Security Incidents mailing list archives
Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)
From: Valdis.Kletnieks () vt edu
Date: Mon, 03 Feb 2003 14:04:52 -0500
On Mon, 03 Feb 2003 10:40:02 EST, Joel Tyson <jtyson () pa eplus com> said:
The best way to handle these types of packets would be to route them to a null0 interface. This way the packets will be dropped without icmp response. Typically all ISP should have these ACL's configured on their border routers; but they don't.
There's not much financial incentive for many ISPs to filter - when you're billing based on traffic volume, you don't really want all those probes to go away. So what if 20% of the traffic is probes? That's 20% more income for the provider, and many providers are in a financial crunch - that 20% may be all that's keeping them afloat. As long as they don't get burned by an SQL worm that takes out their infrastructure too, why should the filter? /Valdis (who is having a more-cynical-than-usual day)
Attachment:
_bin
Description:
Current thread:
- RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) David Gillett (Feb 02)
- <Possible follow-ups>
- RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Joel Tyson (Feb 03)
- Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Valdis . Kletnieks (Feb 05)
- Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Hugo van der Kooij (Feb 05)
- Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Frederic Harster (Feb 05)
- Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Christian Vogel (Feb 05)
- Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Meritt James (Feb 05)
- RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) James Kelly (Feb 05)
- Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Frederic Harster (Feb 05)