nanog mailing list archives

Re: port scanning from spoofed addresses

From: Suresh Ramasubramanian <ops.lists () gmail com>
Date: Fri, 4 Dec 2009 14:59:50 +0530

On Thu, Dec 3, 2009 at 10:35 PM, Matthew Huff <mhuff () ox com> wrote:

We are seeing a large number of tcp connection attempts to ports known to have security issues. The source addresses 
are spoofed from our address range. They are easy to block at our border router obviously, but the number and volume 
is a bit worrisome. Our upstream providers appear to be uninterested in tracing or blocking them. Is this the new 
normal? One of my concerns is that if others are seeing probe attempts, they will see them from these addresses and 
of course, contact us.

Any suggestions on what to do next? Or just ignore.


Filter it out and then ignore.   Might as well filter it out - see
http://thespamdiaries.blogspot.com/2006/02/new-host-cloaking-technique-used-by.html

Current thread:

port scanning from spoofed addresses Matthew Huff (Dec 03)
- Re: port scanning from spoofed addresses Florian Weimer (Dec 03)
  - RE: port scanning from spoofed addresses Matthew Huff (Dec 03)
    - Re: port scanning from spoofed addresses Charles Wyble (Dec 03)
    - RE: port scanning from spoofed addresses Matthew Huff (Dec 03)
    - Re: port scanning from spoofed addresses Gregory Edigarov (Dec 04)
- RE: port scanning from spoofed addresses Stefan Fouant (Dec 03)
- Re: port scanning from spoofed addresses Suresh Ramasubramanian (Dec 04)