[63070] in North American Network Operators' Group
Re: Increase in tcp traffic from spoofed source to bogon?
daemon@ATHENA.MIT.EDU (Pekka Savola)
Fri Sep 26 05:26:30 2003
Date: Fri, 26 Sep 2003 12:23:44 +0300 (EEST)
From: Pekka Savola <pekkas@netcore.fi>
To: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu

On Thu, 25 Sep 2003, Mike Tancsa wrote:
> Is it all to 135 ? I drop lots of that at my border. Each time I traced
> it back to the customer, it was some infected machine that was not being
> natted for various reasons.
>
> e.g.
>
> Deny TCP 172.16.4.1:4616 192.100.103.4:135
>
> We also see the odd ntp request. Is it bogon as in RFC 1918 or bogon as in
> not yet allocated / routed ?

We are seeing some amount of traffic to the SMTP port of 127.0.0.2 (!!!).
I haven't bothered to check this out at the moment. One would suppose the
routers would blackhole the loopback traffic (or have a route to
127.0.0.1), but no... :-)

> At 05:26 PM 25/09/2003, Mark Segal wrote:
>
> >While cleaning the Nachi virus icmp traffic.. I noticed a lot of tcp
> >traffic (it seems to be increasing) from spoofed address to bogon space?
> >Any ideas on what virus or worm this is? Is it new?
> >
> >Regards,
> >Mark
> >
> >--
> >Mark Segal
> >Director, Network Planning
> >FCI Broadband
> >Tel: 905-284-4070
> >Fax: 416-987-4701
> >http://www.fcibroadband.com
> >
> >Futureway Communications Inc. is now FCI Broadband
>
--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
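
An added example, not part of the original thread: a small Python triage script for border deny logs in the `Deny TCP src:port dst:port` shape quoted above, sorting each address into RFC 1918, loopback or other statically reserved space so that spoofed or un-NATted sources and odd destinations such as 127.0.0.2 stand out. The range table, function names and all sample lines except the first are assumptions made for this example; unallocated space needs a current bogon list, which is not embedded here.

```python
import ipaddress
import re
from collections import Counter

# Statically reserved ranges (assumed table for this example, not a full bogon list).
STATIC_BOGONS = {
    "rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "loopback": ["127.0.0.0/8"],
    "link-local": ["169.254.0.0/16"],
    "this-network": ["0.0.0.0/8"],
    "documentation": ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"],
    "multicast-or-reserved": ["224.0.0.0/3"],
}
NETS = [(label, ipaddress.ip_network(n))
        for label, nets in STATIC_BOGONS.items() for n in nets]

# Matches the deny-line shape quoted in the thread.
LINE_RE = re.compile(
    r"Deny\s+(TCP|UDP)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)")

def classify(addr):
    """Return the reserved-range label for addr, or 'not-static-bogon'."""
    ip = ipaddress.ip_address(addr)
    for label, net in NETS:
        if ip in net:
            return label
    # May still be unallocated/unrouted; that needs a current bogon list.
    return "not-static-bogon"

def parse_line(line):
    """Parse one deny line; return None for non-matching or malformed lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proto, src, _sport, dst, dport = m.groups()
    try:
        return (classify(src), classify(dst), proto, int(dport))
    except ValueError:  # e.g. an octet above 255
        return None

def summarize(lines):
    """Count deny lines per (src class, dst class, protocol, dst port)."""
    return Counter(rec for rec in map(parse_line, lines) if rec)

SAMPLE = [
    "Deny TCP 172.16.4.1:4616 192.100.103.4:135",  # line quoted in the thread
    "Deny TCP 172.16.4.1:4617 192.100.103.5:135",  # constructed
    "Deny TCP 10.1.2.3:3321 127.0.0.2:25",         # constructed
    "Deny UDP 192.168.0.9:123 198.51.100.7:123",   # constructed
    "Deny TCP 300.1.1.1:1 10.0.0.1:135",           # constructed, malformed
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

A high count for an RFC 1918 source class toward one destination port points at internal hosts leaking past NAT, which is the case Mike describes tracing back to customers.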