[Dshield] Ping Problems

Ed Truitt ed.truitt at etee2k.net
Mon Nov 4 14:41:14 GMT 2002


Actually, this is likely a "feature" of Internap.  They use these pings to
measure Internet performance, as part of their own service guarantees and to
ascertain the best path from Point (a) to Point (b).  I have read threads
about this traffic before (maybe not on this list, but somewhere I am sure).

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."

----- Original Message -----
From: <keithtarrant at spamcop.net>
To: <list at dshield.org>
Sent: Sunday, November 03, 2002 11:44 PM
Subject: Re: [Dshield] Ping Problems


> Don't worry about him Jim.  To some people if it isn't illegal it is okay.
> And some people find implementing and monitoring computer security, new
> people, and the Internet, b o r i n g.
>
> You're being a good guy letting Internap Network Services know they have
> an Internet related problem, and that is a big part of what DShield is
> about.
>
> You could check the source IP on www.dshield.org and see if anyone else is
> getting pinged or probed by them.
>
> Either someone is spoofing Internap Network Services' IP address, or
> Internap Network Services has a system that is malfunctioning.  Either
> way, Internap Network Services should be concerned.  (Not to say a
> glorified telephone attendant at Internap Network Services will care, but
> the company and its real IT and admin staff and management will.)  -- A
> malfunction is *sometimes* a symptom of having been hacked.  I'm sure it
> wasn't designed to ping you.  Their entire system may be fully
> compromised.  Or it might be a typo on a line of code.  Without an
> investigation who knows.  So they'll want to check it out.
>
> You don't say how you contacted them.  I'd email both of these separately,
> so they don't assume someone else will take care of it.
> security at internap.com
> abuse at internap.com
> Of course these are from:
> http://www.internap.com/contact/index.html
> Don't expect 24 hour service on a weekend, especially if your subject line
> doesn't get their attention.  From their website they aren't someone in a
> basement with nothing else to do.
>
> Put your email in terms of their interests:  I would mention the
> likelihood that one of their systems has been compromised or is
> malfunctioning in the subject line.  (If someone is spoofing their IP
> address there isn't really much they can do, so don't mention that.  It is
> obvious enough that if their system isn't sending the pings they
> will quickly come to that conclusion.)
>
> So "Subject:  123.123.123.123 hacked or malfunctioning".
>
> In the body say you "are giving them a friendly warning that their system
> may have been compromised" and very briefly describe the events, your
> actions to date, and say "please investigate."  Then paste in your log
> extract.
>
> And if you have a special reason to be concerned, phone their corporate
> offices (404) 475-0500.  And ask to speak to their manager for network
> operations or security.  I would say this is their problem not yours, Jim
> is right about that.  It is their system that is malfunctioning or
> compromised (or their IP being spoofed).  And it isn't harming your system
> or anyone else's ... from what you have seen ... so far.
>
> (If someone wants to do a denial of service attack on you with pings,
> you'll get tens of thousands an hour, probably with many different spoofed
> source IP addresses.  And if someone wants to hack you, they will try port
> after port looking for a weakness.  And if they don't find one you'll
> start getting trojans in your email, or your facility will be burgled.)
>
> Good luck.
>
> Keith