[nsp-sec] Constant scanning from the same /24 in AS4837

Gong, Yiming yiming.gong at xo.com
Tue Sep 30 11:43:39 EDT 2008


> -----Original Message-----
> From: Chris Morrow [mailto:morrowc at ops-netman.net] 
> are you seeing these from the interface in front of this subnet? or is
> this just 'my darknet too got scanned' ?

In my case, it is 'got scanned'. And I just took a look at the inIFindex
from the related NetFlow and it appears that the inIFs point back to the
BGP peers which propagate this 4837 subnet. So it is likely this is
not spoofed traffic.

> I ask, because most often this really is spoofed though I never did figure
> out why they spoof Chinese sources when they do messenger spams...

I guess probably China is famous for its loose Internet security
management and people won't doubt the validity when they get spam from
China.

Regards!

Yiming
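
The input-interface check described in the reply above, as an added example that is not part of the original message: it compares each flow's input ifIndex with the set of BGP peers that announce the source prefix. The prefix, ifIndex values, peer names and flow records are all constructed placeholders.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for the scanning /24 (documentation address space).
SCANNER_PREFIX = ipaddress.ip_network("198.51.100.0/24")

# Hypothetical router inventory: input ifIndex -> BGP peer on that interface.
IF_TO_PEER = {12: "peer-A", 14: "peer-B", 27: "peer-C", 31: "customer-X"}

# Hypothetical set of peers that announce a route covering SCANNER_PREFIX.
# Use every announcing peer, not only the best path: inbound traffic
# follows the sender's routing choice, not ours.
PEERS_ANNOUNCING = {"peer-A", "peer-B"}

# Constructed flow records: (source address, input ifIndex).
FLOWS = [("198.51.100.7", 12), ("198.51.100.7", 14),
         ("198.51.100.9", 12), ("203.0.113.5", 27)]
ODD_FLOWS = [("198.51.100.7", 27), ("198.51.100.8", 31),
             ("198.51.100.9", 12), ("198.51.100.10", 99)]

def classify(flows, prefix, if_to_peer, announcing):
    """Count flows from `prefix` by whether the input interface faces
    a peer that announces the prefix."""
    counts = Counter()
    for src, in_if in flows:
        if ipaddress.ip_address(src) not in prefix:
            continue  # not from the prefix under investigation
        peer = if_to_peer.get(in_if)
        if peer is None:
            counts["unknown_interface"] += 1
        elif peer in announcing:
            counts["consistent"] += 1
        else:
            counts["inconsistent"] += 1
    return counts

def verdict(counts, threshold=0.9):
    """Heuristic only: a high share of consistent flows suggests the
    sources are real; anything else deserves a closer look."""
    total = sum(counts.values())
    if total == 0:
        return "no matching flows"
    ratio = counts["consistent"] / total
    return "likely not spoofed" if ratio >= threshold else "possibly spoofed"

if __name__ == "__main__":
    for name, flows in (("FLOWS", FLOWS), ("ODD_FLOWS", ODD_FLOWS)):
        c = classify(flows, SCANNER_PREFIX, IF_TO_PEER, PEERS_ANNOUNCING)
        print(name, dict(c), verdict(c))
```

A consistent result does not prove the sources are genuine, since a spoofer behind one of the announcing peers would look the same.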