Out of curiosity.
How many of your scans come from hijacked IP space?
On Dec 29, 2003, at 6:47 AM, [EMAIL PROTECTED] wrote:
Recently (this year...) I've noticed an increasing number of ip range scans
of various types that involve one or more ports being probed for our
entire ip blocks sequenti
[EMAIL PROTECTED] said:
> So I'm wondering what are others doing on this regard?
One of the more effective ways to deal with this would be to request that
upstream(s) null-route your aggregate until the attack subsides.
--Tk
My router is set up to send me daily reports of IP addresses that hit
the port 137-139 block more than 1000 times a day. The sources are
all over the place, including a lot of IANA reserved address space
that Sprint and my ISP should be filtering upstream, but a lot of the
scans are from hosts on
[EMAIL PROTECTED] writes:
> Recently (this year...) I've noticed an increasing number of ip range scans
> of various types that involve one or more ports being probed for our
> entire ip blocks sequentially. At first I attributed all this to various
> windows viruses, but I did some logging with
On Mon, 29 Dec 2003 [EMAIL PROTECTED] wrote:
> Recently (this year...) I've noticed an increasing number of ip range scans
> of various types that involve one or more ports being probed for our
> entire ip blocks sequentially. At first I attributed all this to various
What ports are being probed
[.. SNIP ..]
> The problem is these are random scans, the traffic is going to ips that
> are not used and never were. They're clearly random sequential scans.
In this particular case, null-routing your aggregate is your friend. Or get a
sink hole and suck down all the !traffic to it. Please,
BTW - By my tests it appears I'm being scanned by unix hosts between 500
to 1000 times per day! I don't know, maybe it seems a low number for some
of you, but I'm not at all happy about it.
--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
On Mon, 29 Dec 2003, Abdullah Hameed Sheikh wrote:
> There are two types of network: Enterprise and Service Provider.
I kind of have both types. I call them unmanaged and managed. For certain
ip blocks (always larger than /24) all traffic is passing through linux
firewall with multiple vlans &
On Mon, 2003-12-29 at 06:47, [EMAIL PROTECTED] wrote:
> Recently (this year...) I've noticed an increasing number of ip range scans
> of various types that involve one or more ports being probed for our
> entire ip blocks sequentially.
You're lucky. I've been watching this slowly ramp up for the l