CCO/cisco.com issues.

• Previous message (by thread): CCO/cisco.com issues.
• Next message (by thread): Verisign's public opinion play
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

<SNIPPAGE>

>We're continuing the work the issue, and would be grateful if operators 
>would check for 40-byte spoofed TCP headed towards 198.133.219.25/32 and 
>trace/block it as warranted. Your patience and understanding are greatly 
>appreciated.
>
>Thanks!
>
>-------------------------------------------------------------
>Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice

Roland,

Are these spoofed addresses from any range specifically in relation to the 
'real' source address (ie, are they spoofing other IPs in the same subnet 
or CIDR range, a specific known range, or just random routable addresses)?

I've run some netflow filters and have seen some traffic (very small 
amounts) that could match the very simple 40-byte payloads to that /32 
traversing out of a few customers' gear, but I was hoping to not have to 
start digging into traffic to see if it originated in the 'right' places 
if you already had any ideas. That said, I don't want to ignore the fact 
it's not much traffic, since with enough zombied machines, a lot of 'trickles' 
forms a flood!

Thanks,

Sean McPherson
nanog <@ is the at sign> seanmcpherson dotcom

• Previous message (by thread): CCO/cisco.com issues.
• Next message (by thread): Verisign's public opinion play
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]