Revenue loss due to breakins"
- In reply to: Graham Bignell: "RE: 24 hour strobes from 10.0.x.x"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <3B84B963.6030103@overnetdata.com> Date: Thu, 23 Aug 2001 09:05:55 +0100 From: Konrad Michels <konrad@overnetdata.com> To: Graham Bignell <gbignell@724.com> Subject: Re: 24 hour strobes from 10.0.x.x
I was even more perturbed when I called the support line of my upstream
provider and the response was "huh?" and, after putting me on hold for a
while, "Sorry, there is nothing we can do about it from here - call your
account manager"!
What our account manager was going to do about it was a little beyond
me, but I called her anyway. Her line was busy, so I left a message and
have still not been called back! Surprise surprise!
Given the raft of problems we've had with our upstream provider to date,
I can't say the response was unexpected.
Unfortunately, I inherited the firewalls when I got here, and while they
are fairly decent ones, they have a windoze only gui (even though the
firewall itself is a customised version of Linux & ipchains), which only
allows me to deny packets and not drop them.
I was busy configuring a Linux box with iptables yesterday to put
between the router & the firewall to create a black hole for the
packets, but just before I finished, the attack stopped! Go figure!
Graham Bignell wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Be very disturbed that your upstream provider isn't filtering out
> those spoofed packets; they should not allow the rfc1918 netblocks
> to or from your network. Seriously, it should be in your contract.
>
> Your firewall should also be dropping these packets by default, is
> your issue the rate at which you are getting hit with traffic so
> the device is kept busy?
>
> - ---
> Graham "Lorax" Bignell
> 724 Solutions Inc.
>
> - -----Original Message-----
> From: Konrad Michels [mailto:konrad@overnetdata.com]
> Sent: Wednesday, August 22, 2001 7:53 AM
> To: incidents@securityfocus.com
> Subject: 24 hour strobes from 10.0.x.x
>
>
> For the last 24 hours I've had our firewall hammered repeatedly from
> 10.0.1.1 - 10.0.1.9, all 9 addresses simultaneously going at all ports
> over 1024, over and over again!
>
> Obviously spooofed packet headers - and just as I got annoyed enough to
> want to start digging a bit deeper, the silly buggers stop! Now isn't
> that annoying! Anyway, what was interesting about this was also that,
> if I changed the IP address of the firewall's external interface say one
> up or one down, the ruddy things followed it! Obviously then whatever
> it was, was continuously strobing a whole block of IP addresses!
>
> Anyone else seen anything like this lately?
>
> Later
> Konrad
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.1
>
> iQA/AwUBO4P0wzfvNyvTILx2EQKU9QCff0e5p9FAm6Vm7gJfNr68sIiPI4cAoIx+
> 2UGhwI2u5xO5oclMfijIEuEO
> =14Qu
> -----END PGP SIGNATURE-----
>
>
-- **************************************************** * * * Please note that I will not be in the office * * on Friday 24 August. * * * ****************************************************---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
- Previous message: JohnNicholson@aol.com: "Re: Revenue loss due to breakins"
- In reply to: Graham Bignell: "RE: 24 hour strobes from 10.0.x.x"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
