On Mon, 25 Nov 2002, Stephen J. Wilcox wrote:
> We saw many hundred thousand packets per second entering our network from various international peers. Each packet was TCP, destined to a single real end-user IP address and sourced from a /16 network address, e.g. 61.254.0.0, where the source was random and different on each packet but always x.x.0.0.
Yes. We've asked all our upstreams to block it completely (with varying degrees of success, from it being permanently blocked at their borders to "we can't apply filters on your interface").

For Junos (I was informed that this is only available in 5.5), you can filter using:

  0.0.0.0/0.0.255.255

On a Cisco you can block using:

  deny ip 0.0.0.0 255.255.0.0 any
> I was unable to find out more about the data within the packet; the sheer volume made diagnosis impossible without killing the routers.
Looked just like a regular SYN flood to the target IP. Not sure why they picked source addresses that were so obviously bogus, though. Can anyone think of a reason why this sort of traffic should be routed at all? Does anyone actually drop hosts on to addresses ending in x.x.x.0?

Rich
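The two filters quoted in the reply express the same match in opposite notations: the Cisco wildcard 255.255.0.0 marks the high 16 bits as "don't care", while the Junos mask 0.0.255.255 marks the low 16 bits as "must match". The script below is an added example (not code from the thread or from either vendor) that implements both conventions, runs the ACL over a constructed packet sample shaped like the flood described (SYNs to one destination from never-repeating x.x.0.0 sources), and summarises SYNs and distinct sources per destination. Addresses, the sample packets and the function names are all assumptions made for illustration.

```python
"""Wildcard/netmask matching for the "source is x.x.0.0" filter.

Added example, not code from the original NANOG thread. The packet
records below are constructed to resemble the flood described: SYNs to
one destination from many different /16 network addresses whose last
two octets are always zero.
"""
import ipaddress
from collections import Counter


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def cisco_wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco ACL semantics: a 1 bit in the wildcard means "don't care".

    'deny ip 0.0.0.0 255.255.0.0 any' therefore matches any source whose
    low 16 bits are zero, i.e. any address of the form x.x.0.0.
    """
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def junos_mask_match(addr: str, prefix: str) -> bool:
    """Junos-style 'address/mask' with a non-contiguous mask, e.g.
    0.0.0.0/0.0.255.255: a 1 bit in the mask means "must match".
    This is the bitwise inverse of the Cisco wildcard convention.
    """
    base, mask = prefix.split("/")
    care = _ip(mask)
    return (_ip(addr) & care) == (_ip(base) & care)


# Constructed sample traffic (src, dst, TCP flags); not captured data.
SAMPLE_PACKETS = [
    ("61.254.0.0", "192.0.2.10", "S"),     # flood: random /16, host part zero
    ("203.7.0.0", "192.0.2.10", "S"),
    ("130.59.0.0", "192.0.2.10", "S"),
    ("12.3.0.0", "192.0.2.10", "S"),
    ("198.51.100.7", "192.0.2.10", "S"),   # legitimate client handshake
    ("192.0.2.10", "198.51.100.7", "SA"),
    ("198.51.100.7", "192.0.2.10", "A"),
    ("203.0.113.0", "192.0.2.10", "S"),    # ends in .0 but not .0.0: not matched
]


def apply_filter(packets, base="0.0.0.0", wildcard="255.255.0.0"):
    """Split packets into (dropped, passed) under the Cisco-style ACL."""
    dropped, passed = [], []
    for pkt in packets:
        src = pkt[0]
        (dropped if cisco_wildcard_match(src, base, wildcard) else passed).append(pkt)
    return dropped, passed


def syn_summary(packets):
    """Per destination: (number of SYNs, number of distinct sources).

    A single destination receiving many SYNs from many never-repeating
    sources is the shape of a spoofed SYN flood.
    """
    syns = Counter()
    sources = {}
    for src, dst, flags in packets:
        if flags == "S":
            syns[dst] += 1
            sources.setdefault(dst, set()).add(src)
    return {dst: (n, len(sources[dst])) for dst, n in syns.items()}


if __name__ == "__main__":
    dropped, passed = apply_filter(SAMPLE_PACKETS)
    print(f"dropped {len(dropped)} packets, passed {len(passed)}")
    for dst, (n_syn, n_src) in syn_summary(SAMPLE_PACKETS).items():
        print(f"{dst}: {n_syn} SYNs from {n_src} distinct sources")
```

Two points worth keeping in mind when deploying such a filter: the Cisco wildcard and the Junos mask are bitwise inverses of each other, so copying one into the other box unchanged inverts the match; and under CIDR an address of the form x.x.0.0 can be a legitimate host inside an allocation larger than /16, so the ACL trades a small amount of collateral damage for dropping the flood at the border.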