nanog mailing list archives

Re: Increase in tcp traffic from spoofed source to bogon?


From: Pekka Savola <pekkas () netcore fi>
Date: Fri, 26 Sep 2003 12:23:44 +0300 (EEST)


On Thu, 25 Sep 2003, Mike Tancsa wrote:
Is it all to 135? I drop lots of that at my border. Each time I traced
it back to the customer, it was some infected machine that was not being
natted for various reasons.

e.g.

Deny TCP 172.16.4.1:4616 192.100.103.4:135

We also see the odd NTP request. Is it bogon as in RFC 1918 or bogon as in
not yet allocated / routed?

We are seeing some amount of traffic to the SMTP port of 127.0.0.2 (!!!).  
I haven't bothered to check this out at the moment.  One would suppose the 
routers would blackhole the loopback traffic (or have a route to 
127.0.0.1), but no... :-)

At 05:26 PM 25/09/2003, Mark Segal wrote:

While cleaning the Nachi virus ICMP traffic.. I noticed a lot of TCP
traffic (it seems to be increasing) from spoofed address to bogon space?
Any ideas on what virus or worm this is?  Is it new?

Regards,
Mark

--
Mark Segal
Director, Network Planning
FCI Broadband
Tel: 905-284-4070
Fax: 416-987-4701
http://www.fcibroadband.com

Futureway Communications Inc. is now FCI Broadband


-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
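
Added example, not part of the original messages or written by any of the posters: one way to triage border deny logs in the "Deny TCP src:sport dst:dport" form quoted above, separating RFC 1918 and loopback endpoints from everything else and counting hits per destination port. Only the first sample line comes from the thread; the others are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Special-purpose ranges named in the thread: RFC 1918 private space and loopback.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Line format as quoted in the thread: "Deny TCP src:sport dst:dport".
LINE_RE = re.compile(r"^Deny\s+(TCP|UDP)\s+([\d.]+):(\d+)\s+([\d.]+):(\d+)$")

def classify(addr):
    """Return 'loopback', 'rfc1918' or 'other' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if ip in LOOPBACK:
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    # Telling unallocated space from routed space needs a current
    # allocation list, which this example does not embed.
    return "other"

def parse(line):
    """Parse one deny line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, src, _sport, dst, dport = m.groups()
    try:
        return {"proto": proto, "dport": int(dport),
                "src": classify(src), "dst": classify(dst)}
    except ValueError:  # e.g. an octet above 255
        return None

def summarize(lines):
    """Count denied flows by (source class, destination class, proto, port)."""
    hits = Counter()
    for rec in filter(None, map(parse, lines)):
        hits[(rec["src"], rec["dst"], rec["proto"], rec["dport"])] += 1
    return hits

SAMPLE = [
    "Deny TCP 172.16.4.1:4616 192.100.103.4:135",   # from the thread
    "Deny TCP 10.9.8.7:1040 127.0.0.2:25",          # constructed
    "Deny UDP 192.168.1.20:123 198.51.100.7:123",   # constructed
    "Deny TCP 999.1.1.1:1 10.0.0.1:135",            # constructed, invalid
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```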



