Increase in tcp traffic from spoofed source to bogon?

• Previous message (by thread): Increase in tcp traffic from spoofed source to bogon?
• Next message (by thread): Increase in tcp traffic from spoofed source to bogon?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 25 Sep 2003, Mike Tancsa wrote:
> Is it all to 135 ?  I  drop lots of that at my border.  Each time I traced 
> it back to the customer, it was some infected machine that was not being 
> natted for various reasons.
> 
> e.g.
> 
> Deny TCP 172.16.4.1:4616 192.100.103.4:135
> 
> We also see the odd ntp request.  Is it bogon as in RFC 1918 or bogon as in 
> not yet allocated / routed ?

We are seeing some amount of traffic to the SMTP port of 127.0.0.2 (!!!).  
I haven't bothered to check this out at the moment.  One would suppose the 
routers would blackhole the loopback traffic (or have a route to 
127.0.0.1), but no... :-)

> At 05:26 PM 25/09/2003, Mark Segal wrote:
> 
> >While cleaning the narchi virus icmp traffic.. I noticed a lot of tcp
> >traffic (it seems to be increasing) from spoofed address to bogon space?
> >Any ideas on what virus or worm this is?  Is it new?
> >
> >Regards,
> >Mark
> >
> >--
> >Mark Segal
> >Director, Network Planning
> >FCI Broadband
> >Tel: 905-284-4070
> >Fax: 416-987-4701
> >http://www.fcibroadband.com
> >
> >Futureway Communications Inc. is now FCI Broadband
> 

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

• Previous message (by thread): Increase in tcp traffic from spoofed source to bogon?
• Next message (by thread): Increase in tcp traffic from spoofed source to bogon?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]