Hello to ALL: I am a frequent reader of this list and contribute occasionally when I occasionally think I may have something of value to add.
I recently came across entries like the following in some firewall logs that a friend of mine asked me to take a look at:

    Source Address   Destination Address   Action
    127.0.0.1        108.122.0.0           Drop
    127.0.0.2        108.122.0.0           Drop
    127.0.0.3        108.122.0.0           Drop
    .
    .
    .
    127.0.0.255      108.122.0.0           Drop

I believe that this pattern indicates strong evidence of an address spoofing attack of some kind. I know that 127.0.0.1 is the loopback address on TCP/IP hosts and that the 127.0.0.0/8 network is a reserved class A network. However, I had never come across the 108.122.0.0 network before, so I did some research. I did a search on 102.122.0.0 and found the following link http://ftp.apnic.net/apnic/mailing-lists/bgp-stats/bgp-stats.archive.0009 from which I found the following information on the destination address:

    "Advertised IANA Reserved Addresses
     ----------------------------------
     Network           Origin AS   Description
     108.122.0.0/24    9847        Issan"

I believe that this pattern is strong evidence of an address spoofing attack of some kind. I do have a couple of questions for the readers of this list:

1. Has anyone else seen this pattern before?
2. If so, does anyone have any more in-depth knowledge of the details of this type of attack? In other words, what would a mischief maker be attempting to accomplish? What type of tool(s) would they be using to do this, etc.?
3. Does anyone have any knowledge or information on exactly what the 108.122.0.0/24 network or Issan is?
4. Does this look like something that should be reported to the proper authorities?
5. Am I just overly paranoid? I have been accused of possessing that "quality".

Thanks in advance.

Pete Francois
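One way to detect the pattern the post describes, as an added example that is not part of the original message: parse log lines in the same "Source Destination Action" layout, flag any source address that falls inside 127.0.0.0/8 or another reserved block (such a source can only be spoofed when seen on an external interface), and group the flagged entries by destination so that a sweep like 127.0.0.1, 127.0.0.2, 127.0.0.3 ... toward one host stands out. The log sample, the list of reserved blocks and the threshold are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict

# Address blocks that should never appear as a source on an external interface.
# 127.0.0.0/8 is the loopback block the post discusses; the others are the
# usual reserved/bogon ranges a border firewall drops (assumed list).
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample in the "Source Destination Action" layout of the post.
SAMPLE_LOG = """\
Source Address Destination Address Action
127.0.0.1 108.122.0.0 Drop
127.0.0.2 108.122.0.0 Drop
127.0.0.3 108.122.0.0 Drop
127.0.0.4 108.122.0.0 Drop
198.51.100.7 108.122.0.0 Accept
"""

def parse_log(text):
    """Yield (src, dst, action) tuples; the header row and malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1]), parts[2]
        except ValueError:
            continue  # not an address pair, ignore the line

def bogon_source_block(addr):
    """Return the reserved block addr falls in, or None if it is globally routable."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    for net in BOGON_SOURCES:
        if addr in net:
            return net
    return None

def find_spoof_sweeps(text, min_sources=3):
    """Group bogon-sourced entries by (destination, reserved block) and report
    sweeps: a destination hit from at least min_sources distinct addresses in
    one reserved block, e.g. 127.0.0.1, 127.0.0.2, 127.0.0.3 -> 108.122.0.0."""
    hits = defaultdict(set)
    for src, dst, _action in parse_log(text):
        block = bogon_source_block(src)
        if block is not None:
            hits[(str(dst), str(block))].add(str(src))
    return {key: sorted(srcs, key=ipaddress.ip_address)
            for key, srcs in hits.items() if len(srcs) >= min_sources}
```

On the sample, `find_spoof_sweeps(SAMPLE_LOG)` reports the four 127.0.0.x sources aimed at 108.122.0.0 and ignores the routable 198.51.100.7 entry; lowering `min_sources` trades fewer missed sweeps for more noise from single stray packets.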
