[63553] in North American Network Operators' Group


RE: CCO/cisco.com issues.

daemon@ATHENA.MIT.EDU (Sean McPherson)
Tue Oct 7 13:43:20 2003

Date: Tue, 7 Oct 2003 13:40:10 -0400 (EDT)
From: Sean McPherson <nanog@seanmcpherson.com>
To: nanog@merit.edu
Cc: rdobbins@cisco.com
Errors-To: owner-nanog-outgoing@merit.edu


<SNIPPAGE>

>We're continuing to work the issue, and would be grateful if operators 
>would check for 40-byte spoofed TCP headed towards 198.133.219.25/32 and 
>trace/block it as warranted. Your patience and understanding are greatly 
>appreciated.
>
>Thanks!
>
>-------------------------------------------------------------
>Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice

Roland,

Are these spoofed addresses from any range specifically in relation to the 
'real' source address (ie, are they spoofing other IPs in the same subnet 
or CIDR range, a specific known range, or just random routable addresses)?

I've run some netflow filters and have seen some traffic (very small 
amounts) that could match the very simple 40-byte payloads to that /32 
traversing out of a few customers' gear, but I was hoping to not have to 
start digging into traffic to see if it originated in the 'right' places 
if you already had any ideas. That said, I don't want to ignore the fact 
it's not much traffic, since with enough zombied machines, a lot of 'trickles' 
forms a flood!

Thanks,

Sean McPherson
nanog <@ is the at sign> seanmcpherson dotcom
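The check Sean describes (netflow filters for 40-byte TCP flows toward the /32, then deciding whether each flow left a customer port from the "right" source range) can be scripted against exported flow records. The following is an added example, not code from the thread or from Cisco; the CSV-shaped sample records, the customer-to-prefix table and the interface names are constructed for illustration. Since NetFlow reports per-flow totals, a "40-byte packet" flow is inferred as bytes == 40 * packets, and the source check is a BCP38-style test of whether the source address belongs to the prefixes assigned to the ingress interface.

```python
import ipaddress
from collections import defaultdict

# The /32 that the thread asks operators to watch.
TARGET = ipaddress.ip_address("198.133.219.25")
TCP = 6
TCP_HEADER_ONLY = 40  # 20-byte IP header + 20-byte TCP header, no options, no payload

# Constructed sample records in a NetFlow-v5-like CSV shape (not real collector output):
# srcaddr,dstaddr,proto,packets,bytes,input_interface
SAMPLE_FLOWS = """\
192.0.2.17,198.133.219.25,6,120,4800,cust-a
198.51.100.200,198.133.219.25,6,50,2000,cust-a
203.0.113.9,198.133.219.25,6,75,3000,cust-b
192.0.2.40,198.133.219.25,6,3,180,cust-a
192.0.2.99,198.133.219.25,17,10,400,cust-a
192.0.2.5,203.0.113.77,6,30,1200,cust-a
"""

# Hypothetical assignment of prefixes to customer-facing interfaces; a real
# deployment would derive this from its own provisioning records.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/24")],
}


def parse_flows(text):
    """Turn the CSV-shaped records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, pkts, octets, iface = line.split(",")
        flows.append({
            "srcaddr": ipaddress.ip_address(src),
            "dstaddr": ipaddress.ip_address(dst),
            "proto": int(proto),
            "packets": int(pkts),
            "bytes": int(octets),
            "iface": iface,
        })
    return flows


def is_header_only_tcp_to_target(flow):
    """Match TCP flows to the target whose average packet size is exactly 40 bytes.
    NetFlow carries per-flow totals, so the per-packet size is inferred from bytes/packets."""
    if flow["dstaddr"] != TARGET or flow["proto"] != TCP or flow["packets"] == 0:
        return False
    return flow["bytes"] == TCP_HEADER_ONLY * flow["packets"]


def source_is_valid(flow, prefixes):
    """BCP38-style check: is the source address one the ingress interface may legitimately originate?"""
    return any(flow["srcaddr"] in net for net in prefixes.get(flow["iface"], []))


def find_suspect_flows(flows, prefixes):
    """Return (flow, source_valid) pairs for every flow matching the 40-byte TCP pattern."""
    return [(f, source_is_valid(f, prefixes)) for f in flows if is_header_only_tcp_to_target(f)]


def summarize_by_interface(flows, prefixes):
    """Per ingress interface: matching flow count, packet total and any spoofed source addresses.
    Small per-interface totals still add up, which is why every interface is reported."""
    summary = defaultdict(lambda: {"flows": 0, "packets": 0, "spoofed_sources": []})
    for flow, valid in find_suspect_flows(flows, prefixes):
        entry = summary[flow["iface"]]
        entry["flows"] += 1
        entry["packets"] += flow["packets"]
        if not valid:
            entry["spoofed_sources"].append(str(flow["srcaddr"]))
    return dict(summary)


if __name__ == "__main__":
    report = summarize_by_interface(parse_flows(SAMPLE_FLOWS), CUSTOMER_PREFIXES)
    for iface, entry in sorted(report.items()):
        print(f"{iface}: {entry['flows']} flows, {entry['packets']} packets, "
              f"spoofed sources: {entry['spoofed_sources']}")
```

On the sample data the flow from 198.51.100.200 on cust-a is the one that fails the source check (that address is outside cust-a's assigned /24), while the matching flows with valid sources point at hosts inside the customer's own range that still warrant a look. A flow whose bytes/packets ratio is not exactly 40 (for example the 60-byte-average one) is deliberately left out, since it carries options or payload and does not fit the pattern described in the thread.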


