[119872] in North American Network Operators' Group
RE: port scanning from spoofed addresses
daemon@ATHENA.MIT.EDU (Matthew Huff)
Thu Dec 3 12:53:58 2009
From: Matthew Huff <mhuff@ox.com>
To: Florian Weimer <fweimer@bfk.de>
Date: Thu, 3 Dec 2009 12:53:04 -0500
In-Reply-To: <823a3sarl9.fsf@mid.bfk.de>
Cc: " \(nanog@nanog.org\)" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
The source address appears to be fixed as well as the source port (6666), s=
canning different destinations and ports.
----
Matthew Huff=A0=A0=A0=A0=A0=A0 | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com=A0 | Phone: 914-460-4039
aim: matthewbhuff=A0 | Fax:=A0=A0 914-460-4139
-----Original Message-----
From: Florian Weimer [mailto:fweimer@bfk.de]=20
Sent: Thursday, December 03, 2009 12:35 PM
To: Matthew Huff
Cc: (nanog@nanog.org)
Subject: Re: port scanning from spoofed addresses
* Matthew Huff:
> We are seeing a large number of tcp connection attempts to ports
> known to have security issues. The source addresses are spoofed from
> our address range. They are easy to block at our border router
> obviously, but the number and volume is a bit worrisome. Our
> upstream providers appear to be uninterested in tracing or blocking
> them. Is this the new normal? One of my concerns is that if others
> are seeing probe attempts, they will see them from these addresses
> and of course, contact us.
What's the distribution of the source addresses and source ports?
--=20
Florian Weimer <fweimer@bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstra=DFe 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
