On Thu, 25 Sep 2003, Mike Tancsa wrote:
Is it all to 135 ? I drop lots of that at my border. Each time I traced it back to the customer, it was some infected machine that was not being natted for various reasons.
e.g.
Deny TCP 172.16.4.1:4616 192.100.103.4:135
We also see the odd ntp request. Is it bogon as in RFC 1918 or bogon as in not yet allocated / routed ?
We are seeing some amount of traffic to the SMTP port of 127.0.0.2 (!!!). I haven't bothered to check this out at the moment. One would suppose the routers would blackhole the loopback traffic (or have a route to 127.0.0.1), but no... :-)
At 05:26 PM 25/09/2003, Mark Segal wrote:
While cleaning the narchi virus icmp traffic.. I noticed a lot of tcp traffic (it seems to be increasing) from spoofed address to bogon space? Any ideas on what virus or worm this is? Is it new?
Regards, Mark
-- Mark Segal Director, Network Planning FCI Broadband Tel: 905-284-4070 Fax: 416-987-4701 http://www.fcibroadband.com
Futureway Communications Inc. is now FCI Broadband
-- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings