[Dshield] Ping Problems

keithtarrant@spamcop.net keithtarrant at spamcop.net
Mon Nov 4 05:44:24 GMT 2002


Don't worry about him Jim.  To some people if it isn't illegal it is okay.
And some people find implementing and monitoring computer security, new
people, and the Internet, b o r i n g.

You're being a good guy letting Internap Network Services know they have
an Internet related problem, and that is a big part of what DShield is
about.

You could check the source IP on www.dshield.org and see if anyone else is
getting pinged or probed by them.

Either someone is spoofing Internap Network Services' IP address, or
Internap Network Services has a system that is malfunctioning.  Either
way, Internap Network Services should be concerned.  (Not to say a
glorified telephone attendant at Internap Network Services will care, but
the company and its real IT and admin staff and management will.)  -- A
malfunction is *sometimes* a symptom of having been hacked.  I'm sure it
wasn't designed to ping you.  Their entire system may be fully
compromised.  Or it might be a typo on a line of code.  Without an
investigation who knows.  So they'll want to check it out.

You don't say how you contacted them.  I'd email both of these separately,
so they don't assume someone else will take care of it.
security at internap.com
abuse at internap.com
Of course these are from:
http://www.internap.com/contact/index.html
Don't expect 24 hour service on a weekend, especially if your subject line
doesn't get their attention.  From their website they aren't someone in a
basement with nothing else to do.

Put your email in terms of their interests:  I would mention the
likelihood that one of their systems has been compromised or is
malfunctioning in the subject line.  (If someone is spoofing their IP
address there isn't really much they can do, so don't mention that.  It is
obvious enough that if their system isn't sending the pings they
will quickly come to that conclusion.)

So "Subject:  123.123.123.123 hacked or malfunctioning".

In the body say you "are giving them a friendly warning that their system
may have been compromised" and very briefly describe the events, your
actions to date, and say "please investigate."  Then paste in your log
extract.

And if you have a special reason to be concerned, phone their corporate
offices (404) 475-0500.  And ask to speak to their manager for network
operations or security.  I would say this is their problem not yours, Jim
is right about that.  It is their system that is malfunctioning or
compromised (or their IP being spoofed).  And it isn't harming your system
or anyone else's ... from what you have seen ... so far.

(If someone wants to do a denial of service attack on you with pings,
you'll get tens of thousands an hour, probably with many different spoofed
source IP addresses.  And if someone wants to hack you, they will try port
after port looking for a weakness.  And if they don't find one you'll
start getting trojans in your email, or your facility will be burgled.)

Good luck.

Keith




