[Dshield] ISPs - How much monitoring is enough?
peteoutside at yahoo.com
Thu Jan 15 19:18:51 GMT 2004
Why are they scanning you all the time?
There are better ways to look for servers (which violates TOS in many cases)... I would write them a letter and request that they justify the traffic (it would help if you search your user agreement to determine if you have already agreed to suffer this).
Bjorn Stromberg <bjorn at thechemistrylab.com> wrote:
I've got 4 static IP addresses assigned to a server that is always on. My
ISP sends out a daily sweep from 10.4.0.12 pinging each of my IPs and
sending an ACK packet to Port 80 on each of my IPs. Recently, around
Christmas they began hourly ping sweeps from the gateway router, these have
been filling up my log files ever since. Today I added a rule to my firewall
to respond to these hourly pings and stop blocking them.
What's the best practice in this scenario? Do I continue to block the hourly
pings and log them? Do I silently block them? Or do I accept them and
Obviously these packets from 10.4.0.12 appear to be forged because they are
coming in on the internet side of my firewall. They get dropped and a little
flag gets raised because these are supposed to be non-routable IPs.
Does your ISP do similar things? Do you receive hourly ping sweeps? Daily
ping sweeps? No ping sweeps at all?
Does your ISP scan well known ports for compromised machines?
I feel it's a bit much to be constantly bombarded by skiddies and to have my
ISP join in on the action is, for lack of a better word, annoying.
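An added example, not part of either message: a Python sketch that summarizes WAN-side firewall drops per source, flags RFC 1918 sources such as the 10.4.0.12 mentioned above, and estimates how often each source sweeps every monitored address. The log format, the 198.51.100.x and 203.0.113.x addresses and the function names are assumptions, and the sample log is constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def constructed_log():
    """Constructed WAN-side drop log; format and all addresses but 10.4.0.12 are assumptions."""
    start = datetime(2004, 1, 14)
    targets = [f"198.51.100.{n}" for n in range(10, 14)]  # stand-ins for the four static IPs
    lines = ["2004-01-14T07:13:00 203.0.113.77 198.51.100.10 TCP SYN dport=445"]
    for hour in range(48):
        ts = (start + timedelta(hours=hour, seconds=5)).isoformat()
        for dst in targets:
            lines.append(f"{ts} 198.51.100.1 {dst} ICMP echo-request")  # hourly gateway ping
            if hour % 24 == 3:  # daily sweep: ping plus ACK to port 80
                lines.append(f"{ts} 10.4.0.12 {dst} ICMP echo-request")
                lines.append(f"{ts} 10.4.0.12 {dst} TCP ACK dport=80")
    return lines

def summarize(lines, min_targets=4):
    """Per source: is it RFC 1918, how many full sweeps, and the median hours between them."""
    seen = defaultdict(lambda: defaultdict(set))  # src -> hour bucket -> destinations hit
    for line in lines:
        ts, src, dst = line.split()[:3]
        bucket = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        seen[src][bucket].add(dst)
    report = {}
    for src, buckets in seen.items():
        # A sweep is an hour in which one source touched every monitored address.
        sweeps = sorted(t for t, dsts in buckets.items() if len(dsts) >= min_targets)
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(sweeps, sweeps[1:])]
        addr = ipaddress.ip_address(src)
        report[src] = {
            "rfc1918_source": any(addr in net for net in RFC1918),
            "sweeps": len(sweeps),
            "period_hours": median(gaps) if gaps else None,
        }
    return report

if __name__ == "__main__":
    for src, info in sorted(summarize(constructed_log()).items()):
        print(src, info)
```

A source that shows a steady period can then be given its own firewall rule (drop without logging, or log at a limited rate) so it stops crowding the rest of the log.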