[27715] in North American Network Operators' Group


Re: Network Probes

daemon@ATHENA.MIT.EDU (Scott McGrath)
Thu Mar 9 17:59:29 2000

Message-ID: <38C82B5B.707E5B3C@bexair.com>
Date: Thu, 09 Mar 2000 17:53:15 -0500
From: "Scott McGrath" <s_mcgrath@bexair.com>
MIME-Version: 1.0
To: "Matthew R. Potter" <mpotter@atpco.com>
Cc: nanog@merit.edu
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu


I cannot find anything in the literature about this attack method. As a
WILD guess, it is a mutation of one of the DDOS tools with new ports, but this
underscores the importance of martian filters on border routers and also
filtering outbounds so that spoofed addresses cannot leave your border routers.
Cisco also has an obscure command to verify the path, but it drops the router
into process switch mode as I recall. If I am wrong, please correct me.

Scott

"Matthew R. Potter" wrote:

> >Hi,
> >
> >Has anyone else noticed probes against their network with a spoofed
> >source address
> >and Src (80) and Dst(2183)
> Yes, all from reserved (private) IPs... Over and over and over... At two-minute
> intervals.
>
> Mar  9 11:48:52 xxxxxxxx ipmon[23116]: 11:48:52.169293              xl1
> @0:4 b 10.2.8.31,80 -> xxx.xxx.xxx.xxx,51419 PR tcp len 20 40 -AF
> Mar  9 11:49:28 xxxxxxxx ipmon[23116]: 11:49:28.286393              xl1
> @0:3 b 172.16.0.142,80 -> xxx.xxx.xxx.xxx,6736 PR tcp len 20 163 -AFP
>
> Begins again... in 2 minutes... same IPs, flags and ports.
>
> M.
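
Scott's point about martian filters and Matthew's ipmon lines suggest a simple check a defender can run over the firewall log. The following Python script is an added example, not code from the thread: it parses ipmon lines in the quoted format, flags packets that arrive on the outside interface with a martian (RFC 1918, loopback, link-local, unspecified) source, and counts repeating source/port/flag signatures. The hostname fw1, the outside interface name xl1 and the sample log lines are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Source ranges that should never arrive on a border router's outside
# interface ("martians"). Extend to match local bogon policy.
MARTIAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]

# ipmon line: "... ipmon[pid]: <ts> <iface> @grp:rule <b|p> src,sport -> dst,dport PR proto len hl tl <flags>"
IPMON_RE = re.compile(
    r"ipmon\[\d+\]:\s+(?P<ts>\S+)\s+(?P<iface>\S+)\s+@\S+\s+(?P<action>[bp])\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.x]+),(?P<dport>\d+)"
    r"\s+PR\s+(?P<proto>\w+)\s+len\s+\d+\s+\d+(?:\s+(?P<flags>-\w+))?"
)

# Constructed sample lines in the format quoted in the thread; the
# destination is masked with x's exactly as in the original post.
SAMPLE_LOG = [
    "Mar  9 11:48:52 fw1 ipmon[23116]: 11:48:52.169293 xl1 @0:4 b 10.2.8.31,80 -> xxx.xxx.xxx.xxx,51419 PR tcp len 20 40 -AF",
    "Mar  9 11:49:28 fw1 ipmon[23116]: 11:49:28.286393 xl1 @0:3 b 172.16.0.142,80 -> xxx.xxx.xxx.xxx,6736 PR tcp len 20 163 -AFP",
    "Mar  9 11:50:52 fw1 ipmon[23116]: 11:50:52.201117 xl1 @0:4 b 10.2.8.31,80 -> xxx.xxx.xxx.xxx,51419 PR tcp len 20 40 -AF",
    "Mar  9 11:51:03 fw1 ipmon[23116]: 11:51:03.004512 xl1 @0:9 p 198.51.100.7,80 -> xxx.xxx.xxx.xxx,40211 PR tcp len 20 40 -A",
]

def is_martian(addr):
    """True if addr falls in a range that cannot legitimately be an external source."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MARTIAN_NETS)

def parse_ipmon(line):
    """Return the parsed fields of one ipmon line, or None if it does not match."""
    m = IPMON_RE.search(line)
    return m.groupdict() if m else None

def find_spoofed(lines, outside_iface="xl1"):
    """Records seen on the outside interface whose source address is a martian."""
    hits = []
    for line in lines:
        rec = parse_ipmon(line)
        if rec and rec["iface"] == outside_iface and is_martian(rec["src"]):
            hits.append(rec)
    return hits

def repeat_counts(hits):
    """Count recurring (src, sport, dport, flags) signatures, the repeating pattern the thread describes."""
    return Counter((h["src"], h["sport"], h["dport"], h["flags"]) for h in hits)

if __name__ == "__main__":
    for sig, n in repeat_counts(find_spoofed(SAMPLE_LOG)).items():
        print(f"martian source {sig[0]}:{sig[1]} -> port {sig[2]} flags {sig[3]}: {n} hits")
```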


