Dean Anderson <dean(_at_)av8(_dot_)com> wrote:
> Alan, I think you misremember. And looking at www.striker.ottawa.on.ca just
> now, I see you've been subject to reverse ping floods as well.
Not surprisingly, you're missing a key point of information. This
leads you to erroneous conclusions.
FYI: At one point, I added FW rules to the box so that port 25 was
open for 5 of my closest friends, and would send ICMP Port
unreachables to everyone else. While this may not have been the best
thing to do, it caught many idiots.
"port unreachable" != "reverse ping flood"
> These happen when people send pings with your IP address as the ICMP
> source IP address. That's why you get people calling up and saying
> "your machine is attacking me".
Port unreachables are sent when their SMTP server tries to connect
to mine. The flood of SMTP sessions from compromised boxes leads to
floods of returning "go away" messages from my box. If they're
idiots, they quickly conclude that I'm attacking them.
This has happened not once, not twice, but multiple times. In every
case, I was in contact with the admins of the compromised box, and
once I convinced them to turn off SMTP, the spam delivery attempt
stopped, and therefore the ICMP messages from my box stopped.
And once they fixed the problem, it didn't re-occur from their site.
> But in fact, those packets originate from the botnet machines.
In fact, you're wrong. The packets in question originated from MY
machine. I know this, you don't.
Please stop, Dean. It's embarrassing.
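
The two kinds of ICMP traffic argued over in this message can be told apart from the packets themselves. The following is an added example, not part of the original message: it classifies an ICMP message as seen by the admin of the host receiving it, using the original IP header and first 8 payload bytes that a destination-unreachable message quotes back (RFC 792). The addresses, ports and sample packets are constructed, and the function names are hypothetical.

```python
import socket
import struct

# Constructed documentation addresses: ME receives the ICMP, PEER sent it.
ME, PEER = "192.0.2.10", "198.51.100.25"

def classify(icmp, my_ip):
    """Classify one ICMP message (ICMP header onward) received by my_ip."""
    if len(icmp) < 8:
        return "truncated"
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type == 0:
        # Echo reply: answers an echo request that carried my_ip as source.
        return "echo-reply"
    if (icmp_type, code) != (3, 3):
        return "other"
    # Type 3 code 3 = port unreachable. The body quotes the packet that
    # triggered it: original IP header plus its first 8 payload bytes.
    quoted = icmp[8:]
    ihl = (quoted[0] & 0x0F) * 4 if quoted else 0
    if ihl < 20 or len(quoted) < ihl + 4:
        return "port-unreachable: quoted header unusable"
    src = socket.inet_ntoa(quoted[12:16])
    dst = socket.inet_ntoa(quoted[16:20])
    dport = struct.unpack("!H", quoted[ihl + 2:ihl + 4])[0]
    if src == my_ip and quoted[9] == socket.IPPROTO_TCP and dport == 25:
        # The rejected packet was an SMTP connection attempt from our host.
        return f"port-unreachable: our host attempted SMTP to {dst}"
    return "port-unreachable: quoted packet is not our SMTP attempt"

def sample_port_unreachable(src=ME, dst=PEER):
    """Constructed sample: rejection of a TCP SYN from src to dst port 25."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp8 = struct.pack("!HHI", 40000, 25, 0)  # sport, dport, sequence number
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + tcp8

def sample_echo_reply():
    """Constructed sample: echo reply with id=1, seq=1 (checksum left zero)."""
    return struct.pack("!BBHHH", 0, 0, 0, 1, 1) + b"constructed"

if __name__ == "__main__":
    for pkt in (sample_port_unreachable(), sample_echo_reply()):
        print(classify(pkt, ME))
```
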