Tracking stealth portscan/pepsi attacks
Tue Aug 31 13:24:37 CEST 1999
Dear colleagues,

there seems to have been quite a wash of stealth portscans and/or pepsi attacks lately (stealth portscan: you portscan with 99% of the sender addresses faked, but your own are among them; pepsi: "only" a DoS attack, you don't bother hiding your own address in the random sender flood, both of course UDP).

cybercity.dk must have been seeing some of these attacks pass, first glance judging from http://stat.cybercity.dk/ripe/ and the fallout in de.xlink (where I positively know the addresses not to be routed) and de.zz (where most of the address space is handled by RIPE nowadays). Also my private machine at home has been attacked over several days, much good it did them, but that makes it a personal axe to grind :->

Besides, lots of people who admin firewalls don't necessarily expect such stealth attacks to happen and complain to all the owners of the faked addresses about the port scans, thus generating additional workload on the abuse people.

I'd like to have a chance to catch the perpetrators. This would need to be a multi-provider cooperation in the majority of cases. Do we have an appropriate forum to discuss this at the next RIPE meeting?

kind regards,
Petra Zeidler

--
p.p. Petra Zeidler, New Customer Connections
Xlink Internet Service GmbH
[X] zeidler at xlink.net
[X] Tel: 0721/9652-220
[X] Fax: 0721/9652-209
[X] Managing Director: Michael Rotert. Karlsruhe District Court, HRB 8161.
[X] We carry out orders subject to our General Terms and Conditions.