Are you doing proper BCP 38 configuration, ensuring that you are not spoofing IP addresses?
From: Af [mailto:[email protected]] On Behalf Of Ken Hohhof
Sent: Tuesday, April 5, 2016 10:20 AM
To: [email protected]
Subject: Re: [AFMUG] malicious activity reports

Sure it isn't security-database.com? In any case, a lot of DDoS traffic is from spoofed IPs, so alerting the holder of the IP block probably isn't very helpful. Are these customer or infrastructure IPs? If it was a server or router IP, I might check to see if maybe I was being used in an amplification attack. If it's a customer IP, I wouldn't just forward it to the customer without more investigation.

I have never heard of securitydatabase.com before. I would pay more attention if the alert was coming from a corporation, university, or government IT department that had some credibility, or another ISP.

From: Josh Reynolds <[email protected]>
Sent: Tuesday, April 05, 2016 10:06 AM
To: [email protected]
Subject: Re: [AFMUG] malicious activity reports

You weren't kidding... Wow. I'd buy that.

Wait, what's the question again? :)

On Apr 5, 2016 10:04 AM, "That One Guy /sarcasm" <[email protected]> wrote:

We have been receiving reports of our IPs being used in various malicious activity (DDoS and whatnot). securitydatabase.com is the primary sender of the notifications. Their website is just some chick in a half shirt selling cheap security stuff, so it's suspect to me whether these are legitimate complaints I should forward on to our customers.

--
If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.
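The BCP 38 question at the top of the thread is about ingress filtering (RFC 2827): a packet arriving on a customer-facing interface may only carry a source address from the prefixes assigned to that interface, otherwise the network can be used as a spoofed-source reflector in the kind of DDoS the abuse reports describe. The example below is added here and is not code from the AFMUG thread or any poster; it models that policy as a small Python checker run over constructed packets and renders the same policy as an nftables ruleset. The interface names (eth1, eth2), the customer prefixes (RFC 5737 documentation ranges) and the sample packets are all constructed for illustration.

```python
"""BCP 38 / RFC 2827 ingress filtering, modelled as a checker plus an
nftables ruleset generator. Added example; topology below is constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed topology: the source prefixes that may legitimately enter each
# customer-facing interface. Any other source arriving on that interface is
# forged and is dropped at the edge (fail-closed for unknown interfaces).
ALLOWED_SOURCES = {
    "eth1": [ipaddress.ip_network("203.0.113.0/25")],   # customer pool A
    "eth2": [ipaddress.ip_network("198.51.100.0/24")],  # customer pool B
}


@dataclass(frozen=True)
class Packet:
    iface: str  # ingress interface the packet arrived on
    src: str    # source IP as seen on the wire
    dst: str    # destination IP


def is_spoofed(pkt: Packet) -> bool:
    """True when the source address is not assigned to the ingress interface
    (a BCP 38 violation). Unknown interfaces are treated as untrusted."""
    allowed = ALLOWED_SOURCES.get(pkt.iface)
    if allowed is None:
        return True
    src = ipaddress.ip_address(pkt.src)
    return not any(src in net for net in allowed)


def filter_packets(packets):
    """Split a batch of packets into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for p in packets:
        (dropped if is_spoofed(p) else forwarded).append(p)
    return forwarded, dropped


def nftables_ruleset(allowed=ALLOWED_SOURCES) -> str:
    """Render the same policy as an nftables ruleset: on each customer
    interface, drop anything whose source is outside that interface's set."""
    lines = [
        "table inet bcp38 {",
        "  chain ingress_filter {",
        "    type filter hook prerouting priority -150; policy accept;",
    ]
    for iface, nets in allowed.items():
        set_expr = ", ".join(str(n) for n in nets)
        lines.append(f'    iifname "{iface}" ip saddr != {{ {set_expr} }} counter drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed sample traffic (192.0.2.0/24 is a documentation range here).
SAMPLE_PACKETS = [
    Packet("eth1", "203.0.113.10", "192.0.2.1"),   # legitimate: pool A on eth1
    Packet("eth1", "198.51.100.7", "192.0.2.1"),   # spoofed: pool B address on eth1
    Packet("eth2", "198.51.100.7", "192.0.2.1"),   # legitimate: pool B on eth2
    Packet("eth1", "192.0.2.44", "192.0.2.1"),     # spoofed: not ours at all
    Packet("eth9", "203.0.113.10", "192.0.2.1"),   # unknown interface: dropped
]


if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drp)}")
    for p in drp:
        print(f"  drop {p.src} on {p.iface}")
    print(nftables_ruleset())
```

The checker and the generated ruleset encode the same decision, so the Python half is useful for testing a prefix inventory before pushing it to routers; on real gear the equivalent is strict-mode unicast RPF or per-interface ACLs, and the `counter` on each drop rule gives a quick way to see whether customers are actually emitting spoofed traffic.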
