On Sat, Feb 21, 2004 at 07:47:46AM -0500, Geo. wrote:
> We had an attack here last night and the attack traffic was coming from an IP address of x.x.255.x which isn't a valid IP address yet the traffic was being routed over the internet (as far as I can tell anyway). When I attempted to track down the source I found our Cisco routers wouldn't accept the address as valid so it was not possible to null route or trace the traffic.

*GASP* Traffic with an invalid IP address being routed over the Internet? Dear god NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO! Please say it isn't so. Oh the humanity.

Actually, it is a perfectly valid IP address. You just need to turn on ip subnet-zero.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080...

That means nothing however, as there is traffic with invalid source addresses routed over the Internet all the time. Routing has nothing to do with source IP, and everything to do with dest IP. If you want to filter it, use an acl.

> Has anyone else ever seen this before? Clue me in?

I don't think an ordinary clue stick will do... Hrm perhaps a stick of clue dynamite is in order.

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
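An added illustration, not part of the original message: the sketch below models a router that chooses the next hop from the destination address alone and, optionally, checks a source ACL before forwarding. The route table, ACL entry, next-hop names and addresses are all constructed, and 10.0.255.7 stands in for the masked x.x.255.x source.

```python
import ipaddress

# Constructed forwarding table: prefix -> next hop (hypothetical names).
ROUTES = {
    "0.0.0.0/0": "upstream",
    "192.0.2.0/24": "customer-lan",
}

# Constructed source ACL: packets from these prefixes are dropped.
DENY_SOURCES = ["10.0.255.0/24"]


def is_usable_host(addr, prefix):
    """True if addr lies in prefix and is not its network or broadcast address."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(prefix)
    return ip in net and ip not in (net.network_address, net.broadcast_address)


def next_hop(dst):
    """Longest-prefix match on the destination; the source is never consulted."""
    ip = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in ROUTES
               if ip in ipaddress.ip_network(p)]
    best = max(matches, key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


def acl_permits(src):
    """Source filtering is a separate, explicit check from route lookup."""
    ip = ipaddress.ip_address(src)
    return not any(ip in ipaddress.ip_network(p) for p in DENY_SOURCES)


def forward(src, dst, use_acl):
    """Return the next hop for a packet, or 'drop' if the source ACL denies it."""
    if use_acl and not acl_permits(src):
        return "drop"
    return next_hop(dst)


if __name__ == "__main__":
    # An octet of 255 does not by itself make an address a broadcast address.
    print(is_usable_host("10.0.255.7", "10.0.255.0/24"))
    # Without an ACL the packet is delivered whatever its source claims to be.
    print(forward("10.0.255.7", "192.0.2.10", use_acl=False))
    print(forward("10.0.255.7", "192.0.2.10", use_acl=True))
```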