[Dshield] ISPs - How much monitoring is enough?

Bjorn Stromberg bjorn at thechemistrylab.com
Thu Jan 15 18:47:09 GMT 2004


I've got 4 static IP addresses assigned to a server that is always on. My
ISP sends out a daily sweep from 10.4.0.12 pinging each of my IPs and
sending an ACK packet to port 80 on each of my IPs. Recently, around
Christmas, they began hourly ping sweeps from the gateway router, and these have
been filling up my log files ever since. Today I added a rule to my firewall
to respond to these hourly pings and stop blocking them.

What's the best practice in this scenario? Do I continue to block the hourly
pings and log them? Do I silently block them? Or do I accept them and
respond?

Obviously these packets from 10.4.0.12 appear to be forged because they are
coming in on the internet side of my firewall. They get dropped and a little
flag gets raised because these are supposed to be non-routable IPs.

Does your ISP do similar things? Do you receive hourly ping sweeps? Daily
ping sweeps? No ping sweeps at all?

Does your ISP scan well known ports for compromised machines?

I feel it's a bit much to be constantly bombarded by skiddies, and having my
ISP join in on the action is, for lack of a better word, annoying.


Bjorn Stromberg
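As an added example (not part of Bjorn's post or anything from the DShield list), here is a small Python triage script for the situation he describes: it parses iptables-style LOG lines, flags sources that use non-routable (RFC 1918, loopback, link-local) addresses on the WAN interface, counts unsolicited TCP ACKs to port 80, and spots sources that show up once an hour so they can get an explicit rule instead of a per-packet log entry. Everything in it is constructed: the log lines, the host name `gw`, the interface names `eth0`/`eth1`, the addresses and timestamps, and the `recommend()` verdict strings, which encode one defensible policy rather than a list consensus.

```python
"""Triage firewall LOG lines for probes arriving on the external interface.

Added example, not code from the original post. Assumes iptables LOG format
("IN=... OUT=... SRC=... DST=... PROTO=..." plus bare TCP flag tokens);
interface names, addresses and timestamps below are all made up.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data). eth0 is assumed to be the WAN side.
SAMPLE_LOG = """\
Jan 15 09:00:01 gw kernel: DROP-IN: IN=eth0 OUT= SRC=10.4.0.12 DST=203.0.113.10 PROTO=ICMP TYPE=8 CODE=0
Jan 15 09:00:01 gw kernel: DROP-IN: IN=eth0 OUT= SRC=10.4.0.12 DST=203.0.113.10 PROTO=TCP SPT=1234 DPT=80 WINDOW=1024 RES=0x00 ACK URGP=0
Jan 15 10:00:02 gw kernel: DROP-IN: IN=eth0 OUT= SRC=10.4.0.12 DST=203.0.113.11 PROTO=ICMP TYPE=8 CODE=0
Jan 15 11:00:01 gw kernel: DROP-IN: IN=eth0 OUT= SRC=10.4.0.12 DST=203.0.113.12 PROTO=ICMP TYPE=8 CODE=0
Jan 15 11:37:44 gw kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP SPT=44532 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 15 12:00:03 gw kernel: DROP-IN: IN=eth0 OUT= SRC=10.4.0.12 DST=203.0.113.13 PROTO=ICMP TYPE=8 CODE=0
Jan 15 12:05:10 gw kernel: DROP-IN: IN=eth1 OUT= SRC=192.168.1.5 DST=203.0.113.10 PROTO=ICMP TYPE=8 CODE=0
"""

# Explicit list rather than ipaddress's is_private, which also covers the
# documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) used as stand-ins here.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this" net
)]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<prefix>\S+) (?P<rest>.*)$"
)


def is_nonroutable(addr):
    """True if addr falls in a range that is never routed on the public internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)


def parse_line(line, year=2004):
    """Parse one LOG line into a dict; returns None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    tokens = m.group("rest").split()
    fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
    flags = {tok for tok in tokens if "=" not in tok}          # e.g. SYN, ACK, DF
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "prefix": m.group("prefix"), "flags": flags, **fields}


def triage(log_text, wan_if="eth0", periodic_hours=3):
    """Summarise each source address seen in the log and tag suspicious traits."""
    per_src = defaultdict(list)
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        per_src[ev["SRC"]].append(ev)

    report = {}
    for src, evs in per_src.items():
        wan = [e for e in evs if e.get("IN") == wan_if]
        hours = {e["ts"].replace(minute=0, second=0, microsecond=0) for e in wan}
        acks = sum(1 for e in wan if e.get("PROTO") == "TCP"
                   and "ACK" in e["flags"] and "SYN" not in e["flags"])
        report[src] = {
            "count": len(evs),
            "wan_count": len(wan),
            "distinct_hours": len(hours),
            # A private source on the internet-facing interface cannot be a normal
            # remote peer: it is either spoofed or a directly attached hop (e.g. the ISP gateway).
            "nonroutable_on_wan": bool(wan) and is_nonroutable(src),
            # Same source in N or more distinct hours: looks like a scheduled sweep.
            "periodic": len(hours) >= periodic_hours,
            "unsolicited_acks": acks,   # ACK without SYN: classic stateful-firewall probe
        }
    return report


def recommend(entry):
    """One reasonable policy per finding (an editorial assumption, not list consensus)."""
    if entry["nonroutable_on_wan"]:
        return "drop without reply; rate-limit the log line (bogon source, reply would not route)"
    if entry["periodic"]:
        return "write an explicit accept-or-drop rule so the hourly sweep stops filling the log"
    return "log and drop"


if __name__ == "__main__":
    for src, entry in triage(SAMPLE_LOG).items():
        print(src, entry, "->", recommend(entry))
```

The threshold of three distinct hours is a heuristic for "periodic"; on a real log you would tighten it to consecutive hours or check the inter-arrival gaps. The non-routable check is deliberately an explicit list so that the documentation ranges used as stand-in public addresses here are not misclassified.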



