[Dshield] Re: A lot of spoofing

Lou Rabon lrabon at netstream.ws
Wed Mar 20 20:19:50 GMT 2002


> Responding to Malcolm Joosse's post with respect to tracking down the actual
> source of these packets.
> 
> I made a similar request of our ISP last year, and their response was to ask
> whether or not we're willing to spend the money to prosecute.  Their reasoning
> is that there is SO much of this stuff going on (you should see my logs), that
> they're only willing to spend the time (both they and any other ISPs
> potentially involved) if the end customer is willing to go to the mat and
> prosecute.
> 
> As for the nature of the attack - this is JUST a guess, but it might be a
> fishing expedition.  Double check on whether these packets are coming from the
> inside or outside.  I've seen firewall-1 for example log internal NB broadcasts
> as hostile packets, where there was no actual attack going on.
> 

One other note: you could (and should!) do ingress filtering on your router to block all the IANA-assigned private address blocks.

Lou
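
The following is an added example, not part of the original post: a log triage script that applies both suggestions in this thread, checking whether a private-source packet arrived on the inside or the outside interface and marking the ones an ingress filter for the RFC 1918 blocks would drop. The log layout, the interface names `ext0`/`int0`, and the sample lines are constructed assumptions.

```python
import ipaddress

# RFC 1918 private address blocks reserved by IANA.
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log; the "iface src dst service" layout is hypothetical.
SAMPLE_LOG = """\
ext0 10.1.2.3 203.0.113.10 udp/137
ext0 198.51.100.7 203.0.113.10 tcp/80
int0 192.168.1.25 192.168.1.255 udp/137
ext0 172.20.5.9 203.0.113.10 tcp/445
ext0 172.32.0.1 203.0.113.10 tcp/25
ext0 not-an-ip 203.0.113.10 tcp/25
"""

def private_block(src):
    """Return the RFC 1918 block containing src, or None if it is not private."""
    addr = ipaddress.ip_address(src)  # raises ValueError on malformed input
    return next((net for net in PRIVATE_BLOCKS if addr in net), None)

def classify(log_text, external_ifaces=("ext0",)):
    """Return (iface, src, verdict) for each line matching the assumed layout."""
    results = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed layout
        iface, src, _dst, _service = fields
        try:
            block = private_block(src)
        except ValueError:
            verdict = "invalid-source"
        else:
            if block is None:
                verdict = "pass"
            elif iface in external_ifaces:
                # Private source arriving from outside: spoofed or leaked, so
                # an ingress filter on the external interface would drop it.
                verdict = "drop"
            else:
                verdict = "internal"  # local traffic, e.g. a NetBIOS broadcast
        results.append((iface, src, verdict))
    return results

if __name__ == "__main__":
    for iface, src, verdict in classify(SAMPLE_LOG):
        print(f"{iface:5} {src:15} {verdict}")
```

Note that 172.32.0.1 passes: the 172.16.0.0/12 block ends at 172.31.255.255, a boundary that hand-written filters often get wrong.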



