RE: CCO/ issues.


We're continuing to work the issue, and would be grateful if operators
would check for 40-byte spoofed TCP headed towards and
trace/block it as warranted. Your patience and understanding are greatly


Roland Dobbins <> // 408.527.6376 voice


Are these spoofed addresses from any range specifically in relation to the
'real' source address (i.e., are they spoofing other IPs in the same subnet
or CIDR range, a specific known range, or just random routable addresses)?

I've run some netflow filters and have seen some traffic (very small
amounts) that could match the very simple 40-byte payloads to that /32
traversing out of a few customers' gear, but I was hoping to not have to
start digging into traffic to see if it originated in the 'right' places
if you already had any ideas. That said, I don't want to ignore the fact
it's not much traffic, since with enough zombied machines, a lot of 'trickles'
forms a flood!


Sean McPherson
nanog <@ is the at sign> seanmcpherson dotcom
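
The check discussed in this thread (whether 40-byte TCP flows toward the /32 carry source addresses that belong on the interface they arrived on) can be sketched over exported flow records as below. This is an added example, not part of either message; the target address, interface names, customer prefixes and flow records are constructed placeholders.

```python
import csv, io, ipaddress
from collections import defaultdict

# Placeholder for the attacked /32 (the real address is elided on the page).
TARGET = ipaddress.ip_network("192.0.2.1/32")

# Constructed map: ingress interface -> prefixes assigned to that customer.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("198.51.100.0/25")],
    "ge-0/0/2": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed flow export: ingress interface, src, dst, protocol, packets, bytes.
SAMPLE_FLOWS = """\
in_if,src,dst,proto,packets,bytes
ge-0/0/1,198.51.100.10,192.0.2.1,6,3,120
ge-0/0/1,10.45.2.9,192.0.2.1,6,5,200
ge-0/0/1,203.0.113.77,192.0.2.1,6,1,40
ge-0/0/2,203.0.113.5,192.0.2.1,6,2,1480
ge-0/0/2,203.0.113.5,192.0.2.1,17,1,40
ge-0/0/2,198.51.100.200,192.0.2.1,6,4,160
ge-0/0/2,203.0.113.9,198.51.100.1,6,1,40
"""

def classify(flow_csv, target=TARGET, prefixes=CUSTOMER_PREFIXES):
    """Per ingress interface, count 40-byte TCP packets to the target whose
    source is inside (in_prefix) or outside (spoofed) the assigned prefixes."""
    report = defaultdict(lambda: {"in_prefix": 0, "spoofed": 0, "spoofed_srcs": set()})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        pkts, size = int(row["packets"]), int(row["bytes"])
        # 40 bytes = 20-byte IPv4 header + 20-byte TCP header, no payload.
        if row["proto"] != "6" or pkts == 0 or size != 40 * pkts:
            continue
        if ipaddress.ip_address(row["dst"]) not in target:
            continue
        src = ipaddress.ip_address(row["src"])
        entry = report[row["in_if"]]
        if any(src in net for net in prefixes.get(row["in_if"], [])):
            entry["in_prefix"] += pkts   # plausible source; host may be compromised
        else:
            entry["spoofed"] += pkts     # source cannot legitimately enter here
            entry["spoofed_srcs"].add(str(src))
    return dict(report)

if __name__ == "__main__":
    for ifname, stats in sorted(classify(SAMPLE_FLOWS).items()):
        print(ifname, stats["in_prefix"], stats["spoofed"], sorted(stats["spoofed_srcs"]))
```

Interfaces with a non-zero `spoofed` count are where source-address filtering (for example uRPF or an ingress ACL) is missing; `in_prefix` hits point at real customer hosts worth tracing.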