[Dshield] What were the hackers trying to do?

Johannes Ullrich jullrich at euclidian.com
Mon Mar 3 15:29:26 GMT 2003

> Guess I still don't understand. It came through my ISP. Are you saying
> that an infected LAN passed this to my ISP and they let it through to
> me? Shouldn't my ISP be filtering this type of traffic?

Yes. Your ISP should block it (unless this machine is on your ISP's

ISPs should filter all traffic at their router that has 'non routable'
source or destination IPs. Some ISPs use 10. and similar IPs for
internal purposes, which is ok.

Further, ISPs should implement what is called 'egress' and 'ingress'
filtering. Essentially, an ISP should not allow any traffic out
that claims to come from an IP address that is not used internally,
and it should not allow any traffic in that claims to come from an
internally used IP address. This way, spoofed traffic cannot
leave the ISP, and at least spoofed traffic that claims to come from
the inside cannot enter the network.

However, for large ISPs these filters can become complex and many don't
bother with it.
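
The filtering rules described in the message above, sketched as a border-router decision function. This is an added example, not part of the original post; the internal prefixes, the sample packets, and the name `border_filter` are constructed for illustration.

```python
import ipaddress

# Non-routable ranges: RFC 1918 private space, loopback, link-local.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample: prefixes a hypothetical ISP assigns to its customers
# (documentation ranges, not real allocations).
INTERNAL = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]


def _in(addr, nets):
    return any(addr in n for n in nets)


def border_filter(direction, src, dst, internal=INTERNAL):
    """Return (action, reason) for a packet crossing the ISP's border router.

    direction is "out" (leaving the ISP) or "in" (entering the ISP).
    Traffic that stays inside the ISP never reaches this check, so
    internal use of 10.x addresses is unaffected.
    """
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if _in(s, NON_ROUTABLE) or _in(d, NON_ROUTABLE):
        return ("drop", "non-routable source or destination")
    if direction == "out" and not _in(s, internal):
        return ("drop", "egress: source is not an internally used address")
    if direction == "in" and _in(s, internal):
        return ("drop", "ingress: source claims an internally used address")
    return ("allow", "passes border filters")


if __name__ == "__main__":
    # Constructed sample packets: (direction, source, destination).
    packets = [
        ("out", "198.51.100.7", "192.0.2.10"),   # legitimate customer traffic
        ("out", "192.0.2.99", "192.0.2.10"),     # spoofed source leaving the ISP
        ("in", "203.0.113.5", "198.51.100.7"),   # outside packet claiming inside source
        ("in", "10.1.2.3", "198.51.100.7"),      # private source crossing the border
        ("in", "192.0.2.10", "198.51.100.7"),    # legitimate inbound traffic
    ]
    for p in packets:
        print(p, "->", border_filter(*p))
```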

