Pekka Savola wrote:
On Thu, 25 Sep 2003, Mike Tancsa wrote:
Is it all to 135? I drop lots of that at my border. Each time I traced it back to the customer, it was some infected machine that was not being natted for various reasons.
e.g.
Deny TCP 172.16.4.1:4616 192.100.103.4:135
We also see the odd ntp request. Is it bogon as in RFC 1918 or bogon as in not yet allocated / routed?
We are seeing some amount of traffic to the SMTP port of 127.0.0.2 (!!!). I haven't bothered to check this out at the moment. One would suppose the routers would blackhole the loopback traffic (or have a route to 127.0.0.1), but no... :-)
I've been seeing this too. There are some jokers (SPAMmers?) out there putting 127.0.0.2 in their MX records. Our Solaris mail server actually puts 127.0.0.2 out on the wire (the default route) despite,

  lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
          inet 127.0.0.1 netmask ff000000

the fact it looks like these should be routed to the loopback. This also flies in the face of RFC1122, Sec. 3.2.1.3(g),

  (g) { 127, <any> }

      Internal host loopback address. Addresses of this form MUST NOT appear outside a host.

This is however historical UN*X behavior. We hardcoded FreeBSD to drop 127/8 heading out of the host only a year ago and got a few complaints from people who were doing things they probably should not have been doing or could have just as easily done with RFC1918 addresses.

I would expect 127/8 to be on any bogon list.

--
Crist J. Clark crist.clark@globalstar.com
Globalstar Communications (408) 933-4387
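An added example, not part of the original thread: a small Python audit that reads border deny-log lines in the shape quoted above (`Deny TCP src:port dst:port`) and flags any address falling in 127/8 or RFC 1918 space. The function names and the assumption that the quoted line shows the whole log format are mine; all sample lines except the first are constructed.

```python
import ipaddress
import re

# Special-use ranges named in the thread. "Not yet allocated" space is left
# out on purpose: it changes over time and needs a maintained bogon feed.
SPECIAL_RANGES = [
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),    # RFC 1122 3.2.1.3(g)
    ("rfc1918", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918", ipaddress.ip_network("192.168.0.0/16")),
]

# Assumed log format, taken from the one line quoted in the thread.
LOG_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def classify(addr):
    """Return 'loopback', 'rfc1918', or None for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    for label, net in SPECIAL_RANGES:
        if ip in net:
            return label
    return None

def audit(lines):
    """Return (side, address, dst_port, label) for each special-use address."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a line in the assumed format
        for side in ("src", "dst"):
            try:
                label = classify(m[side])
            except ValueError:
                continue  # digits and dots, but not a valid address
            if label:
                findings.append((side, m[side], int(m["dport"]), label))
    return findings

SAMPLE_LOG = [
    "Deny TCP 172.16.4.1:4616 192.100.103.4:135",  # line quoted in the thread
    "Deny TCP 192.0.2.25:33012 127.0.0.2:25",      # constructed: SMTP to 127.0.0.2
    "Deny UDP 10.1.2.3:123 192.0.2.1:123",         # constructed: stray NTP
    "Deny TCP 192.0.2.7:40000 192.0.2.9:80",       # constructed: no special-use address
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A source-side `rfc1918` hit points at an un-NATed inside host, while a destination-side `loopback` hit is a host putting 127/8 on the wire, for instance after following an MX record that resolves there.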