[nsp-sec] TCP 445 scanning from unadvertised prefix
sthaug at nethelp.no
Fri May 15 09:24:52 EDT 2009
I discovered on a couple of our border routers that we are being TCP
445 scanned from the following address:
192.21.100.243
which is not in our routing tables, or for that matter route-views.
For extra fun, looking up the RIPE inetnum object gives this "slightly"
large object:
inetnum: 93.169.24.0 - 193.169.25.255
netname: CENTRSVYAZ-NET
descr: Centrsvyaz CJSC
country: RU
org: ORG-CC43-RIPE
admin-c: VIP10-RIPE
tech-c: VIP10-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: MNT-CENTRSVYAZ
mnt-routes: MNT-CENTRSVYAZ
mnt-domains: MNT-CENTRSVYAZ
changed: hostmaster at ripe.net 20090515
source: RIPE
(the missing "1" is rather obvious)
Since the prefix isn't advertised, we drop this on our border routers.
But definitely something to be on the lookout for...
Steinar Haug, AS 2116
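
The two checks described in the message above, as an added example that is not part of the original post: it measures the quoted inetnum range as written and with the missing "1" restored, tests whether the registry object covers the scanning source, and tests whether that source is covered by any advertised prefix. The `ADVERTISED` list and the `MAX_SANE_SIZE` threshold are assumptions made for illustration, not real routing data or RIPE policy.

```python
import ipaddress

# Values quoted in the post above.
INETNUM = "93.169.24.0 - 193.169.25.255"
SCANNER = "192.21.100.243"
# Constructed sample of advertised prefixes (assumption, not real routing data).
ADVERTISED = ["193.169.24.0/23", "192.0.2.0/24", "198.51.100.0/24"]
# Assumed sanity threshold: flag any single inetnum larger than a /16.
MAX_SANE_SIZE = 2 ** 16


def parse_inetnum(value):
    """Parse 'a.b.c.d - e.f.g.h' into (first, last) IPv4Address objects."""
    first, last = (ipaddress.IPv4Address(p.strip()) for p in value.split("-"))
    if first > last:
        raise ValueError("inetnum start is above its end")
    return first, last


def is_advertised(addr, prefixes):
    """True if addr is covered by any prefix in the (sample) routing table."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def assess(src, inetnum, prefixes):
    """Combine the registry check and the routing check for one source."""
    first, last = parse_inetnum(inetnum)
    size = int(last) - int(first) + 1
    return {
        "size": size,
        "oversized": size > MAX_SANE_SIZE,
        "registry_covers_src": first <= ipaddress.IPv4Address(src) <= last,
        "advertised": is_advertised(src, prefixes),
        "cidrs": list(ipaddress.summarize_address_range(first, last)),
    }


if __name__ == "__main__":
    for rng in (INETNUM, "193.169.24.0 - 193.169.25.255"):
        r = assess(SCANNER, rng, ADVERTISED)
        print(rng, "->", r["size"], "addresses,", len(r["cidrs"]), "CIDR blocks,",
              "covers source:", r["registry_covers_src"],
              "advertised:", r["advertised"])
```

With the range as quoted, the registry object covers the scanning address even though no advertised prefix does; with the "1" restored, the object shrinks to a single /23 that does not cover it.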