[Dshield] Ping Problems
ed.truitt at etee2k.net
Mon Nov 4 14:41:14 GMT 2002
Actually, this is likely a "feature" of Internap. They use these pings to
measure Internet performance, as part of their own service guarantees and to
ascertain the best path from Point (a) to Point (b). I have read threads
about this traffic before (maybe not on this list, but somewhere I am sure).
PGP fingerprint: 5368 D25E 468C A250 9833 CCD6 DBAE 9C25 02F9 0AB9
"Note to spammers: my 'delete' key is connected to YOUR ISP.
Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."
----- Original Message -----
From: <keithtarrant at spamcop.net>
To: <list at dshield.org>
Sent: Sunday, November 03, 2002 11:44 PM
Subject: Re: [Dshield] Ping Problems
> Don't worry about him Jim. To some people if it isn't illegal it is okay.
> And some people find implementing and monitoring computer security, new
> people, and the Internet, b o r i n g.
> You're being a good guy letting Internap Network Services know they have
> an Internet related problem, and that is a big part of what DShield is
> You could check the source IP on www.dshield.org and see if anyone else is
> getting pinged or probed by them.
> Either someone is spoofing Internap Network Services' IP address, or
> Internap Network Services has a system that is malfunctioning. Either
> way, Internap Network Services should be concerned. (Not to say a
> glorified telephone attendant at Internap Network Services will care, but
> the company and its real IT and admin staff and management will.) -- A
> malfunction is *sometimes* a symptom of having been hacked. I'm sure it
> wasn't designed to ping you. Their entire system may be fully
> compromised. Or it might be a typo on a line of code. Without an
> investigation who knows. So they'll want to check it out.
> You don't say how you contacted them. I'd email both of these separately,
> so they don't assume someone else will take care of it.
> security at internap.com
> abuse at internap.com
> Of course these are from:
> Don't expect 24 hour service on a weekend, especially if your subject line
> doesn't get their attention. From their website they aren't someone in a
> basement with nothing else to do.
> Put your email in terms of their interests: I would mention the
> likelihood that one of their systems has been compromised or is
> malfunctioning in the subject line. (If someone is spoofing their IP
> address there isn't really much they can do, so don't mention that. It is
> obvious enough that if their system isn't sending the pings they
> will quickly come to that conclusion.)
> So "Subject: 220.127.116.11 hacked or malfunctioning".
> In the body say you "are giving them a friendly warning that their system
> may have been compromised" and very briefly describe the events, your
> actions to date, and say "please investigate." Then paste in your log
> And if you have a special reason to be concerned, phone their corporate
> offices (404) 475-0500. And ask to speak to their manager for network
> operations or security. I would say this is their problem not yours, Jim
> is right about that. It is their system that is malfunctioning or
> compromised (or their IP being spoofed). And it isn't harming your system
> or anyone else's ... from what you have seen ... so far.
> (If someone wants to do a denial of service attack on you with pings,
> you'll get tens of thousands an hour, probably with many different spoofed
> source IP addresses. And if someone wants to hack you, they will try port
> after port looking for a weakness. And if they don't find one you'll
> start getting trojans in your email, or your facility will be burgled.)
> Good luck.