Rise in spoofing and smurfing?

[Glenn Forbes Fleming Larratt <glratt () io com>]

In our educational Class B (obfuscated as 299.299.0.0/16 below), we've
seen a much higher than normal incidence, 

1. in the last week or two, of what appear to be smurf attempts, e.g. 
(mildly filtered Cisco syslogs):

Feb 28 19:29:55 tcp 217.59.20.181(21) -> 299.299.0.255(21), 1 packet
Feb 28 19:29:58 tcp 217.59.20.181(21) -> 299.299.1.255(21), 1 packet
Feb 28 19:30:00 tcp 217.59.20.181(21) -> 299.299.2.255(21), 1 packet
        :
        :
Feb 28 19:37:07 tcp 217.59.20.181(21) -> 299.299.248.255(21), 1 packet
Feb 28 19:37:10 tcp 217.59.20.181(21) -> 299.299.250.255(21), 1 packet
Feb 28 19:37:16 tcp 217.59.20.181(21) -> 299.299.253.255(21), 1 packet

2. in the last three days, of indications of our address space being
spoofed in huge quantity, presumably as part of DoS, decoy scanning,
or other nastiness, e.g. (tcpdump -vv of Snort binary logs, in many
cases implying "stimulus" hosts that don't exist in out network
[subnets 108 and 93 are unallocated within our Class B]):

02/28 16:06:33.293696 208.184.231.250 > 299.299.108.141: icmp: host 207.78.169.4 unreachable for 299.299.108.141.1171 > 
207.78.169.4.1024: [|tcp] (DF) (ttl 123, id 38089, len 48) (ttl 248, id 0, len 56)
02/28 16:06:52.377804 208.184.231.250 > 299.299.93.170: icmp: host 207.78.169.4 unreachable for 299.299.93.170.1170 > 
207.78.169.4.1219: [|tcp] (DF) (ttl 123, id1165, len 48) (ttl 248, id 0, len 56)

Has anyone seen similar behavior?

        -g
-- 
Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-) 
glratt () io com                        http://www.io.com/~glratt  
There are imaginary bugs to chase in heaven.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com