[lug] port 220 progress

D. Stimits stimits at comcast.net
Wed Jan 21 22:43:27 MST 2004


Nate Duehr wrote:

>
> On Wednesday, Jan 21, 2004, at 19:00 America/Denver, D. Stimits wrote:
>
> > I still plan to completely overhaul everything here, I really don't
> > like all the problems I've had finding this. And someone out there is
> > still spoofing me and I don't think I can do anything about it. I'm
> > going to be reinstalling some machines in need of KRUD 9 anyway, maybe
> > I'll test a Debian install on one as well. I'm thinking of also
> > upgrading the bridge to use MAC addresses, and then in addition to MAC
> > address filtering, having it *also* filter by IP.
>
> You should definitely report this spoofing traffic to your ISP.  If they
> were doing proper ingress and egress filtering, you'd never have seen
> that spoofed address from anywhere other than your local LAN.  They
> should be aware that their configuration is allowing someone to do this
> using your IP address.

The high traffic of comcast cable was mentioned, and he wasn't 
exaggerating any. When I go to use tcpdump on the hostile side of the 
bridge, it is massive; I have to use grep or awk, since I don't know 
enough about narrowing down output with just tcpdump (although I did use 
some filters to exclude a lot of things, I find complex filters 
difficult in tcpdump).

Once I get things at this end rebuilt I will dig in more and find out 
who it is. It is nice to know, though, that the reason I couldn't find the 
local process or inbound hit was because it wasn't on the demilitarized 
side of the bridge; it was spoofed from outside... on 4 different IPs. 
The traffic at the cable modem itself is from an enormous number of 
machines; it is quite a different beast from normal LANs.

D. Stimits, stimits AT comcast DOT net
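The tcpdump narrowing discussed in the reply above, as an added example that is not part of the original thread: a pcap filter that selects frames arriving from the upstream side but claiming a source address inside the protected LAN, plus an awk summary of which spoofed addresses are being used. The interface name, local prefix, upstream MAC address and the sample capture lines are assumed, constructed values.

```shell
#!/bin/sh
# Added example (not from the original post): narrow tcpdump output on the
# outside interface of a bridge to frames that carry a source address from
# the protected LAN but arrive from the upstream gateway's MAC. Legitimate
# LAN traffic never enters from that direction, so any match is spoofed.
# Interface, prefix, MAC and sample capture are constructed assumptions.

OUTSIDE_IF=eth0                 # interface facing the cable modem (assumed)
LOCAL_NET=192.0.2.0/24          # prefix behind the bridge (assumed)
UPSTREAM_MAC=00:aa:bb:cc:dd:ee  # MAC of the cable modem / ISP gateway (assumed)

# pcap filter that does the narrowing inside tcpdump instead of grep/awk:
# IPv4, source inside our own prefix, Ethernet source = the upstream gateway.
spoof_filter() {
    printf 'ip and src net %s and ether src %s' "$LOCAL_NET" "$UPSTREAM_MAC"
}

# Live capture (not exercised offline). -n skips DNS lookups, -e prints the
# Ethernet header so the real sender MAC stays visible in the output.
capture_spoofed() {
    tcpdump -n -e -i "$OUTSIDE_IF" "$(spoof_filter)"
}

# Count frames per spoofed source IP from "tcpdump -n -e" text on stdin.
# Lines look like: "<time> <srcmac> > <dstmac>, ethertype IPv4 (0x0800),
# length N: <srcip>.<port> > <dstip>.<port>: ...". The source IP is the
# second token after the first "length"; the trailing ".port" is stripped.
summarise_spoofed() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i == "length") { src = $(i + 2); break }
        sub(/\.[0-9]+$/, "", src)
        n[src]++
    }
    END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Constructed sample of what capture_spoofed would print: three frames,
# two distinct spoofed source addresses, all from the upstream MAC.
SAMPLE_CAPTURE='22:43:27.000001 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 60: 192.0.2.10.40000 > 203.0.113.5.80: Flags [S], seq 1, win 512, length 0
22:43:27.000002 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 60: 192.0.2.10.40001 > 203.0.113.5.80: Flags [S], seq 2, win 512, length 0
22:43:27.000003 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 60: 192.0.2.77.40002 > 203.0.113.9.25: Flags [S], seq 3, win 512, length 0'

# Offline run over the sample: prints "2 192.0.2.10" then "1 192.0.2.77".
printf '%s\n' "$SAMPLE_CAPTURE" | summarise_spoofed
```

The per-address counts and the upstream MAC are what an ISP abuse desk needs when asked to add ingress/egress filtering, as Nate suggests above.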
