[119936] in North American Network Operators' Group
Re: port scanning from spoofed addresses
daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Fri Dec 4 04:30:46 2009
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9D775E7EE24@PUR-EXCH07.ox.com>
Date: Fri, 4 Dec 2009 14:59:50 +0530
From: Suresh Ramasubramanian <ops.lists@gmail.com>
To: Matthew Huff <mhuff@ox.com>
Cc: "\(nanog@nanog.org\)" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Thu, Dec 3, 2009 at 10:35 PM, Matthew Huff <mhuff@ox.com> wrote:
> We are seeing a large number of tcp connection attempts to ports known to=
have security issues. The source addresses are spoofed from our address ra=
nge. They are easy to block at our border router obviously, but the number =
and volume is a bit worrisome. Our upstream providers appear to be unintere=
sted in tracing or blocking them. Is this the new normal? One of my concern=
s is that if others are seeing probe attempts, they will see them from thes=
e addresses and of course, contact us.
>
> Any suggestions on what to do next? Or just ignore.
Filter it out and then ignore. Might as well filter it out - see
http://thespamdiaries.blogspot.com/2006/02/new-host-cloaking-technique-used=
-by.html
