[63054] in North American Network Operators' Group


Re: Increase in tcp traffic from spoofed source to bogon?

daemon@ATHENA.MIT.EDU (Mike Tancsa)
Thu Sep 25 17:42:12 2003

Date: Thu, 25 Sep 2003 17:40:50 -0400
To: Mark Segal <MSegal@Corporate.FCIBroadband.com>,
	"'nanog@merit.edu'" <nanog@merit.edu>
From: Mike Tancsa <mike@sentex.net>
In-Reply-To: <7D65E2ADB9ADD4119CC200508BB1E0BC02A11DA7@fwexch01.corp.futureway.ca>
Errors-To: owner-nanog-outgoing@merit.edu


Is it all to 135?  I drop lots of that at my border.  Each time I traced 
it back to the customer, it was some infected machine that was not being 
natted for various reasons.

e.g.

Deny TCP 172.16.4.1:4616 192.100.103.4:135

We also see the odd NTP request.  Is it bogon as in RFC 1918 or bogon as in 
not yet allocated / routed?

         ---Mike

At 05:26 PM 25/09/2003, Mark Segal wrote:

>While cleaning the Nachi virus ICMP traffic.. I noticed a lot of TCP
>traffic (it seems to be increasing) from spoofed address to bogon space?
>Any ideas on what virus or worm this is?  Is it new?
>
>Regards,
>Mark
>
>--
>Mark Segal
>Director, Network Planning
>FCI Broadband
>Tel: 905-284-4070
>Fax: 416-987-4701
>http://www.fcibroadband.com
>
>Futureway Communications Inc. is now FCI Broadband
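
An added example, not part of the original messages: a small triage script over border deny logs in the shape of the line quoted in the reply, grouping hits by destination port and separating RFC 1918 sources (internal hosts escaping NAT) from everything else. Only the first sample line comes from the message; the rest, and the assumption that every log line has this shape, are constructed. Telling routed from unallocated space needs a current bogon list, which is not included.

```python
import ipaddress
import re
from collections import Counter

# Line shape taken from the one quoted example: "Deny TCP src:sport dst:dport"
DENY_RE = re.compile(r"^Deny\s+(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)"
                     r"\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_source(addr):
    """Return 'rfc1918', 'special-use' or 'other' for a source address."""
    ip = ipaddress.ip_address(addr)          # raises ValueError on garbage
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return "special-use"
    return "other"   # routed or unallocated: needs a current bogon list to split

def summarize(lines):
    """Count denies per (proto, dport, source class); list leaking RFC 1918 hosts."""
    by_port, leaking_hosts, skipped = Counter(), {}, 0
    for line in lines:
        m = DENY_RE.match(line.strip())
        if not m:
            skipped += 1                     # not a deny line in this shape
            continue
        try:
            kind = classify_source(m["src"])
        except ValueError:
            skipped += 1                     # malformed address in the log
            continue
        dport = int(m["dport"])
        by_port[(m["proto"], dport, kind)] += 1
        if kind == "rfc1918":                # un-NATted internal host to chase
            leaking_hosts.setdefault(m["src"], set()).add(dport)
    return by_port, leaking_hosts, skipped

SAMPLE = [
    "Deny TCP 172.16.4.1:4616 192.100.103.4:135",   # line quoted in the message
    "Deny TCP 172.16.4.1:4617 192.0.2.10:135",      # constructed from here down
    "Deny TCP 10.1.2.3:1044 198.51.100.20:135",
    "Deny UDP 192.168.5.9:123 192.0.2.123:123",
    "Deny TCP 203.0.113.7:3201 192.0.2.10:135",
    "Deny TCP 999.1.1.1:1 192.0.2.10:135",
    "Permit TCP 10.0.0.1:1 192.0.2.1:80",
]

if __name__ == "__main__":
    ports, hosts, skipped = summarize(SAMPLE)
    for key, n in ports.most_common():
        print(n, *key)
    print("RFC 1918 sources:", hosts, "skipped:", skipped)
```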

