port scanning from spoofed addresses

Suresh Ramasubramanian ops.lists at gmail.com
Fri Dec 4 09:29:50 UTC 2009


On Thu, Dec 3, 2009 at 10:35 PM, Matthew Huff <mhuff at ox.com> wrote:
> We are seeing a large number of tcp connection attempts to ports known to have security issues. The source addresses are spoofed from our address range. They are easy to block at our border router obviously, but the number and volume is a bit worrisome. Our upstream providers appear to be uninterested in tracing or blocking them. Is this the new normal? One of my concerns is that if others are seeing probe attempts, they will see them from these addresses and of course, contact us.
>
> Any suggestions on what to do next? Or just ignore.

Filter it out and then ignore.   Might as well filter it out - see
http://thespamdiaries.blogspot.com/2006/02/new-host-cloaking-technique-used-by.html




More information about the NANOG mailing list