port scanning from spoofed addresses

Matthew Huff mhuff at ox.com
Thu Dec 3 11:53:04 CST 2009

The source address appears to be fixed as well as the source port (6666), scanning different destinations and ports.

Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

-----Original Message-----
From: Florian Weimer [mailto:fweimer at bfk.de] 
Sent: Thursday, December 03, 2009 12:35 PM
To: Matthew Huff
Cc: (nanog at nanog.org)
Subject: Re: port scanning from spoofed addresses

* Matthew Huff:

> We are seeing a large number of tcp connection attempts to ports
> known to have security issues. The source addresses are spoofed from
> our address range. They are easy to block at our border router
> obviously, but the number and volume is a bit worrisome. Our
> upstream providers appear to be uninterested in tracing or blocking
> them. Is this the new normal? One of my concerns is that if others
> are seeing probe attempts, they will see them from these addresses
> and of course, contact us.

What's the distribution of the source addresses and source ports?

Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

More information about the NANOG mailing list