Everyone that's not doing BCP38 or its successors needs to hit themselves in the 
face with a Mack truck. 




----- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




----- Original Message -----

From: "Dennis Burgess" <[email protected]> 
To: [email protected] 
Sent: Tuesday, April 5, 2016 10:27:32 AM 
Subject: Re: [AFMUG] malicious activity reports 



Are you doing proper BCP 38 configuration, ensuring that you are not spoofing 
IP addresses? 



From: Af [mailto:[email protected]] On Behalf Of Ken Hohhof 
Sent: Tuesday, April 5, 2016 10:20 AM 
To: [email protected] 
Subject: Re: [AFMUG] malicious activity reports 




Sure it isn’t security-database.com? 



In any case, a lot of DDoS traffic is from spoofed IPs, so alerting the holder 
of the IP block probably isn’t very helpful. 



Are these customer or infrastructure IPs? If it was a server or router IP, I 
might check to see if maybe I was being used in an amplification attack. If 
it’s a customer IP, I wouldn’t just forward it to the customer without more 
investigation. I have never heard of securitydatabase.com before. I would pay 
more attention if the alert was coming from a corporation, university, or 
government IT department that had some credibility, or another ISP. 








From: Josh Reynolds 

Sent: Tuesday, April 05, 2016 10:06 AM 

To: [email protected] 

Subject: Re: [AFMUG] malicious activity reports 



You weren't kidding... Wow. I'd buy that. 
Wait, what's the question again? :) 

On Apr 5, 2016 10:04 AM, "That One Guy /sarcasm" < [email protected] > 
wrote: 



We have been receiving reports of our IPs being used in various malicious 
activity (DDoS and whatnot). 

securitydatabase.com is the primary sender of the notifications. Their website 
is just some chick in a half shirt selling cheap security stuff, so it's suspect 
to me whether these are legitimate complaints I should forward on to our 
customers. 



-- 




If you only see yourself as part of the team but you don't see your team as 
part of yourself you have already failed as part of the team. 

