Security Incidents mailing list archives

Re: 24 hour strobes from 10.0.x.x


From: Konrad Michels <konrad () overnetdata com>
Date: Thu, 23 Aug 2001 09:05:55 +0100

I was even more perturbed when I called the support line of my upstream provider and the response was "huh?" and, after putting me on hold for a while, "Sorry, there is nothing we can do about it from here - call your account manager"!

What our account manager was going to do about it was a little beyond me, but I called her anyway. Her line was busy, so I left a message and have still not been called back! Surprise surprise!

Given the raft of problems we've had with our upstream provider to date, I can't say the response was unexpected.

Unfortunately, I inherited the firewalls when I got here, and while they are fairly decent ones, they have a windoze only gui (even though the firewall itself is a customised version of Linux & ipchains), which only allows me to deny packets and not drop them.

I was busy configuring a Linux box with iptables yesterday to put between the router & the firewall to create a black hole for the packets, but just before I finished, the attack stopped! Go figure!

Graham Bignell wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Be very disturbed that your upstream provider isn't filtering out
those spoofed packets; they should not allow the rfc1918 netblocks
to or from your network.  Seriously, it should be in your contract.

Your firewall should also be dropping these packets by default, is your issue the rate at which you are getting hit with traffic so the device is kept busy?

---
Graham "Lorax" Bignell
724 Solutions Inc.
-----Original Message-----
From: Konrad Michels [mailto:konrad () overnetdata com]
Sent: Wednesday, August 22, 2001 7:53 AM
To: incidents () securityfocus com
Subject: 24 hour strobes from 10.0.x.x


For the last 24 hours I've had our firewall hammered repeatedly from 10.0.1.1 - 10.0.1.9, all 9 addresses simultaneously going at all ports over 1024, over and over again!

Obviously spoofed packet headers - and just as I got annoyed enough to want to start digging a bit deeper, the silly buggers stop! Now isn't that annoying! Anyway, what was interesting about this was also that, if I changed the IP address of the firewall's external interface say one up or one down, the ruddy things followed it! Obviously then whatever it was, was continuously strobing a whole block of IP addresses!

Anyone else seen anything like this lately?

Later
Konrad


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBO4P0wzfvNyvTILx2EQKU9QCff0e5p9FAm6Vm7gJfNr68sIiPI4cAoIx+
2UGhwI2u5xO5oclMfijIEuEO
=14Qu
-----END PGP SIGNATURE-----




--
****************************************************
*                                                  *
* Please note that I will not be in the office     *
* on Friday 24 August.                             *
*                                                  *
****************************************************
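The point both posters make is that packets with RFC1918 source addresses should never arrive on an external interface, so anything that does is a bogon and should be dropped silently (not rejected, which costs the firewall a reply per packet) and, ideally, filtered upstream. Below is an added example, not code from the thread, showing how a defender would spot the pattern described here in firewall logs: it parses log lines in the netfilter LOG target format (the sample lines, interface names and addresses are constructed for this example), keeps only packets that entered on the external interface from a private source, and reports any such source that is sweeping many high ports.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the style of the netfilter LOG target.
# They are made up for this example and are not from the original thread.
SAMPLE_LOG = """\
Aug 22 07:40:01 fw kernel: IN=eth0 OUT= SRC=10.0.1.1 DST=192.0.2.10 PROTO=TCP SPT=1234 DPT=1025 SYN
Aug 22 07:40:01 fw kernel: IN=eth0 OUT= SRC=10.0.1.1 DST=192.0.2.10 PROTO=TCP SPT=1234 DPT=1026 SYN
Aug 22 07:40:01 fw kernel: IN=eth0 OUT= SRC=10.0.1.1 DST=192.0.2.10 PROTO=TCP SPT=1234 DPT=1027 SYN
Aug 22 07:40:02 fw kernel: IN=eth0 OUT= SRC=10.0.1.1 DST=192.0.2.10 PROTO=TCP SPT=1234 DPT=1028 SYN
Aug 22 07:40:02 fw kernel: IN=eth0 OUT= SRC=10.0.1.1 DST=192.0.2.10 PROTO=TCP SPT=1234 DPT=1029 SYN
Aug 22 07:40:02 fw kernel: IN=eth0 OUT= SRC=10.0.1.1 DST=192.0.2.10 PROTO=TCP SPT=1234 DPT=1030 SYN
Aug 22 07:40:03 fw kernel: IN=eth0 OUT= SRC=10.0.1.2 DST=192.0.2.10 PROTO=TCP SPT=1234 DPT=1025 SYN
Aug 22 07:40:03 fw kernel: IN=eth0 OUT= SRC=10.0.1.2 DST=192.0.2.10 PROTO=TCP SPT=1234 DPT=1026 SYN
Aug 22 07:40:04 fw kernel: IN=eth1 OUT= SRC=192.168.5.5 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=1025 SYN
Aug 22 07:40:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=2000 SYN
"""

# The three private ranges from RFC 1918; none of them is routable on the public Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Pull the fields we need out of a netfilter LOG line; lines without a DPT (e.g. ICMP) are skipped.
LOG_RE = re.compile(
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) .*?DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def is_rfc1918(addr):
    """True if addr is a valid IP address inside one of the RFC 1918 blocks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def parse_log(text):
    """Turn raw log text into a list of event dicts with iface, src, dst and dpt (int)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append(
                {"iface": m["iface"], "src": m["src"], "dst": m["dst"], "dpt": int(m["dpt"])}
            )
    return events


def find_bogon_strobes(events, external_iface="eth0", min_ports=5):
    """Report private-source packets seen on the external interface that sweep many ports.

    Returns {src: sorted list of distinct destination ports} for every RFC 1918 source
    that touched at least min_ports distinct ports. The interface name is an assumption
    for this example; use the name of your own border interface.
    """
    ports_by_src = defaultdict(set)
    for ev in events:
        if ev["iface"] != external_iface:
            continue  # private sources on internal interfaces are legitimate
        if not is_rfc1918(ev["src"]):
            continue  # public sources are a different problem (rate, not bogons)
        ports_by_src[ev["src"]].add(ev["dpt"])
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_bogon_strobes(parse_log(SAMPLE_LOG)).items():
        print(f"bogon source {src} strobed {len(ports)} ports: {ports[0]}-{ports[-1]}")
```

On the constructed sample this flags only 10.0.1.1 (six distinct ports); 10.0.1.2 stays below the threshold, the 192.168.5.5 packet is ignored because it entered on the inside interface, and the public source is left to ordinary rate-based alerting. The detection is deliberately independent of the firewall's own verdict, so it works equally well on logs from a box that still rejects rather than drops the traffic.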

