RE: Abuse.cc ???

I tell ya, what really gets me in a bad mood is when my PIX logs
show the same IP address hitting port 80 on 25 different IPs
and the time line is 2 seconds start to finish.
And then you report it, and it continues after a week every single day.
Substitute port 80 here with 1433, 139, 135, and on and on..
When a syslog trap with an NTP-synced time base and the entire log is not good
enough, I don't know what is....
Yesterday, I got word from a network operator that 50 entries was not sufficient.
So I parsed 4 days' worth and sent them over 1200 messages from their block..
Have not heard back yet..

With a syslog file, sometimes an IDSLog and a Syslog.

Some ISPs either /dev/null all of it, or they can't stop their users,
or politics stop 'em..

Later,
J

> Yesterday, I got word from a network operator that 50 entries was not sufficient.
> So I parsed 4 days' worth and sent them over 1200 messages from their block..
> Have not heard back yet..

I love the operators who deny the IP block belongs to them, so you send
them back a whois with the appropriate bits underlined.

This happens a *lot* with tier-1s, who really should know better.

> Some ISPs either /dev/null all of it, or they can't stop their users,
> or politics stop 'em..

With a lot of providers the official policy is to let the user do whatever
they want as long as the check doesn't bounce and as long as a police
officer doesn't arrive on the doorstep with a subpoena.

But boy do they make a stink when people blackhole them!

-Dan

McBurnett, Jim wrote:

> I tell ya, what really gets me in a bad mood is when my PIX logs show the same IP address hitting port 80 on 25 different IPs
> and the time line is 2 seconds start to finish.
>
> Yesterday, I got word from a network operator that 50 entries was not sufficient.
> So I parsed 4 days' worth and sent them over 1200 messages from their block..
> Have not heard back yet..

Well, if you find out, let me know. On Apr 2 we had (among others):

101233 hits on 445 from 203 sources,
  43465 hits on 139 from 218 sources,
  14399 hits on 80 from 1922 sources,
  12106 hits on 21 from 6 sources,
    etc.

And we would barely qualify as a "small" operation...

Then we have the nutcases that scan a dozen or so proxy ports per host on a /17 netblock (APNIC source space, usually).

Unless it's a DoS and in the millions, I wonder how many outfits still give a flying fornication at a cyclically motivated glazed pastry anymore.

Jeff
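The two kinds of log crunching described in this thread, Jim's "same source hitting port 80 on 25 hosts inside two seconds" and Jeff's "N hits on port X from M sources" tally, as an added example that is not code from any poster here. It assumes the firewall emits the Cisco PIX/ASA %PIX-4-106023 deny message behind a BSD syslog prefix (timestamp, host) and that the interface names are outside/inside; the sample log is constructed, not real traffic, and the 25-host / 2-second threshold is simply the figure Jim quoted.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Cisco PIX/ASA %PIX-4-106023 "Deny" message with a BSD syslog prefix in front.
# Interface names (outside/inside) and the access-group suffix are assumptions.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ %PIX-4-106023: "
    r"Deny (?P<proto>tcp|udp) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def _line(ts, src, sport, dst, dport):
    """Build one constructed 106023 line in the assumed format."""
    return (f"{ts} fw01 %PIX-4-106023: Deny tcp src outside:{src}/{sport} "
            f'dst inside:{dst}/{dport} by access-group "outside_in"')


# Constructed sample log (not real): 203.0.113.5 sweeps port 80 across 26 hosts
# between 10:15:01 and 10:15:02; two other sources poke at 445 minutes apart.
SAMPLE_LOG = "\n".join(
    [_line(f"Apr  2 10:15:0{1 + i // 13}", "203.0.113.5", 4000 + i,
           f"192.0.2.{i + 1}", 80) for i in range(26)]
    + [_line("Apr  2 10:20:05", "198.51.100.7", 3001, "192.0.2.40", 445),
       _line("Apr  2 10:27:11", "198.51.100.7", 3002, "192.0.2.41", 445),
       _line("Apr  2 10:31:59", "198.51.100.9", 1025, "192.0.2.40", 445),
       # an unrelated message ID that the parser must skip
       "Apr  2 10:32:00 fw01 %PIX-6-302013: Built inbound TCP connection ..."]
)


def parse_denies(text):
    """Return (timestamp, src, dst, dport) for every 106023 deny line."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog carries no year; strptime defaults to 1900, which is fine
        # because only differences between timestamps are used below.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        recs.append((ts, m["src"], m["dst"], int(m["dport"])))
    return recs


def find_sweeps(recs, window=timedelta(seconds=2), min_targets=25):
    """Sources reaching >= min_targets distinct hosts on one port within `window`.

    Returns {(src, dport): (hosts_in_best_window, span_seconds)}.  A sliding
    window over the time-sorted events per (src, dport) keeps a count of how
    many events for each destination lie inside the window.
    """
    by_key = defaultdict(list)
    for ts, src, dst, dport in recs:
        by_key[(src, dport)].append((ts, dst))
    sweeps = {}
    for key, events in by_key.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> events inside current window
        lo, best = 0, (0, 0.0)
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[lo][0] > window:  # drop events that aged out
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) > best[0]:
                best = (len(in_window), (ts - events[lo][0]).total_seconds())
        if best[0] >= min_targets:
            sweeps[key] = best
    return sweeps


def port_summary(recs):
    """Per destination port: (total hits, distinct sources)."""
    hits, sources = defaultdict(int), defaultdict(set)
    for _, src, _, dport in recs:
        hits[dport] += 1
        sources[dport].add(src)
    return {p: (hits[p], len(sources[p])) for p in hits}


def evidence_for(text, src):
    """Raw log lines for one source, i.e. what gets attached to the abuse report."""
    return [l for l in text.splitlines()
            if (m := LINE_RE.match(l)) and m["src"] == src]


if __name__ == "__main__":
    recs = parse_denies(SAMPLE_LOG)
    for port, (n, s) in sorted(port_summary(recs).items(), key=lambda kv: -kv[1][0]):
        print(f"{n:7d} hits on {port} from {s} sources")
    for (src, port), (targets, span) in find_sweeps(recs).items():
        print(f"sweep: {src} hit {targets} hosts on port {port} in {span:.0f}s; "
              f"{len(evidence_for(SAMPLE_LOG, src))} log lines to attach")
```

The sweep detector keys on (source, destination port) so a slow 445 probe from one host does not get lumped together with a fast 80 sweep from the same host, and the per-port tally is the same shape as Jeff's "hits on 445 from 203 sources" lines; point both at the real syslog file instead of SAMPLE_LOG to run it over a day's worth of denies.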

> I tell ya, what really gets me in a bad mood is when my PIX logs
> show the same IP address hitting port 80 on 25 different IPs
> and the time line is 2 seconds start to finish.
> And then you report it, and it continues after a week every single day.
> Substitute port 80 here with 1433, 139, 135, and on and on..
> When a syslog trap with an NTP-synced time base and the entire log is not good
> enough, I don't know what is....
> Yesterday, I got word from a network operator that 50 entries was not sufficient.
> So I parsed 4 days' worth and sent them over 1200 messages from their block..
> Have not heard back yet..

How was this traffic causing harm to your network? I'd rather have them
dealing with people actively breaking into systems, DoS'ing, etc. than
terminating some customer who's probably infected with the latest
Microsoft worm.

Matthew S. Hallacy wrote:

> How was this traffic causing harm to your network? I'd rather have them
> dealing with people actively breaking into systems, DoS'ing, etc. than
> terminating some customer who's probably infected with the latest Microsoft worm.

Worm control is important. If we let them run rampant, then they will build up to a critical mass and become DoS quality. One of my transit customers was ignoring the worm reports I was sending him. Interestingly enough, he DoS'd his own routers, as several of the people infected were behind NAT generating 11,000 connections in less than a minute. Ever seen a C3640 with 11,000 NAT translations? In this case, it's a customer that didn't have high-end equipment. If he'd had high-end equipment, then others would suffer the performance hit, not to mention the extra noise making it harder to detect purposeful scans and attacks. Some worms, like Code Red, cause a DoS on web-enabled equipment as well. The F variant, for example, will shut down Net2Net DSLAMs, some Cisco equipment, and I'm sure a lot of other things.

-Jack