Re: Increase in tcp traffic from spoofed source to bogon?
On Thu, 25 Sep 2003, Mike Tancsa wrote:
Is it all to 135? I drop lots of that at my border. Each time I traced it back to the customer, it was some infected machine that was not being natted for various reasons.
e.g.
Deny TCP 172.16.4.1:4616 192.100.103.4:135
We also see the odd ntp request. Is it bogon as in RFC 1918 or bogon as in not yet allocated / routed?
We are seeing some amount of traffic to the SMTP port of 127.0.0.2 (!!!). I haven't bothered to check this out at the moment. One would suppose the routers would blackhole the loopback traffic (or have a route to 127.0.0.1), but no... :-)
At 05:26 PM 25/09/2003, Mark Segal wrote:
While cleaning the narchi virus icmp traffic.. I noticed a lot of tcp traffic (it seems to be increasing) from spoofed address to bogon space? Any ideas on what virus or worm this is? Is it new?
Regards, Mark
--
Mark Segal
Director, Network Planning
FCI Broadband
Tel: 905-284-4070 Fax: 416-987-4701
http://www.fcibroadband.com
Futureway Communications Inc. is now FCI Broadband
--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security.  -- George R.R. Martin: A Clash of Kings
Pekka Savola wrote:
On Thu, 25 Sep 2003, Mike Tancsa wrote:
Is it all to 135? I drop lots of that at my border. Each time I traced it back to the customer, it was some infected machine that was not being natted for various reasons.
e.g.
Deny TCP 172.16.4.1:4616 192.100.103.4:135
We also see the odd ntp request. Is it bogon as in RFC 1918 or bogon as in not yet allocated / routed?
We are seeing some amount of traffic to the SMTP port of 127.0.0.2 (!!!). I haven't bothered to check this out at the moment. One would suppose the routers would blackhole the loopback traffic (or have a route to 127.0.0.1), but no... :-)
I've been seeing this too. There are some jokers (SPAMmers?) out there putting 127.0.0.2 in their MX records. Our Solaris mail server actually puts 127.0.0.2 out on the wire (the default route) despite the fact it looks like these should be routed to the loopback:

lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000

This also flies in the face of RFC1122, Sec. 3.2.1.3(g):

(g) { 127, <any> }
Internal host loopback address. Addresses of this form MUST NOT appear outside a host.

This is however historical UN*X behavior. We hardcoded FreeBSD to drop 127/8 heading out of the host only a year ago and got a few complaints from people who were doing things they probably should not have been doing or could have just as easily done with RFC1918 addresses. I would expect 127/8 to be on any bogon list.

--
Crist J. Clark
crist.clark@globalstar.com
Globalstar Communications
(408) 933-4387
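As an added illustration (not part of the thread, and not anyone's production tooling), the following script classifies border-router deny lines in the format Mike Tancsa quoted above, flagging un-NATed RFC 1918 sources, 127/8 destinations of the kind Crist Clark describes, and the TCP/135 probes from infected hosts. The log format, the bogon prefix list and the sample lines are assumptions and constructed data.

```python
import ipaddress
import re
from collections import Counter

# Prefixes that must not appear on the wire as source or destination:
# 127/8 (RFC 1122 3.2.1.3(g)), RFC 1918 space, 0/8 and link-local.
# Assumed list; a real bogon list would also carry unallocated space.
BOGON_RANGES = [
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918", ipaddress.ip_network("192.168.0.0/16")),
    ("this-net", ipaddress.ip_network("0.0.0.0/8")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
]

# Assumed log format: "Deny <proto> <src>:<sport> <dst>:<dport>"
LINE_RE = re.compile(r"^Deny (\w+) ([\d.]+):(\d+) ([\d.]+):(\d+)$")


def bogon_class(addr: str) -> str:
    """Return the bogon label for addr, or 'routable' if none matches."""
    ip = ipaddress.ip_address(addr)
    for label, net in BOGON_RANGES:
        if ip in net:
            return label
    return "routable"


def classify(line: str):
    """Parse one deny line and list what is wrong with it (None if unparsable)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, src, sport, dst, dport = m.groups()
    findings = []
    src_cls, dst_cls = bogon_class(src), bogon_class(dst)
    if src_cls != "routable":
        findings.append(f"unnatted/spoofed {src_cls} source {src}")
    if dst_cls != "routable":
        findings.append(f"{dst_cls} destination {dst}")
    if proto == "TCP" and dport == "135":
        findings.append("tcp/135 probe")
    return {"src": src, "dst": dst, "dport": int(dport), "findings": findings}


def summarize(lines):
    """Count findings per source address so the noisiest host stands out."""
    counts = Counter()
    for line in lines:
        rec = classify(line)
        if rec:
            for finding in rec["findings"]:
                counts[(rec["src"], finding)] += 1
    return counts


# Constructed sample lines in the same shape as the one quoted in the thread.
SAMPLE = [
    "Deny TCP 172.16.4.1:4616 192.100.103.4:135",
    "Deny TCP 172.16.4.1:4617 192.100.103.5:135",
    "Deny TCP 198.51.100.7:33012 127.0.0.2:25",
]
```

Feeding real deny logs through `summarize` gives a per-host tally; the host with the most `tcp/135 probe` entries is the one to trace back to the customer.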