We are seeing a large number of TCP connection attempts to ports known to have security issues. The source addresses are spoofed from our address range. They are easy to block at our border router, obviously, but the number and volume are a bit worrisome. Our upstream providers appear to be uninterested in tracing or blocking them. Is this the new normal? One of my concerns is that if others are seeing probe attempts, they will see them from these addresses and, of course, contact us. Any suggestions on what to do next? Or just ignore it?

----
Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139
* Matthew Huff:

> We are seeing a large number of TCP connection attempts to ports known to have security issues. The source addresses are spoofed from our address range. They are easy to block at our border router, obviously, but the number and volume are a bit worrisome. Our upstream providers appear to be uninterested in tracing or blocking them. Is this the new normal? One of my concerns is that if others are seeing probe attempts, they will see them from these addresses and, of course, contact us.

What's the distribution of the source addresses and source ports?

--
Florian Weimer <fweimer@bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
The source address appears to be fixed, as well as the source port (6666), scanning different destinations and ports.

----
Matthew Huff | OTA Management LLC

On Thursday, December 03, 2009 12:35 PM, Florian Weimer wrote (Re: port scanning from spoofed addresses):

> What's the distribution of the source addresses and source ports?
I'm not at all concerned about door-knob twisting or network scanning. What concerns me is that the source addresses are spoofed from our address range and that our upstream providers aren't willing to even look at the problem.

----
Matthew Huff | OTA Management LLC

On Thursday, December 03, 2009 1:01 PM, Charles Wyble wrote:

> On Dec 3, 2009, at 9:53 AM, Matthew Huff wrote:
>
>> The source address appears to be fixed, as well as the source port (6666), scanning different destinations and ports.
>
> Some script kiddies found nmap and decided to target you for some reason. It happens. It's annoying.
On Thu, 3 Dec 2009 13:03:20 -0500 Matthew Huff <mhuff@ox.com> wrote:

> I'm not at all concerned about door-knob twisting or network scanning. What concerns me is that the source addresses are spoofed from our address range and that our upstream providers aren't willing to even look at the problem.

But that can be easily addressed by yourself: just do not allow traffic originating from your range on your external interfaces.

--
With best regards,
Gregory Edigarov
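The two practical points in the thread so far are Florian's question (what is the distribution of source addresses and source ports?) and Gregory's rule (drop anything that enters on the external interface with a source inside your own range). The script below is an added example, not code from the thread or from any of its participants: it applies Gregory's rule to firewall log lines and then answers Florian's question over the packets that rule catches. Everything concrete in it is an assumption, not something the thread states: the organisation's range is taken to be the RFC 5737 documentation prefix 203.0.113.0/24, the upstream-facing interface to be eth0, and the log format to be the netfilter LOG target's key=value lines; the sample lines are constructed to resemble the probes described (one fixed spoofed source, source port 6666, varying destinations and ports).

```python
"""Triage of TCP probes that arrive on the border from outside while carrying
a source address inside our own prefix.

Added example, not code from the thread.  Assumptions (none come from the
thread): our range is the RFC 5737 documentation prefix 203.0.113.0/24, the
external interface is eth0, and the log lines use the netfilter LOG target's
key=value format.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

OWN_PREFIXES = [ip_network("203.0.113.0/24")]   # assumption: "our address range"
EXTERNAL_IFACES = {"eth0"}                       # assumption: upstream-facing port

# Constructed sample log lines (not real data).  Lines 1-3 model the probes
# described in the thread: one spoofed source in our range, source port 6666,
# walking destination hosts and ports.  Line 4 is a legitimate external client;
# line 5 is one of our own hosts seen on the internal interface.
SAMPLE_LOG = """\
Dec  3 12:01:07 border kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.10 PROTO=TCP SPT=6666 DPT=445 SYN
Dec  3 12:01:07 border kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.11 PROTO=TCP SPT=6666 DPT=135 SYN
Dec  3 12:01:08 border kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.12 PROTO=TCP SPT=6666 DPT=1433 SYN
Dec  3 12:01:09 border kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=443 SYN
Dec  3 12:01:09 border kernel: IN=eth1 OUT=eth0 SRC=203.0.113.20 DST=198.51.100.9 PROTO=TCP SPT=40000 DPT=80 SYN
"""

FIELD_RE = re.compile(r"\b(IN|SRC|DST|PROTO|SPT|DPT)=(\S*)")


def parse_line(line):
    """Pull the fields we need out of one LOG line; None if it is not a packet log."""
    fields = dict(FIELD_RE.findall(line))
    if not fields.get("SRC") or not fields.get("DST"):
        return None
    return {
        "iface": fields.get("IN", ""),
        "src": ip_address(fields["SRC"]),
        "dst": ip_address(fields["DST"]),
        "proto": fields.get("PROTO", ""),
        "sport": int(fields["SPT"]) if fields.get("SPT") else None,
        "dport": int(fields["DPT"]) if fields.get("DPT") else None,
    }


def is_spoofed(pkt, own_prefixes=OWN_PREFIXES, external_ifaces=EXTERNAL_IFACES):
    """The border rule from the thread: a packet entering on an external
    interface must not carry a source address from our own range."""
    if pkt["iface"] not in external_ifaces:
        return False                      # internal side: our addresses belong here
    return any(pkt["src"] in net for net in own_prefixes)


def summarize(lines, **kw):
    """Distribution of source addresses, source ports and destination ports
    over the spoofed packets only (the question asked in the thread)."""
    pkts = (parse_line(line) for line in lines)
    spoofed = [p for p in pkts if p is not None and is_spoofed(p, **kw)]
    return {
        "count": len(spoofed),
        "sources": Counter(str(p["src"]) for p in spoofed),
        "sports": Counter(p["sport"] for p in spoofed),
        "dports": Counter(p["dport"] for p in spoofed),
    }


def pattern(summary):
    """One-line description of what the spoofed packets have in common."""
    if summary["count"] == 0:
        return "no spoofed packets"
    n_src, n_spt, n_dpt = (len(summary[k]) for k in ("sources", "sports", "dports"))
    src = "fixed source" if n_src == 1 else f"{n_src} sources"
    spt = "fixed source port" if n_spt == 1 else f"{n_spt} source ports"
    return f"{summary['count']} spoofed packets: {src}, {spt}, {n_dpt} destination ports"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(pattern(s))
    print("sources:", dict(s["sources"]))
    print("source ports:", dict(s["sports"]))
    print("destination ports:", dict(s["dports"]))
```

Feed real LOG lines on stdin in place of `SAMPLE_LOG` and the same functions apply. The rule `is_spoofed` encodes is what a border filter enforces in one line; on a Linux border with an existing `inet filter` table and `input` chain it is `nft add rule inet filter input iifname "eth0" ip saddr 203.0.113.0/24 drop`, and on an IOS-style router an extended ACL with `deny ip 203.0.113.0 0.0.0.255 any` applied inbound on the upstream interface (prefix and interface names are the assumptions above). Note the caveat Matthew raises: this stops the packets at your own border, but it does nothing about third parties who see the same spoofed source and come to you; only filtering where the packets originate changes that.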
On Thursday, December 03, 2009 12:05 PM, Matthew Huff <mhuff@ox.com> wrote:

> but the number and volume are a bit worrisome. Our upstream providers appear to be uninterested in tracing or blocking them. Is this the new normal?

Yes, it's the new norm... same as the old norm... I'm surprised they didn't try to upsell you on some type of managed DDoS solution...

Stefan Fouant
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
On Thu, Dec 3, 2009 at 10:35 PM, Matthew Huff <mhuff@ox.com> wrote:

> We are seeing a large number of TCP connection attempts to ports known to have security issues. The source addresses are spoofed from our address range. They are easy to block at our border router, obviously, but the number and volume are a bit worrisome. Our upstream providers appear to be uninterested in tracing or blocking them. Is this the new normal? One of my concerns is that if others are seeing probe attempts, they will see them from these addresses and, of course, contact us.
>
> Any suggestions on what to do next? Or just ignore it?

Filter it out and then ignore. Might as well filter it out - see http://thespamdiaries.blogspot.com/2006/02/new-host-cloaking-technique-used-...
participants (6)

- Charles Wyble
- Florian Weimer
- Gregory Edigarov
- Matthew Huff
- Stefan Fouant
- Suresh Ramasubramanian