The source address appears to be fixed as well as the source port (6666), scanning different destinations and ports.
---- Matthew Huff | One Manhattanville Rd OTA Management LLC | Purchase, NY 10577 http://www.ox.com | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139 -----Original Message----- From: Florian Weimer [mailto:fwei...@bfk.de] Sent: Thursday, December 03, 2009 12:35 PM To: Matthew Huff Cc: (nanog@nanog.org) Subject: Re: port scanning from spoofed addresses * Matthew Huff: > We are seeing a large number of tcp connection attempts to ports > known to have security issues. The source addresses are spoofed from > our address range. They are easy to block at our border router > obviously, but the number and volume is a bit worrisome. Our > upstream providers appear to be uninterested in tracing or blocking > them. Is this the new normal? One of my concerns is that if others > are seeing probe attempts, they will see them from these addresses > and of course, contact us. What's the distribution of the source addresses and source ports? -- Florian Weimer <fwei...@bfk.de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99
