<SNIPPAGE>
We're continuing the work the issue, and would be grateful if operators
would check for 40-byte spoofed TCP headed towards 198.133.219.25/32 and
trace/block it as warranted. Your patience and understanding are greatly
appreciated.Thanks!
-------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice
Roland,
Are these spoofed addresses from any range specifically in relation to the
'real' source address (ie, are they spoofing other IPs in the same subnet
or CIDR range, a specific known range, or just random routable addresses)?
I've run some netflow filters and have seen some traffic (very small
amounts) that could match the very simple 40-byte payloads to that /32
traversing out of a few customers' gear, but I was hoping to not have to
start digging into traffic to see if it originated in the 'right' places
if you already had any ideas. That said, I don't want to ignore the fact
it's not much traffic, since with enough zombied machines, a lot of 'trickles'
forms a flood!
Thanks,
Sean McPherson
nanog <@ is the at sign> seanmcpherson dotcom