[lug] port 220 progress
D. Stimits
stimits at comcast.net
Wed Jan 21 22:43:27 MST 2004
Nate Duehr wrote:
>
> On Wednesday, Jan 21, 2004, at 19:00 America/Denver, D. Stimits wrote:
>
> > I still plan to completely overhaul everything here, I really don't
> > like all the problems I've had finding this. And someone out there is
> > still spoofing me and I don't think I can do anything about it. I'm
> > going to be reinstalling some machines in need of KRUD 9 anyway, maybe
> > I'll test a Debian install on one as well. I'm thinking of also
> > upgrading the bridge to use MAC addresses, and then in addition to MAC
> > address filtering, having it *also* filter by IP.
>
>
> You should definitely report this spoofing traffic to your ISP. If they
> were doing proper ingress and egress filtering, you'd never have seen
> that spoofed address from anywhere other than your local LAN. They
> should be aware that their configuration is allowing someone to do this
> using your IP address.
The high traffic of comcast cable was mentioned, and he wasn't
exaggerating any. When I go to use tcpdump on the hostile side of the
bridge, it is massive, I have to use grep or awk, since I don't know
enough about narrowing down output with just tcpdump (although I did use
some filters to exclude a lot of things, I find complex filters
difficult in tcpdump).
Once I get things at this end rebuilt I will dig in more and find out
who it is. It is nice to know though that the reason I couldn't find the
local process or inbound hit was because it wasn't on the demilitarized
side of the bridge, it was spoofed from outside...on 4 different IP's.
The traffic at the cable modem itself is from an enormous number of
machines, it is quite a different beast from normal LANs.
D. Stimits, stimits AT comcast DOT net
More information about the LUG
mailing list