Security Incidents mailing list archives

RE: Packets from 255.255.255.255(80) (was: Packet from port 80 wi th spoofed microsoft.com ip)

From: "Fitzgerald, John" <John.Fitzgerald () petro-canada com>
Date: Wed, 5 Feb 2003 09:51:14 -0000


Whoops - I was transposing my email threadz .... sorry about that

Hey but I wish we could give the ISPs an incentive to filter or at least
enforce strict source address validation at ingress to the Internet

Sorry again

John

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: 03 February 2003 19:05
To: Joel Tyson
Cc: Incidents Mailing List
Subject: Re: Packets from 255.255.255.255(80) (was: Packet from port 80
with spoofed microsoft.com ip) 


On Mon, 03 Feb 2003 10:40:02 EST, Joel Tyson <jtyson () pa eplus com>  said:

The best way to handle these types of packets would be to route them to a
null0 interface.  This way the packets will be dropped without icmp

response.

Typically all ISP should have these ACL's configured on their border

routers;

but they don't.


There's not much financial incentive for many ISPs to filter - when you're
billing based on traffic volume, you don't really want all those probes to
go away.  So what if 20% of the traffic is probes?  That's 20% more income
for the provider, and many providers are in a financial crunch - that 20%
may be all that's keeping them afloat.  As long as they don't get burned by
an SQL worm that takes out their infrastructure too, why should the filter?

/Valdis (who is having a more-cynical-than-usual day)

            ***********************
This email communication is intended as a private communication for the sole use of the primary addressee and those 
individuals listed for copies in the original message. The information contained in this email is private and 
confidential and if you are not an intended recipient you are hereby notified that copying, forwarding or other 
dissemination or distribution of this communication by any means is prohibited.  If you are not specifically authorized 
to receive this email and if you believe that you received it in error please notify the original sender immediately.  
We honour similar requests relating to the privacy of email communications.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

RE: Packets from 255.255.255.255(80) (was: Packet from port 80 wi th spoofed microsoft.com ip) Tom Arseneault (Feb 05)
- <Possible follow-ups>
- RE: Packets from 255.255.255.255(80) (was: Packet from port 80 wi th spoofed microsoft.com ip) Fitzgerald, John (Feb 05)
- RE: Packets from 255.255.255.255(80) (was: Packet from port 80 wi th spoofed microsoft.com ip) Fitzgerald, John (Feb 05)