Is anyone else seeing backscatter on your network about windowsupdate.com's IP?
Someone who transits through the 65.123.21.137 router is sending out lots of packets
to 204.79.188.11 (windowsupdate.com), which is not currently advertised to the
Internet as we speak. Not to mention, the packets seem to be source-spoofed to
65.124.16.0/21 (our block), causing backscatter from 65.123.21.137 to our
network...
Any ideas, or anyone seeing a similar effect? Is someone who is administrative for
Qwest Communications WASH01-WAN-65-123-21 (NET-65-123-21-0-1) aware of this, maybe?
It looks like a Qwest customer CPE router to me, but I dunno...

Yes, we are starting to see this as well. We are filtering at the edge, so the bogus packets are not getting out.
We have a /19 of 64.7.128.0/19 and 64.7.229.241 is totally bogus for our network.
Aug 14 21:59:16 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.229.241:1069 204.79.188.11:80 out via fxp1
Aug 14 21:59:16 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.39.113:1904 204.79.188.11:80 out via fxp1
Aug 14 21:59:16 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.105.240:1739 204.79.188.11:80 out via fxp1
Aug 14 21:59:16 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.235.113:1178 204.79.188.11:80 out via fxp1
Aug 14 21:59:16 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.46.113:1014 204.79.188.11:80 out via fxp1
Aug 14 21:59:16 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.111.240:1849 204.79.188.11:80 out via fxp1
Aug 14 21:59:17 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.176.240:1685 204.79.188.11:80 out via fxp1
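
An added example, not part of either post: a short Python script that reads ipfw deny lines in the format shown above and separates outbound packets whose source falls outside the 64.7.128.0/19 allocation from those inside it. The first three sample lines are copied from the log above; the fourth line, its 64.7.130.10 source and its 192.0.2.10 destination are constructed for contrast.

```python
import ipaddress
import re
from collections import Counter

# Prefix the poster states is theirs; any other source leaving the edge is spoofed.
OWN_PREFIX = ipaddress.ip_network("64.7.128.0/19")

# ipfw log layout as it appears in the post:
#   ... ipfw: <rule> Deny <proto> <src>:<sport> <dst>:<dport> out via <iface>
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) Deny (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"out via (?P<iface>\S+)"
)

# Lines 1-3 are from the post; line 4 is constructed (in-prefix source).
SAMPLE = """\
Aug 14 21:59:16 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.229.241:1069 204.79.188.11:80 out via fxp1
Aug 14 21:59:16 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.39.113:1904 204.79.188.11:80 out via fxp1
Aug 14 21:59:17 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.176.240:1685 204.79.188.11:80 out via fxp1
Aug 14 21:59:18 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.130.10:2201 192.0.2.10:25 out via fxp1
"""


def summarize(log_text, own=OWN_PREFIX):
    """Count denied outbound packets per (dst, dport), split by source validity."""
    spoofed, in_prefix = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an outbound ipfw deny line
        src = ipaddress.ip_address(m["src"])
        key = (m["dst"], int(m["dport"]))
        # A source outside our allocation cannot be a legitimate local host.
        (in_prefix if src in own else spoofed)[key] += 1
    return spoofed, in_prefix


if __name__ == "__main__":
    spoofed, in_prefix = summarize(SAMPLE)
    for (dst, port), n in spoofed.most_common():
        print(f"{n} spoofed-source packets denied toward {dst}:{port}")
    for (dst, port), n in in_prefix.most_common():
        print(f"{n} in-prefix packets denied toward {dst}:{port}")
```
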