Glad to know it's not just me. FYI, x.x.0.0 is a valid host address, as is x.x.x.0, and it would be technically incorrect to block it assuming it to be a network address and therefore bogon. However, this may be a way to do it if we see another attack, although I would strongly recommend against filtering x.x.x.0. I would doubt that there are any valid x.x.0.0 hosts on the internet, so could filter on that. Steve On Mon, 25 Nov 2002 variable@ednet.co.uk wrote:
On Mon, 25 Nov 2002, Stephen J. Wilcox wrote:
We saw many hundred thousand packets per second entering our network from various international peers. Each packet was TCP, destined to a single real end user IP address and sourced from a /16 network address, e.g. 61.254.0.0, where the src was random and different on each packet but always x.x.0.0.
Yes. We've asked all our upstreams to block it completely (with varying degrees of success, from it being permanently blocked at their borders to "we can't apply filters on your interface").
For Junos (I was informed that this is only available in 5.5), you can filter using:
0.0.0.0/0.0.255.255
On a cisco you can block using:
deny ip 0.0.0.0 255.255.0.0 any
I was unable to find out more about the data within the packet; the sheer volume made diagnosis impossible without killing the routers.
Looked just like a regular SYN flood to the target IP. Not sure why they picked source addresses that were so obviously bogus though.
Can anyone think of a reason why this sort of traffic should be routed at all? Does anyone actually drop hosts on to addresses ending in x.x.x.0?
Rich
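An added example, not from the thread or either poster, showing what the two filter notations above actually match: the Cisco wildcard 255.255.0.0 (1 = don't care) and the Junos mask 0.0.255.255 (assumed here to be a "care" mask, 1 = must match) both reduce to "last 16 bits are zero", so they drop x.x.0.0 sources but leave x.x.x.0 alone, which is the distinction Steve draws. The sample source list is constructed.

```python
import ipaddress

# Constructed sample of packet source addresses (not captured from the attack)
SAMPLE_SOURCES = [
    "61.254.0.0",    # the spoofed x.x.0.0 pattern described in the thread
    "203.0.113.0",   # x.x.x.0 with a non-zero third octet: NOT matched
    "198.51.100.7",  # ordinary host address: NOT matched
    "10.1.0.0",      # x.x.0.0, but could be a real host inside a larger block
    "0.0.0.0",
]


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def matches_cisco_wildcard(addr, pattern="0.0.0.0", wildcard="255.255.0.0"):
    """Cisco ACL semantics: a wildcard bit of 1 means 'don't care', 0 means
    'must equal the pattern bit'. 'deny ip 0.0.0.0 255.255.0.0 any' thus
    matches any source whose low 16 bits are zero."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(pattern) & care)


def matches_junos_mask(addr, pattern="0.0.0.0", mask="0.0.255.255"):
    """Junos discontiguous-mask semantics as assumed here: a mask bit of 1
    means 'must match'. 0.0.0.0/0.0.255.255 is the complement of the Cisco
    wildcard above and selects the same addresses."""
    care = _to_int(mask)
    return (_to_int(addr) & care) == (_to_int(pattern) & care)


def filter_sources(sources):
    """Split a list of source addresses into (dropped, passed) under the
    x.x.0.0 filter; both notations must agree on every address."""
    dropped, passed = [], []
    for src in sources:
        hit = matches_cisco_wildcard(src)
        if hit != matches_junos_mask(src):
            raise ValueError(f"notations disagree on {src}")
        (dropped if hit else passed).append(src)
    return dropped, passed


if __name__ == "__main__":
    drop, keep = filter_sources(SAMPLE_SOURCES)
    print("dropped:", drop)
    print("passed: ", keep)
```

Note that 10.1.0.0 is dropped too: this is exactly the collateral Steve mentions, since a host numbered x.x.0.0 inside a block larger than /16 is legitimate and will be caught by this filter.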