nanog mailing list archives
Re: Increase in tcp traffic from spoofed source to bogon?
From: Pekka Savola <pekkas () netcore fi>
Date: Fri, 26 Sep 2003 12:23:44 +0300 (EEST)
On Thu, 25 Sep 2003, Mike Tancsa wrote:
Is it all to 135 ? I drop lots of that at my border. Each time I traced it back to the customer, it was some infected machine that was not being natted for various reasons. e.g. Deny TCP 172.16.4.1:4616 192.100.103.4:135 We also see the odd ntp request. Is it bogon as in RFC 1918 or bogon as in not yet allocated / routed ?
We are seeing some amount of traffic to the SMTP port of 127.0.0.2 (!!!). I haven't bothered to check this out at the moment. One would suppose the routers would blackhole the loopback traffic (or have a route to 127.0.0.1), but no... :-)
At 05:26 PM 25/09/2003, Mark Segal wrote:While cleaning the narchi virus icmp traffic.. I noticed a lot of tcp traffic (it seems to be increasing) from spoofed address to bogon space? Any ideas on what virus or worm this is? Is it new? Regards, Mark -- Mark Segal Director, Network Planning FCI Broadband Tel: 905-284-4070 Fax: 416-987-4701 http://www.fcibroadband.com Futureway Communications Inc. is now FCI Broadband
-- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
Current thread:
- Increase in tcp traffic from spoofed source to bogon? Mark Segal (Sep 25)
- Message not available
- Re: Increase in tcp traffic from spoofed source to bogon? Mike Tancsa (Sep 25)
- Message not available
- <Possible follow-ups>
- Re: Increase in tcp traffic from spoofed source to bogon? Pekka Savola (Sep 26)
- Re: Increase in tcp traffic from spoofed source to bogon? Crist Clark (Sep 26)