nanog mailing list archives
RE: port scanning from spoofed addresses
From: Matthew Huff <mhuff () ox com>
Date: Thu, 3 Dec 2009 12:53:04 -0500
The source address appears to be fixed as well as the source port (6666), scanning different destinations and ports. ---- Matthew Huff | One Manhattanville Rd OTA Management LLC | Purchase, NY 10577 http://www.ox.com | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139 -----Original Message----- From: Florian Weimer [mailto:fweimer () bfk de] Sent: Thursday, December 03, 2009 12:35 PM To: Matthew Huff Cc: (nanog () nanog org) Subject: Re: port scanning from spoofed addresses * Matthew Huff:
We are seeing a large number of tcp connection attempts to ports known to have security issues. The source addresses are spoofed from our address range. They are easy to block at our border router obviously, but the number and volume is a bit worrisome. Our upstream providers appear to be uninterested in tracing or blocking them. Is this the new normal? One of my concerns is that if others are seeing probe attempts, they will see them from these addresses and of course, contact us.
What's the distribution of the source addresses and source ports? -- Florian Weimer <fweimer () bfk de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99
Current thread:
- port scanning from spoofed addresses Matthew Huff (Dec 03)
- Re: port scanning from spoofed addresses Florian Weimer (Dec 03)
- RE: port scanning from spoofed addresses Matthew Huff (Dec 03)
- Re: port scanning from spoofed addresses Charles Wyble (Dec 03)
- RE: port scanning from spoofed addresses Matthew Huff (Dec 03)
- Re: port scanning from spoofed addresses Gregory Edigarov (Dec 04)
- RE: port scanning from spoofed addresses Matthew Huff (Dec 03)
- Re: port scanning from spoofed addresses Florian Weimer (Dec 03)