[H-GEN] Network Nasties

Opec Kemp okemp at ozemail.com.au
Tue Feb 29 17:55:42 EST 2000


[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics.  Please observe the list's charter.          ]

While we're on this "strange" IP subject,
there is a really good article on how to filter out any spoofed IP address
from being sent out from your network to someone else's, i.e. stop someone
doing a spoof attack (DDoS etc.) from your network:

http://www.sans.org/y2k/egress.htm

Makes an interesting read.


>
> We have been filtering some weird packets on our permanent modem (ppp)
> connections to our ISP (who shall remain nameless). We have two separate
> problems on which I hope fellow listers can comment.
>
> Number one is that we are getting connection attempts from packets with
> presumably spoofed source addresses which are within the private address
> range, viz.:
>
> Feb 29 16:01:16 firewall.ussbris kernel: Packet log: input DENY ppp0 PROTO=1 192.168.16.129:3 203.108.63.250:4 L=56 S=0x00 I=23245 F=0x0000 T=56 (#17)
>
> and
>
> Feb 27 15:26:35 firewall.ussbris kernel: Packet log: input DENY ppp0 PROTO=6 10.9.1.66:80 203.108.63.250:63223 L=305 S=0x00 I=15355 F=0x4000 T=236 (#15)
>
> 203.108.63.250 is our address.
>
> Shouldn't these source addresses be rejected by the ISP routers? If they
> are not then I guess the other conclusion is that they are originating
> from inside the ISP's network. I am very sure that they are not coming
> from our internal network. I have sent the logs to the ISP security
> people, but it is too early to expect a response at this stage.
>
> Number two is that we keep getting route connection attempts from the ISP
> end of another ppp link, viz.:
>
> Feb 29 14:00:19 firewall.wa kernel: Packet log: input DENY ppp0 PROTO=17 203.108.225.15:520 203.108.45.207:520 L=52 S=0x00 I=17772 F=0x0000 T=30 (#44)
>
> 203.108.255.15 is the ISP network side of the ppp link, and 203.108.45.207
> is our side of the link. Kinda weird, because we do not use (and never
> have used) the route service; our routing arrangements are very simple
> and all static. Is it possible that there is a router/terminal server
> configuration problem here? We have contacted our ISP technical people
> about it, but it all seems to go to /dev/null.
>
> Any comments or advice will be most appreciated.
>
> Cheers
> Geoff Everist
>
> --
> * This is list (humbug) general handled by majordomo at lists.humbug.org.au .
> * Postings to this list are only accepted from subscribed addresses of
> * lists 'general' or 'general-post'.
>
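
As an added example (not part of either message or of the linked article), the check below parses the ipchains packet-log lines quoted above and flags any packet that arrives on the external interface with an RFC 1918 source address. The function names are hypothetical, and treating ppp0 as the only external interface is an assumption taken from the quoted logs.

```python
import ipaddress
import re

# RFC 1918 private ranges: not routable on the Internet, so they should
# never appear as a source address on an Internet-facing interface.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# ipchains "Packet log" line: chain, action, interface, protocol, src:port dst:port.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")
# The three log lines from the quoted message, rejoined onto single lines.
SAMPLE = """\
Feb 29 16:01:16 firewall.ussbris kernel: Packet log: input DENY ppp0 PROTO=1 192.168.16.129:3 203.108.63.250:4 L=56 S=0x00 I=23245 F=0x0000 T=56 (#17)
Feb 27 15:26:35 firewall.ussbris kernel: Packet log: input DENY ppp0 PROTO=6 10.9.1.66:80 203.108.63.250:63223 L=305 S=0x00 I=15355 F=0x4000 T=236 (#15)
Feb 29 14:00:19 firewall.wa kernel: Packet log: input DENY ppp0 PROTO=17 203.108.225.15:520 203.108.45.207:520 L=52 S=0x00 I=17772 F=0x0000 T=30 (#44)
"""

def parse(line):
    """Parse one ipchains log line into a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def private_sources(log_text, external_ifaces=("ppp0",)):
    """Return records with an RFC 1918 source seen on an external interface."""
    hits = []
    for rec in filter(None, map(parse, log_text.splitlines())):
        src = ipaddress.ip_address(rec["src"])
        if rec["iface"] in external_ifaces and any(src in n for n in RFC1918):
            hits.append(rec)
    return hits

def describe(rec):
    """One-line summary; for ICMP, ipchains logs type and code as the 'ports'."""
    name = PROTO_NAMES.get(rec["proto"], "proto %d" % rec["proto"])
    fmt = "type %d code %d" if rec["proto"] == 1 else "port %d -> %d"
    detail = fmt % (rec["sport"], rec["dport"])
    return "%s %s: %s -> %s on %s" % (name, detail, rec["src"], rec["dst"], rec["iface"])

if __name__ == "__main__":
    for hit in private_sources(SAMPLE):
        print(describe(hit))
```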

