[Dshield] puzzled by FWIN entry

John Hardin johnh at aproposretail.com
Sun Sep 14 15:49:49 GMT 2003


On Sat, 2003-09-13 at 21:50, melvin smith wrote:
> Since I only own one computer and it is on a 
> dial-up internet connection, I can't understand
> why I am seeing firewall entries coming from 
> computers that have a 10.x.x.x IP addy.
> What gives here??         Mel.

Most ISPs do not implement invalid-source-address filtering as being
"too costly", and even if they do implement it at their borders they may
not implement it at their client routers or internally. One thing they
may do is to set up their routing tables so that traffic sent *to* such
addresses goes nowhere, but that does not help with forged/misconfigured
source addresses (e.g. it wouldn't slow down a DoS using forged source
IPs).

Your border firewall should drop source and destination addresses from
the private blocks (192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8),
127.0.0.0/8, and 169.254.0.0/16 (DHCP self-assigned).

You could also complain to your ISP. If enough people do this they may
implement forged-source filtering.

--
John Hardin  KA7OHZ                           
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
  Just say ".Nyet"
-----------------------------------------------------------------------
 7 days until Galileo is deorbited
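
An added example, not part of the original post: a check of firewall log entries against the address blocks listed in the reply above, reporting which entries carry a source or destination that should never arrive from the Internet. The comma-separated FWIN line layout and the sample lines are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

# Blocks the reply says a border firewall should drop (source or destination).
BLOCKS = {
    "192.168.0.0/16": "private",
    "172.16.0.0/12": "private",
    "10.0.0.0/8": "private",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "DHCP self-assigned",
}
NETS = [(ipaddress.ip_network(cidr), label) for cidr, label in BLOCKS.items()]

def match_block(addr):
    """Return (cidr, label) of the listed block containing addr, else None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # not an IP address at all
    for net, label in NETS:
        if ip in net:
            return str(net), label
    return None

def check_entry(line):
    """Parse one FWIN line (assumed layout: type,date,time,src,dst,proto).
    Return a list of (role, address, block) hits, or None if unparseable."""
    fields = line.strip().split(",")
    if len(fields) < 5 or fields[0] != "FWIN":
        return None
    hits = []
    for role, field in (("source", fields[3]), ("destination", fields[4])):
        host = field.rsplit(":", 1)[0]  # strip ":port" when present
        found = match_block(host)
        if found:
            hits.append((role, host, found[0]))
    return hits

# Constructed sample log lines (documentation-range addresses for public hosts).
SAMPLE = [
    "FWIN,2003/09/13,21:40:12 -7:00 GMT,10.44.3.7:4021,198.51.100.20:135,TCP (flags:S)",
    "FWIN,2003/09/13,21:41:05 -7:00 GMT,203.0.113.9:1055,198.51.100.20:445,TCP (flags:S)",
    "FWIN,2003/09/13,21:42:30 -7:00 GMT,172.20.1.1,198.51.100.20,ICMP (type:8/subtype:0)",
    "FWIN,2003/09/13,21:43:00 -7:00 GMT,172.32.0.1:137,198.51.100.20:137,UDP",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        for role, host, block in check_entry(entry) or []:
            print(f"drop: {role} {host} is inside {block}")
```

The last sample line is deliberately just outside 172.16.0.0/12, which ends at 172.31.255.255, so it is not flagged.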



