[Dshield] ISPs - How much monitoring is enough?

Micheal Patterson micheal at tsgincorporated.com
Thu Jan 15 20:27:43 GMT 2004


----- Original Message ----- 
From: "Bjorn Stromberg" <bjorn at thechemistrylab.com>
To: <list at dshield.org>
Sent: Thursday, January 15, 2004 12:47 PM
Subject: [Dshield] ISPs - How much monitoring is enough?


> I've got 4 static IP addresses assigned to a server that is always on. My
> ISP sends out a daily sweep from 10.4.0.12 pinging each of my IPs and
> sending an ACK packet to Port 80 on each of my IPs. Recently, around
> Christmas they began hourly ping sweeps from the gateway router, these have
> been filling up my log files ever since. Today I added a rule to my firewall
> to respond to these hourly pings and stop blocking them.
>
> What's the best practice in this scenario? Do I continue to block the hourly
> pings and log them? Do I silently block them? Or do I accept them and
> respond?
>
> Obviously these packets from 10.4.0.12 appear to be forged because they are
> coming in on the internet side of my firewall. They get dropped and a little
> flag gets raised because these are supposed to be non-routable IPs.
>
> Does your ISP do similar things? Do you receive hourly ping sweeps? Daily
> ping sweeps? No ping sweeps at all?
>
> Does your ISP scan well known ports for compromised machines?
>
> I feel it's a bit much to be constantly bombarded by skiddies and to have my
> ISP join in on the action is, for lack of a better word, annoying.
>
>
> Bjorn Stromberg

Bjorn, there's a strong possibility that their internal network is running
off of the 10/8 IP range. This isn't so uncommon. It keeps them from getting
targeted from off net. To your router, they're non-routable IPs, however to
their router, it's probably quite local to them depending on the type of
circuit your link is. This is a common practice with cable and DSL service
providers. They'll use a 10/8, 192.168/16, etc. on their local network, give
you the public IP and just static route traffic or put the CPE stuff in
bridge mode.

--

Micheal Patterson
TSG Network Administration
405-917-0600

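One way to answer Bjorn's "log them or silently drop them" question is to classify the dropped packets before deciding what to report, as an added example that is not part of either post. It assumes netfilter-style KEY=VALUE firewall log lines (constructed here), takes the monitor address 10.4.0.12 and its two probe shapes (ICMP echo, bare ACK to TCP/80) from Bjorn's description, and treats only the RFC 1918 blocks Micheal names as non-routable.

```python
import ipaddress
from collections import Counter

# Constructed sample log lines in a netfilter-like KEY=VALUE style
# (made up for this example, not taken from the original posts).
SAMPLE_LOG = """\
2004-01-15 12:00:01 DROP IN=wan SRC=10.4.0.12 DST=203.0.113.10 PROTO=ICMP TYPE=8
2004-01-15 12:00:01 DROP IN=wan SRC=10.4.0.12 DST=203.0.113.10 PROTO=TCP DPT=80 FLAGS=ACK
2004-01-15 13:00:02 DROP IN=wan SRC=10.4.0.12 DST=203.0.113.11 PROTO=ICMP TYPE=8
2004-01-15 13:05:42 DROP IN=wan SRC=192.168.77.5 DST=203.0.113.10 PROTO=TCP DPT=445 FLAGS=SYN
2004-01-15 13:06:02 DROP IN=wan SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP DPT=135 FLAGS=SYN
2004-01-15 13:10:00 DROP IN=wan SRC=10.4.0.12 DST=203.0.113.10 PROTO=TCP DPT=22 FLAGS=SYN
"""

# The ISP monitoring host from the post and the two probe shapes it sends:
# (PROTO, ICMP TYPE, destination port, TCP flags).
ISP_MONITOR = ipaddress.ip_address("10.4.0.12")
EXPECTED_PROBES = {("ICMP", "8", None, None), ("TCP", None, "80", "ACK")}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Split one log line into a dict of its KEY=VALUE fields."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields


def classify(fields):
    """Label a dropped inbound packet seen on the external interface.

    isp-sweep       known monitor host, known probe shape: report once per period
    isp-unexpected  known monitor host, but a probe shape it has not sent before
    rfc1918-spoof   private source on the WAN side from an unknown host
    external        routable source; left to the normal firewall rules
    """
    src = ipaddress.ip_address(fields["SRC"])
    shape = (fields.get("PROTO"), fields.get("TYPE"), fields.get("DPT"), fields.get("FLAGS"))
    if src == ISP_MONITOR:
        return "isp-sweep" if shape in EXPECTED_PROBES else "isp-unexpected"
    if any(src in net for net in RFC1918):
        return "rfc1918-spoof"
    return "external"


def summarize(log_text):
    """Count each class so the routine sweep collapses to one line while
    everything else stays visible individually."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            counts[classify(parse_line(line))] += 1
    return counts
```

Keeping the drop rule but reporting "isp-sweep" as a single hourly count preserves the evidence that the sweep happened while stopping it from burying the private-source packets that did not come from the ISP's monitor.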
