nanog mailing list archives
RE: CCO/cisco.com issues.
From: Sean McPherson <nanog () seanmcpherson com>
Date: Tue, 7 Oct 2003 13:40:10 -0400 (EDT)
<SNIPPAGE>
We're continuing the work the issue, and would be grateful if operators would check for 40-byte spoofed TCP headed towards 198.133.219.25/32 and trace/block it as warranted. Your patience and understanding are greatly appreciated. Thanks! ------------------------------------------------------------- Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice
Roland, Are these spoofed addresses from any range specifically in relation to the 'real' source address (ie, are they spoofing other IPs in the same subnet or CIDR range, a specific known range, or just random routable addresses)? I've run some netflow filters and have seen some traffic (very small amounts) that could match the very simple 40-byte payloads to that /32 traversing out of a few customers' gear, but I was hoping to not have to start digging into traffic to see if it originated in the 'right' places if you already had any ideas. That said, I don't want to ignore the fact it's not much traffic, since with enough zombied machines, a lot of 'trickles' forms a flood! Thanks, Sean McPherson nanog <@ is the at sign> seanmcpherson dotcom
Current thread:
- RE: Re[2]: CCO/cisco.com issues., (continued)
- RE: Re[2]: CCO/cisco.com issues. Terry Baranski (Oct 06)
- Re: CCO/cisco.com issues. Suresh Ramasubramanian (Oct 06)
- Re: CCO/cisco.com issues. Stephen J. Wilcox (Oct 07)
- Re: CCO/cisco.com issues. Suresh Ramasubramanian (Oct 07)
- Re: CCO/cisco.com issues. Laurence F. Sheldon, Jr. (Oct 07)
- Re: CCO/cisco.com issues. Matt (Oct 06)
- Re: CCO/cisco.com issues. Peter E. Fry (Oct 06)
- Re: CCO/cisco.com issues. Ariel Biener (Oct 06)
- Re: CCO/cisco.com issues. Allan Liska (Oct 06)