[lug] how to track forged packets in a virus spoof

Mr Viggy LittleViggy at alum.manhattan.edu
Thu Aug 21 17:38:59 MDT 2003


Interesting you should mention filtering.  When I asked my ISP what a 
"VPN safe static IP address" was, they told me that they would "remove" 
all the filters from my IP.

At the time I didn't think anything of it.  But now I'm thinking that 
perhaps my ISP performs this filtering you speak of (they certainly 
don't filter incoming crap; I get scanned and probed ALL the time).

Viggy

Nate Duehr wrote:
> D. Stimits wrote:
> 
>> I'm running into a case of this new sobig.f virus not only forging 
>> headers, but also forging the dotted decimal IP address. I verified 
>> this with a DoD facility responsible for the dotted decimal IP address 
>> of origination that is showing up on all these virus notices that 
>> occur when virus scanners send out reject notices. After talking to 
>> their guy there I am convinced this virus is going well beyond normal 
>> means, that actual packet mucking has gone on here to disguise its 
>> origins. Is there any way to track something that is both header 
>> forged and packet forged?
>>
>> D. Stimits, stimits AT comcast DOT net
> 
> 
> Not easily.
> 
> Any ISP who is allowing packets OUTBOUND from their network that are in 
> ranges they don't own should be tarred and feathered.  :-)
> 
> Oops... did I say that?  Sorry...
> 
> Seriously though... ISPs should all have egress filters to stop IP 
> spoofing stuff.  Some don't.
> 
> Having those ISPs around is like having the bad neighbors with twelve 
> dead cars on the lawn on cinder blocks, and the grass that's six feet high.
> 
> But... asking someone to regulate that is like asking for the evil 
> homeowner's association do-gooders, with nothing better to do than 
> measure your grass with a micrometer every day, to come take over your 
> neighborhood.
> 
> Neither is a good proposition... so we'll hang out here in the middle.  ;-)
> 
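As an added illustration of the egress filtering Nate describes (this is not code from anyone in the thread): a small model of a provider-edge source-address filter, run over constructed packets. The ISP prefixes, the bogon list and the sample packets are all assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: the address space the hypothetical ISP actually announces.
OWNED = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]
# Constructed: sources that are never valid on the public Internet.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass(frozen=True)
class Packet:
    src: str    # dotted-decimal source address
    dst: str
    proto: str


def verdict(pkt, direction, owned=OWNED):
    """Provider-edge decision for one packet.

    "out": leaving the ISP; the source must lie in a prefix the ISP owns
    (egress filtering, BCP 38 style), otherwise it is forged.
    "in": arriving from upstream; a source inside the ISP's own prefixes
    cannot be genuine, so it is dropped as spoofed as well.
    """
    src = ipaddress.ip_address(pkt.src)
    if any(src in n for n in BOGONS):
        return "drop-bogon"
    owned_src = any(src in n for n in owned)
    # Outbound must be owned; inbound must not be. Anything else is forged.
    if owned_src != (direction == "out"):
        return "drop-spoofed"
    return "accept"


def filter_packets(packets, direction, owned=OWNED):
    """Return (accepted packets, {dropped packet: reason})."""
    accepted, dropped = [], {}
    for pkt in packets:
        v = verdict(pkt, direction, owned)
        if v == "accept":
            accepted.append(pkt)
        else:
            dropped[pkt] = v
    return accepted, dropped


# Constructed outbound traffic from the hypothetical ISP's customers.
SAMPLE_OUT = [
    Packet("198.51.100.7", "192.0.2.25", "tcp"),  # genuine customer traffic
    Packet("192.0.2.77", "192.0.2.25", "tcp"),    # forged source outside the ISP
    Packet("10.1.2.3", "192.0.2.25", "udp"),      # private source leaking out
]
```

Run in the "out" direction the filter keeps only the genuine packet; the same function in the "in" direction catches the mirror case, where a packet claiming one of the ISP's own addresses arrives from the outside.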
