List:       incidents
Subject:    Re: 24 hour strobes from 10.0.x.x
From:       Konrad Michels <konrad () overnetdata ! com>
Date:       2001-08-23 8:05:55

I was even more perturbed when I called the support line of my upstream 
provider and the response was "huh?" and, after putting me on hold for a 
while, "Sorry, there is nothing we can do about it from here - call your 
account manager"!

What our account manager was going to do about it was a little beyond 
me, but I called her anyway.  Her line was busy, so I left a message and 
have still not been called back!  Surprise surprise!

Given the raft of problems we've had with our upstream provider to date, 
I can't say the response was unexpected.

Unfortunately, I inherited the firewalls when I got here, and while they 
are fairly decent ones, they have a windoze only gui (even though the 
firewall itself is a customised version of Linux & ipchains), which only 
allows me to deny packets and not drop them.

I was busy configuring a Linux box with iptables yesterday to put 
between the router & the firewall to create a black hole for the 
packets, but just before I finished, the attack stopped!  Go figure!

Graham Bignell wrote:

>  
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Be very disturbed that your upstream provider isn't filtering out
> those spoofed packets; they should not allow the rfc1918 netblocks
> to or from your network.  Seriously, it should be in your contract.
> 
> Your firewall should also be dropping these packets by default, is 
> your issue the rate at which you are getting hit with traffic so 
> the device is kept busy?
> 
> - ---
> Graham "Lorax" Bignell
> 724 Solutions Inc.  
> 
> - -----Original Message-----
> From: Konrad Michels [mailto:konrad@overnetdata.com]
> Sent: Wednesday, August 22, 2001 7:53 AM
> To: incidents@securityfocus.com
> Subject: 24 hour strobes from 10.0.x.x
> 
> 
> For the last 24 hours I've had our firewall hammered repeatedly from 
> 10.0.1.1 - 10.0.1.9, all 9 addresses simultaneously going at all ports 
> over 1024, over and over again!
> 
> Obviously spoofed packet headers - and just as I got annoyed enough to 
> want to start digging a bit deeper, the silly buggers stop!  Now isn't 
> that annoying!  Anyway, what was interesting about this was also that, 
> if I changed the IP address of the firewall's external interface say one 
> up or one down, the ruddy things followed it!  Obviously then whatever 
> it was, was continuously strobing a whole block of IP addresses!
> 
> Anyone else seen anything like this lately?
> 
> Later
> Konrad
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.1
> 
> iQA/AwUBO4P0wzfvNyvTILx2EQKU9QCff0e5p9FAm6Vm7gJfNr68sIiPI4cAoIx+
> 2UGhwI2u5xO5oclMfijIEuEO
> =14Qu
> -----END PGP SIGNATURE-----
> 
> 


-- 
****************************************************
*                                                  *
* Please note that I will not be in the office     *
* on Friday 24 August.                             *
*                                                  *
****************************************************


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
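
Added example, not part of the original messages: a Python check that flags the condition discussed in this thread, packets arriving on the external interface with an RFC 1918 source address, and lists the destination ports each such source touched. It assumes netfilter LOG-style key=value log lines and an external interface named eth0; the sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 private netblocks: never a valid source on an Internet-facing interface.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

EXT_IF = "eth0"  # assumption: name of the external (upstream-facing) interface

# Constructed sample lines in netfilter LOG key=value style (not from the thread).
SAMPLE_LOG = """\
Aug 22 07:40:01 fw kernel: IN=eth0 OUT= SRC=10.0.1.1 DST=192.0.2.10 PROTO=TCP SPT=4312 DPT=1025
Aug 22 07:40:01 fw kernel: IN=eth0 OUT= SRC=10.0.1.1 DST=192.0.2.10 PROTO=TCP SPT=4313 DPT=1026
Aug 22 07:40:01 fw kernel: IN=eth0 OUT= SRC=10.0.1.9 DST=192.0.2.10 PROTO=TCP SPT=2200 DPT=6000
Aug 22 07:40:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=5000 DPT=25
Aug 22 07:40:02 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP SPT=3000 DPT=22
Aug 22 07:40:03 fw kernel: IN=eth0 OUT= SRC=172.16.5.5 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Aug 22 07:40:03 fw kernel: IN=eth0 OUT= SRC=172.32.0.1 DST=192.0.2.10 PROTO=TCP SPT=1111 DPT=80
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def spoofed_private_sources(log_text, ext_if=EXT_IF):
    """Map each RFC 1918 source seen inbound on ext_if to its sorted destination ports."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("IN") != ext_if or "SRC" not in fields:
            continue  # not inbound on the external interface, or not a packet line
        try:
            src = ipaddress.ip_address(fields["SRC"])
        except ValueError:
            continue  # malformed address field
        if not any(src in net for net in RFC1918):
            continue  # routable source (including 172.32.0.1, just outside 172.16/12)
        ports = hits[str(src)]  # record the source even when there is no port (ICMP)
        if fields.get("DPT", "").isdigit():
            ports.add(int(fields["DPT"]))
    return {ip: sorted(ports) for ip, ports in hits.items()}


if __name__ == "__main__":
    for ip, ports in sorted(spoofed_private_sources(SAMPLE_LOG).items()):
        print(f"{ip}: {len(ports)} distinct destination port(s) {ports}")
```

Private-range traffic on the internal interface (the eth1 line in the sample) is legitimate and is not flagged unless that interface is named as the external one.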
