[Dshield] Ping Problems

Jim Gifford maillist at jg555.com
Mon Nov 4 23:17:51 GMT 2002


I checked, numerous people have reported them. I received this from them on
10/28/02

"However we are very mindful that this might cause some disruption and we
have excluded the following addresses submitted from further performance
monitoring.

This change will take effect within the next 24 hours. If there are any
other destinations you administer that you wish to exclude please provide
us with the explicit IP address for each such server."

----- Original Message -----
From: <keithtarrant at spamcop.net>
To: <list at dshield.org>
Sent: Sunday, November 03, 2002 9:44 PM
Subject: Re: [Dshield] Ping Problems


> Don't worry about him Jim.  To some people if it isn't illegal it is okay.
> And some people find implementing and monitoring computer security, new
> people, and the Internet, b o r i n g.
>
> You're being a good guy letting Internap Network Services know they have
> an Internet related problem, and that is a big part of what DShield is
> about.
>
> You could check the source IP on www.dshield.org and see if anyone else is
> getting pinged or probed by them.
>
> Either someone is spoofing Internap Network Services' IP address, or
> Internap Network Services has a system that is malfunctioning.  Either
> way, Internap Network Services should be concerned.  (Not to say a
> glorified telephone attendant at Internap Network Services will care, but
> the company and its real IT and admin staff and management will.)  -- A
> malfunction is *sometimes* a symptom of having been hacked.  I'm sure it
> wasn't designed to ping you.  Their entire system may be fully
> compromised.  Or it might be a typo on a line of code.  Without an
> investigation who knows.  So they'll want to check it out.
>
> You don't say how you contacted them.  I'd email both of these separately,
> so they don't assume someone else will take care of it.
> security at internap.com
> abuse at internap.com
> Of course these are from:
> http://www.internap.com/contact/index.html
> Don't expect 24 hour service on a weekend, especially if your subject line
> doesn't get their attention.  From their website they aren't someone in a
> basement with nothing else to do.
>
> Put your email in terms of their interests:  I would mention the
> likelihood that one of their systems has been compromised or is
> malfunctioning in the subject line.  (If someone is spoofing their IP
> address there isn't really much they can do, so don't mention that.  It is
> obvious enough that if their system isn't sending the pings they
> will quickly come to that conclusion.)
>
> So "Subject:  123.123.123.123 hacked or malfunctioning".
>
> In the body say you "are giving them a friendly warning that their system
> may have been compromised" and very briefly describe the events, your
> actions to date, and say "please investigate."  Then paste in your log
> extract.
>
> And if you have a special reason to be concerned, phone their corporate
> offices (404) 475-0500.  And ask to speak to their manager for network
> operations or security.  I would say this is their problem not yours, Jim
> is right about that.  It is their system that is malfunctioning or
> compromised (or their IP being spoofed).  And it isn't harming your system
> or anyone else's ... from what you have seen ... so far.
>
> (If someone wants to do a denial of service attack on you with pings,
> you'll get tens of thousands an hour, probably with many different spoofed
> source IP addresses.  And if someone wants to hack you, they will try port
> after port looking for a weakness.  And if they don't find one you'll
> start getting trojans in your email, or your facility will be burgled.)
>
> Good luck.
>
> Keith