Increase in tcp traffic from spoofed source to bogon?
Pekka Savola
pekkas at netcore.fi
Fri Sep 26 09:23:44 UTC 2003
On Thu, 25 Sep 2003, Mike Tancsa wrote:
> Is it all to 135 ? I drop lots of that at my border. Each time I traced
> it back to the customer, it was some infected machine that was not being
> natted for various reasons.
>
> e.g.
>
> Deny TCP 172.16.4.1:4616 192.100.103.4:135
>
> We also see the odd ntp request. Is it bogon as in RFC 1918 or bogon as in
> not yet allocated / routed ?
We are seeing some amount of traffic to the SMTP port of 127.0.0.2 (!!!).
I haven't bothered to check this out at the moment. One would suppose the
routers would blackhole the loopback traffic (or have a route to
127.0.0.1), but no... :-)
> At 05:26 PM 25/09/2003, Mark Segal wrote:
>
> >While cleaning the narchi virus icmp traffic.. I noticed a lot of tcp
> >traffic (it seems to be increasing) from spoofed address to bogon space?
> >Any ideas on what virus or worm this is? Is it new?
> >
> >Regards,
> >Mark
> >
> >--
> >Mark Segal
> >Director, Network Planning
> >FCI Broadband
> >Tel: 905-284-4070
> >Fax: 416-987-4701
> >http://www.fcibroadband.com
> >
> >Futureway Communications Inc. is now FCI Broadband
>
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
More information about the NANOG
mailing list