<SNIPPAGE>
We're continuing the work the issue, and would be grateful if operators would check for 40-byte spoofed TCP headed towards 198.133.219.25/32 and trace/block it as warranted. Your patience and understanding are greatly appreciated.
Thanks!
------------------------------------------------------------- Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice
Roland, Are these spoofed addresses from any range specifically in relation to the 'real' source address (ie, are they spoofing other IPs in the same subnet or CIDR range, a specific known range, or just random routable addresses)? I've run some netflow filters and have seen some traffic (very small amounts) that could match the very simple 40-byte payloads to that /32 traversing out of a few customers' gear, but I was hoping to not have to start digging into traffic to see if it originated in the 'right' places if you already had any ideas. That said, I don't want to ignore the fact it's not much traffic, since with enough zombied machines, a lot of 'trickles' forms a flood! Thanks, Sean McPherson nanog <@ is the at sign> seanmcpherson dotcom