Hello Eric,
First of all, your ISP shouldn't be routing RFC1918 address spaces, however getting them
to do anything about it is usually an exercise in futility.
I see that you have implemented an ACL to block a few RFC1918 address spaces. You
probably will want to expand that to cover them all, as well as your OWN network (to
prevent spoofing).
As far as trying to see who was responsible, you will have to lodge a complaint with
your upstream provider, and supply them with a copy of your logfile complete with
timestamps and timezone info so that they can begin investigating.
Many times these attacks originate from DSL customers, so if you review your logs
closely you will see the ICMP attack interlaced with traffic from the customer's DSL
router (which will have a registered IP address), usually on ports 137, 139 because they
got M$ boxes behind their DSL router and by default don't filter NETBEUI requests..
Cheers..
Marc..
>>> Eric Rozon <[EMAIL PROTECTED]> 02/09/01 08:26AM >>>
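An added example, not part of the original message: a small log pass that flags inbound packets whose source is RFC1918 or inside your own block, then lists registered addresses sending to ports 137/139 within a short window of them, keeping the timestamps with their UTC offset for the report to the upstream provider. The log format, the `OWN_NET` prefix, the 30-second window and all sample lines are assumptions constructed for the illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# The three RFC 1918 private blocks; none should arrive from the Internet side.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: stand-in for your own registered block (documentation prefix).
OWN_NET = ipaddress.ip_network("203.0.113.0/24")

# Constructed sample of inbound packets logged on the external interface:
# timestamp-with-UTC-offset  proto  src  dst  dst-port (ICMP type for icmp)
SAMPLE_LOG = """\
2001-01-01T08:01:10-05:00 icmp 10.1.2.3 203.0.113.10 8
2001-01-01T08:01:11-05:00 udp 198.51.100.77 203.0.113.10 137
2001-01-01T08:01:12-05:00 icmp 192.168.4.9 203.0.113.10 8
2001-01-01T08:01:13-05:00 tcp 198.51.100.77 203.0.113.11 139
2001-01-01T08:01:14-05:00 icmp 203.0.113.50 203.0.113.10 8
2001-01-01T08:30:00-05:00 udp 192.0.2.200 203.0.113.10 137
2001-01-01T08:40:00-05:00 tcp 192.0.2.15 203.0.113.10 80
"""

def classify(src):
    """Label a source address seen on the outside interface."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in OWN_NET:
        return "own-net-spoof"
    return "public"

def parse(log):
    for line in log.splitlines():
        ts, proto, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), proto, src, dst, int(port)

def correlate(log, window=timedelta(seconds=30)):
    """Return (bogus-source packets, {registered src: NetBIOS packets near them})."""
    events = list(parse(log))
    bogus = [(ts, src, classify(src))
             for ts, _, src, _, _ in events if classify(src) != "public"]
    suspects = {}
    for ts, proto, src, _, port in events:
        if proto != "icmp" and port in (137, 139) and classify(src) == "public":
            if any(abs(ts - b[0]) <= window for b in bogus):
                suspects[src] = suspects.get(src, 0) + 1
    return [(ts.isoformat(), src, kind) for ts, src, kind in bogus], suspects

if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG)[0]:
        print(*row)
    print("registered sources to check:", correlate(SAMPLE_LOG)[1])
```

A registered address that shows up this way is only a lead for the provider to investigate, since the timing overlap can be coincidental.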