[members-discuss] What to do

On 23/11/2011, at 11.09, Comunicaciones ACOTELSA wrote:

> Our prefix is 178.19.32.0/21 and the attack was to all the range of IP. We have detected four different attacks in the last 48 hours, from different networks or RIRs. The source was from Chinesse (three of them) and USA (the last).
> 
> All the attack was with packets from the 80 tcp port to the 80 tcp port so it could be from zombie web servers.
> 
> Now, we are alerting and we will inform you about any new problem.

Hi

Traffic initiated FROM port 80 is very uncommon and you should be able to filter out these very easily using stateless ACL filters
on your edge router, or certainly on your firewall.

Normal HTTP traffic from clients - browser to server - is from high ports and then to port 80 on the server, like
(source ip, source port, destination ip, destination port, protocol)

(IP 91.102.xx.18, source port 22101, destination IP 91.102.xx.17, destination port 80, protocol tcp)


I can highly recommend the http://www.team-cymru.org/ site and their tools, such as the 
secure templates, like the Cisco IOS one http://www.team-cymru.org/ReadingRoom/Templates/secure-bgp-template.html



Best regards

Henrik, abuse handler at AS12617
--
Henrik Lund Kramshøj, Follower of the Great Way of Unix
hlk at kramse.org hlk at solidonetworks.com 
+45 2026 6000 cand.scient CISSP CEH
http://solidonetworks.com/ Network Security is a business enabler