[members-discuss] What to do

in order to figure out wether the source addresses are spoofed, just look 
at the ttl of the incoming packets, -even if they are different- trigger 
the box at the other end to send you a packet (icmp echo-reply, tcp 
reject, something like that), and then ofcourse the ttl on the packet you 
made it send by your self, should be more or less the same as the ttl on 
the incoming packets from that host.

(as usually, the source ip is spoofed)...


if the source ip is -not- spoofed... the procedure is quite simple, you 
pick up the phone and you call the noc of the originating networks and 
tell them to fix the issue :P


-- 
Greetings,

Sven Olaf Kamphuis,
CB3ROB Ltd. & Co. KG
=========================================================================
Address: Koloniestrasse 34         VAT Tax ID:      DE267268209
          D-13359                   Registration:    HRA 42834 B
          BERLIN                    Phone:           +31/(0)87-8747479
          Germany                   GSM:             +49/(0)152-26410799
RIPE:    CBSK1-RIPE                e-Mail:          sven at cb3rob.net
=========================================================================
<penpen> C3P0, der elektrische Westerwelle
http://www.facebook.com/cb3rob
=========================================================================

Confidential: Please be advised that the information contained in this
email message, including all attached documents or files, is privileged
and confidential and is intended only for the use of the individual or
individuals addressed. Any other use, dissemination, distribution or
copying of this communication is strictly prohibited.


On Tue, 22 Nov 2011, Markel Stefo wrote:

> I Saludos,
>
> Being a young lir I am not sure what the procedure should be but we would certianly appriciate, at least myself, to know what the IP causing the attack is or range therfore.
>
> Thanks in advance,
> Markel Stefo
> IP Core Network Administrator
> Plus Communicaction
>
> PS:Sorry to the list
>
> -----Original Message-----
> From: members-discuss-bounces at ripe.net [mailto:members-discuss-bounces at ripe.net] On Behalf Of Comunicaciones ACOTELSA
> Sent: Tuesday, November 22, 2011 4:41 PM
> To: members-discuss at ripe.net
> Subject: [members-discuss] What to do
>
> Hi all.
>
> We have detected a DoS from IP of APNIC, from China.
>
> Are there a procedure to inform APNIC or RIPE about the problem or the only
> way is inform to the WHOIS contact?
>
> Thanks in advance.
>
>
> Saludos...
>
> ===========================================
> Luis Ángel Lozano Aparicio
> Comunicaciones y Seguridad
> Grupo Acotel
> e-mail: comunicaciones at acotelsa.com
> ------------------------------------------
> Tlf: 983 440274  - 902 194273 Fax:983 548220
> Oficina 201 - Edificio Galileo, módulo Rojo
> Parque Tecnológico de Boecillo
> 47151 Boecillo (Valladolid) - España
> ===========================================
>
>
>
>
>
> Protección de Datos: ACOTELSA le informa de que los datos facilitados por Ud. y utilizados para el envío de esta comunicación serán objeto de tratamiento automatizado o no en nuestros ficheros, con la finalidad de gestionar la agenda de contactos de nuestra empresa y para el envío de comunicaciones profesionales por cualquier medio electrónico o no. Vd. podrá en cualquier momento ejercer el derecho de acceso, rectificación, cancelación y oposición en los términos establecidos en la Ley Orgánica 15/1999. El responsable del tratamiento es ACOTELSA, con domicilio en Ronda de Poniente, 3 bajo, 28760 Tres Cantos, Madrid.
>
> Confidencialidad El contenido de esta comunicación, así como el de toda la documentación anexa, es confidencial y va dirigido únicamente al destinatario del mismo. En el supuesto de que usted no fuera el destinatario, le solicitamos que nos lo indique y no comunique su contenido a terceros, procediendo a su destrucción. Gracias.
>
> Confidenciality The content of this communication and any attached information is confidential and exclusively for the use of the addressee. If you are not the addressee, we ask you to notify to the sender and do not pass its content to another person, and please be sure you destroy it. Thank you.
>
>
>
> ----
> If you don't want to receive emails from the RIPE NCC members-discuss
> mailing list, please log in to your LIR Portal account and go to the general page:
> https://lirportal.ripe.net/general/view
>
> Click on "Edit my LIR details", under "Subscribed Mailing Lists". From here, you can add or remove addresses.
>
> ----
> If you don't want to receive emails from the RIPE NCC members-discuss
> mailing list, please log in to your LIR Portal account and go to the general page:
> https://lirportal.ripe.net/general/view
>
> Click on "Edit my LIR details", under "Subscribed Mailing Lists". From here, you can add or remove addresses.
>