[nsp-sec] TCP Flood to 2.1.4.245

Rob Shakir rjs at eng.gxn.net
Wed Nov 18 12:24:39 EST 2009


Hi nsp-sec,

This afternoon we saw some odd traffic towards one of the RIPE NCC's  
de-bogonising prefixes (2.1.0.0/21), and in particular 2.1.4.245/32  
within this. The traffic looked to be from spoofed sequential sources,  
and was 650 byte TCP packets with randomised source and destination  
ports (approximately uniform distribution of src/dst port pairs).

We mitigated this by ceasing to transit _12654_ at the current time --
however, I'd be very interested if anyone else saw similar traffic, and
if there are any pointers to the sources. We saw this attack ingress
over our upstream providers.

I haven't managed to speak to anyone at RIPE about what they saw yet,  
but am happy to assist with any debug if anyone else is pursuing this.

Kind regards,
Rob


-- 
Rob Shakir                      <rjs at eng.gxn.net>
Network Development Engineer    GX Networks/Vialtus Solutions
ddi: +44208 587 6077            mob: +44797 155 4098
pgp: 0xc07e6deb                 nic-hdl: RJS-RIPE

This email is subject to: http://www.vialtus.com/disclaimer.html
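
The traffic signature described in the message above (sequential spoofed sources, fixed 650-byte TCP packets, randomised source and destination ports to a single /32) can be checked for in packet or flow records. The following is an added example, not part of the original post; the record layout, the 0.9 threshold and the sample data are assumptions constructed for illustration.

```python
import ipaddress
import random
from collections import Counter, namedtuple

# Hypothetical record layout for this example; real flow/packet exports differ.
Pkt = namedtuple("Pkt", "src dst sport dport length")
TARGET = "2.1.4.245"  # destination named in the report

def flood_profile(pkts, dst):
    """Score packets to one destination on the three traits in the report."""
    hits = [p for p in pkts if p.dst == dst]
    if len(hits) < 2:
        return None
    srcs = [int(ipaddress.IPv4Address(p.src)) for p in hits]
    # Share of consecutive packets whose source is the previous source + 1.
    steps = sum(1 for a, b in zip(srcs, srcs[1:]) if b - a == 1)
    modal_len, modal_n = Counter(p.length for p in hits).most_common(1)[0]
    # Distinct (src port, dst port) pairs per packet: near 1.0 when both
    # ports are randomised, near 0 for ordinary client/server traffic.
    pairs = {(p.sport, p.dport) for p in hits}
    return {
        "sequential_src": steps / (len(hits) - 1),
        "modal_length": modal_len,
        "fixed_length": modal_n / len(hits),
        "distinct_port_pairs": len(pairs) / len(hits),
    }

def looks_like_reported_flood(profile, threshold=0.9):
    keys = ("sequential_src", "fixed_length", "distinct_port_pairs")
    return profile is not None and all(profile[k] >= threshold for k in keys)

def constructed_flood(n=200, seed=1):
    """Constructed sample: sequential sources, 650-byte packets, random ports."""
    rng = random.Random(seed)
    base = ipaddress.IPv4Address("198.51.100.1")
    return [Pkt(str(base + i), TARGET, rng.randrange(1, 65536),
                rng.randrange(1, 65536), 650) for i in range(n)]

def constructed_normal(n=200, seed=2):
    """Constructed sample: three clients talking to port 80, mixed sizes."""
    rng = random.Random(seed)
    clients = ["192.0.2.10", "192.0.2.77", "203.0.113.5"]
    return [Pkt(rng.choice(clients), TARGET, rng.randrange(40000, 40010), 80,
                rng.choice([40, 52, 650, 1500])) for _ in range(n)]

if __name__ == "__main__":
    for name, sample in (("flood", constructed_flood()), ("normal", constructed_normal())):
        prof = flood_profile(sample, TARGET)
        print(name, prof, looks_like_reported_flood(prof))
```

The sequential-source score depends on arrival order, so on sampled or interleaved captures it is better computed over the sorted set of distinct sources.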





