Anyone seeing anything similar - trying to determine if this is spoofed etc...

--
Rich Sena - ras@thick.net
ThickNET Consulting
"On the way to understanding; you understand, and forget."
Probably not spoofed, I see a lot of scanning from China.

route: 121.8.0.0/13
descr: From Guangdong Network of ChinaTelecom
origin: AS4134
mnt-by: MAINT-CHINANET
changed: dingsy@cndata.com 20060707
source: APNIC

person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: anti-spam@ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: dingsy@cndata.com 20070416
mnt-by: MAINT-CHINANET
source: APNIC

-Patrick

----- Original Message -----
From: "Rich Sena" <ras@thick.net>
To: "NANOG" <nanog@merit.edu>
Sent: Thursday, March 6, 2008 12:01:52 PM (GMT-0800) America/Los_Angeles
Subject: Scan traffic from 121.8.0.0/16

Anyone seeing anything similar - trying to determine if this is spoofed etc...

--
Rich Sena - ras@thick.net
ThickNET Consulting
"On the way to understanding; you understand, and forget."
Rich Sena wrote:
Anyone seeing anything similar - trying to determine if this is spoofed etc...
Why would you think it is a problem? It's China Telecom. What else would you expect?

Off the sarcastic and onto the serious, I am seeing hits on 53/UDP and 25/TCP from a couple of hosts in that netblock. From my experience, these are probably spambots.

Jon K.

--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
m: 843-224-2494
Rich Sena wrote:
Anyone seeing anything similar - trying to determine if this is spoofed etc...
I haven't picked up any SSH or telnet scans from that network. That's what I'm looking for at the moment. The number of scans we're getting is quite impressive at times. I wish there was an easy way to automate the care and feeding of my RTBH with this data (and some sanity checks).

Justin
Have you queried the DShield database for the hosts you are seeing? http://www.dshield.org/ipinfo.html?ip= add the IP after the =
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Rich Sena
Sent: Thursday, March 06, 2008 12:02 PM
To: NANOG
Subject: Scan traffic from 121.8.0.0/16

Anyone seeing anything similar - trying to determine if this is spoofed etc...

--
Rich Sena - ras@thick.net
ThickNET Consulting
"On the way to understanding; you understand, and forget."
participants (5)
- Jon R. Kibler
- Justin Shore
- Patrick Clochesy
- Rich Sena
- Tomas L. Byrnes