North American Network Operators Group

Re: address spoofing
Perhaps ICMP Fragmentation Needed, and more frequently, ICMP Unreachables and
Time-Exceeded or the like coming from private-addressed devices. I'd wager
that if you modified your filters to differentiate ICMP and IP, it'd heavily
lean towards ICMP error type stuff...

-danny

> first, apologies for bringing up an operational issue.
>
> a long while back, i noticed my border filters were showing incoming
> packets from 1918 addresses and my own address blocks. i wrote this off
> to anomalies and did not have the time to pursue.
>
> yesterday, i happened to notice it again. i described it on an internal
> mailing list. other folk looked at their filters, and lo and behold, it
> is a widespread problem.
>
> fyi, my filter looks like the following:
>
> ! what we allow to come in the serials from the world
> no access-list 105
> ! PSGnet
> access-list 105 deny ip 147.28.0.0 0.0.255.255 any
> access-list 105 deny ip 192.83.230.0 0.0.0.255 any
> access-list 105 deny ip 198.133.206.0 0.0.0.255 any
> ! rfc1918
> access-list 105 deny ip 127.0.0.1 0.255.255.255 any
> access-list 105 deny ip 10.0.0.0 0.255.255.255 any
> access-list 105 deny ip 172.16.0.0 0.15.255.255 any
> access-list 105 deny ip 192.168.0.0 0.0.255.255 any
> ! block portmapper and nfsd attacks
> access-list 105 deny udp any any eq sunrpc
> access-list 105 deny tcp any any eq 2049
> ! block samba
> access-list 105 deny tcp any any eq 137
> access-list 105 deny tcp any any eq 138
> access-list 105 deny tcp any any eq 139
> !
> ! some other stuff
> !
> ! allow all others
> access-list 105 permit ip any any
>
> the results of 30 hours of running are
>
> deny ip 147.28.0.0 0.0.255.255 any (6 matches)
> deny ip 192.83.230.0 0.0.0.255 any
> deny ip 198.133.206.0 0.0.0.255 any
> deny ip 127.0.0.0 0.255.255.255 any (375 matches)
> deny ip 10.0.0.0 0.255.255.255 any (593 matches)
> deny ip 172.16.0.0 0.15.255.255 any (201 matches)
> deny ip 192.168.0.0 0.0.255.255 any (769 matches)
> deny udp any any eq sunrpc (9 matches)
> deny tcp any any eq 2049 (494 matches)
> deny tcp any any eq 137
> deny tcp any any eq 138
> deny tcp any any eq 139
> permit ip any any (9467763 matches)
>
> when we tried it on routers in different parts of the network, it seemed
> to show similar patterns.
>
> anyone have clues other than net slime and misconfigured nats?
>
> randy
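Danny's suggestion above is a testable hypothesis: split the hits on the private-source and own-source deny rules by protocol and, for ICMP, by type, and see how much of it is router-generated error traffic (Fragmentation Needed, other Unreachables, Time-Exceeded) rather than anything aimed at a host. The script below is an added example, not code from the thread or from either poster: it takes the prefixes from randy's quoted access-list, reads constructed flow records (source, destination, protocol, and ICMP type/code where applicable; the record format is an assumption made here, not a router's output) and tallies the denied-source packets by category.

```python
"""Added example (not from the NANOG thread): tally packets whose source falls
in the border filter's own-block or private-address deny rules, split by
protocol and ICMP type, to see what share is ICMP error messages.

All input records below are constructed sample data, not captured traffic.
"""
import ipaddress
from collections import Counter

# Source prefixes the quoted access-list 105 denies: the poster's own blocks
# plus loopback and RFC 1918 space.
OWN_PREFIXES = [
    ipaddress.ip_network("147.28.0.0/16"),
    ipaddress.ip_network("192.83.230.0/24"),
    ipaddress.ip_network("198.133.206.0/24"),
]
PRIVATE_PREFIXES = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# ICMP types that intermediate routers generate as error messages. A router
# whose interface carries an RFC 1918 address sources these from that
# address, so they arrive at a border as private-sourced packets.
ICMP_ERROR_TYPES = {
    3: "unreachable",        # code 4 is Fragmentation Needed
    4: "source-quench",
    5: "redirect",
    11: "time-exceeded",
    12: "parameter-problem",
}


def classify_source(src):
    """Return 'own', 'private' or None for a source address string."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in OWN_PREFIXES):
        return "own"
    if any(addr in net for net in PRIVATE_PREFIXES):
        return "private"
    return None


def parse_record(line):
    """Parse one constructed record: 'src dst proto [icmp_type icmp_code]'."""
    fields = line.split()
    rec = {"src": fields[0], "dst": fields[1], "proto": fields[2].lower()}
    if rec["proto"] == "icmp":
        rec["icmp_type"] = int(fields[3])
        rec["icmp_code"] = int(fields[4])
    return rec


def tally(lines):
    """Count denied-source packets by (source class, protocol or ICMP category)."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_record(line)
        src_class = classify_source(rec["src"])
        if src_class is None:
            continue                      # would hit 'permit ip any any'
        if rec["proto"] == "icmp":
            kind = "icmp-" + ICMP_ERROR_TYPES.get(rec["icmp_type"], "other")
        else:
            kind = rec["proto"]
        counts[(src_class, kind)] += 1
    return counts


def icmp_error_share(counts):
    """Fraction of the denied-source packets that are ICMP error messages."""
    total = sum(counts.values())
    errors = sum(n for (_, kind), n in counts.items()
                 if kind.startswith("icmp-") and kind != "icmp-other")
    return errors / total if total else 0.0


# Constructed sample records (not real traffic).
SAMPLE_RECORDS = """
# src            dst             proto  type code
10.1.2.1         147.28.0.10     icmp   3    4
10.1.2.1         147.28.0.10     icmp   3    4
192.168.0.1      147.28.0.22     icmp   11   0
172.16.5.254     147.28.0.22     icmp   3    1
10.0.0.5         147.28.0.30     tcp
192.168.1.9      147.28.0.30     udp
147.28.9.9       147.28.0.30     tcp
8.8.8.8          147.28.0.10     icmp   0    0
""".splitlines()

if __name__ == "__main__":
    c = tally(SAMPLE_RECORDS)
    for key, n in sorted(c.items()):
        print(key, n)
    print("ICMP error share: %.2f" % icmp_error_share(c))
```

On the sample data four of the seven denied-source packets are ICMP errors, which is the pattern Danny predicts; a real run would feed the same tally from whatever per-packet logging or flow export the border router provides. The own-source TCP hit (147.28.9.9 arriving from outside) is the case the ICMP explanation does not cover, and is the one worth keeping a separate counter for.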