This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/members-discuss@ripe.net/
[members-discuss] What to do
- Previous message (by thread): [members-discuss] What to do
- Next message (by thread): [members-discuss] What to do
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Henrik Kramshøj Solido NOC abuse
noc at solido.net
Wed Nov 23 11:16:45 CET 2011
On 23/11/2011, at 11.09, Comunicaciones ACOTELSA wrote: > Our prefix is 178.19.32.0/21 and the attack was to all the range of IP. We have detected four different attacks in the last 48 hours, from different networks or RIRs. The source was from Chinesse (three of them) and USA (the last). > > All the attack was with packets from the 80 tcp port to the 80 tcp port so it could be from zombie web servers. > > Now, we are alerting and we will inform you about any new problem. Hi Traffic initiated FROM port 80 is very uncommon and you should be able to filter out these very easily using stateless ACL filters on your edge router, or certainly on your firewall. Normal HTTP traffic from clients - browser to server - is from high ports and then to port 80 on the server, like (source ip, source port, destination ip, destination port, protocol) (IP 91.102.xx.18, source port 22101, destination IP 91.102.xx.17, destination port 80, protocol tcp) I can highly recommend the http://www.team-cymru.org/ site and their tools, such as the secure templates, like the Cisco IOS one http://www.team-cymru.org/ReadingRoom/Templates/secure-bgp-template.html Best regards Henrik, abuse handler at AS12617 -- Henrik Lund Kramshøj, Follower of the Great Way of Unix hlk at kramse.org hlk at solidonetworks.com +45 2026 6000 cand.scient CISSP CEH http://solidonetworks.com/ Network Security is a business enabler
- Previous message (by thread): [members-discuss] What to do
- Next message (by thread): [members-discuss] What to do
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]