[nsp-sec] Ongoing attack against 95.172.6.178

[Smith, Donald]

I looked for the 95 address for the 19th and 20th and saw no packets.
That is probably a good indication that this is spoofed since we have a fairly compete bcp38 deployment.

(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> David Freedman
> Sent: Saturday, March 20, 2010 9:26 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] Ongoing attack against 95.172.6.178
>
> ----------- nsp-security Confidential --------
>
> There has been a mid/low level TCP SYN attack against this
> host for the past
> few days, it has increased somewhat today, the original targets were
>
> 109.109.253.242
> 109.109.253.243
> 109.109.253.244
> 109.109.253.245
> 109.109.253.246
>
> Since the customer switched the service to only 95.172.6.178
> two days ago,
> the attack has moved to this destination.
>
> Would be greatful if anybody could look for flows.
>
> Dave.
>
> ------------------------------------------------
> David Freedman
> Group Network Engineering
> Claranet Limited
> http://www.clara.net
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
> community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
>

This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.