Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

From: Valdis.Kletnieks@vt.edu
Date: 02/03/03

    To: Joel Tyson <jtyson@pa.eplus.com>
    From: Valdis.Kletnieks@vt.edu
    Date: Mon, 03 Feb 2003 14:04:52 -0500
    

    On Mon, 03 Feb 2003 10:40:02 EST, Joel Tyson <jtyson@pa.eplus.com> said:

    > The best way to handle these types of packets would be to route them to a
    > null0 interface. This way the packets will be dropped without ICMP response.
    > Typically all ISPs should have these ACLs configured on their border routers;
    > but they don't.

    There's not much financial incentive for many ISPs to filter - when you're
    billing based on traffic volume, you don't really want all those probes to
    go away. So what if 20% of the traffic is probes? That's 20% more income
    for the provider, and many providers are in a financial crunch - that 20%
    may be all that's keeping them afloat. As long as they don't get burned by
    an SQL worm that takes out their infrastructure too, why should they filter?

    /Valdis (who is having a more-cynical-than-usual day)

    
    



