[Dshield] Unusual snort traffic

John Sage jsage at finchhaven.com
Mon Nov 12 02:32:56 GMT 2001


Stephen:

<blush>
It was total luck...
</blush>

Actually there have been a few times when I've tried IP addresses 
adjacent to a suspect IP that, as in this case, responds with a 
"connection refused".

In this case I was intrigued by the fact that he (Eric Lindvall) had 
only 209.221.176.0 - 209.221.176.15 assigned to him, so when you take out 
the network and broadcast IPs he's got - what? - 14 to work with?

It wouldn't have taken long to plug each of 'em into a web browser 
one-by-one and see what popped up; I went downward first and *bingo*

If you contact netscan.org it'd be interesting to hear what they have to 
say...

- John



Chan, Stephen (TIS, Singapore) wrote:

> Holy Netscans Batman! That is a mighty fine piece of investigative legwork.
> *Hats off*
> Thanks for the detailed followup John :-) I did conduct my own digging
> around, but got nowhere as detailed as you got.
> 
> I doubt if my network is a 'smurf amplifier' but might be a good idea to run
> the netscan on myself...
> 
> 
> Thanks again
> 
> 
> -----Original Message-----
> From: John Sage [mailto:jsage at finchhaven.com]
> Sent: Sunday, November 11, 2001 12:28 PM
> To: dshield at dshield.org
> Cc: stephen_chan at sg.ml.com
> Subject: Re: [Dshield] Unusual snort traffic
> 
> 
> Stephen:
> 
> <long, but maybe worth it...>


<snip>



