[Dshield] F5 3DNS/Coldwater Creek

millerbn millerbn at chiba.dhs.org
Sun Oct 13 15:03:06 GMT 2002


I know the F5 3DNS products are supposed to establish their metrics through UDP port
53 probes. I know that Microsoft uses them and scans for hours. So far it all seems pretty
reasonable, now enter Coldwater Creek Inc into the picture. Currently on the second week
(that's right, two WEEKS) of their port 53 probes, on a daily basis. Our IP space is small (4
total) with a handful of users, none remember surfing to their site. Outbound logs even
corroborate this as in two months only my visit to their site is logged; I was curious to see
just what they are. A polite but firm message to their technical contact (listed in ARIN) gets
me a reply, too bad it's a brochure about F5 products. Real helpful, huh? Never expected
a reply from Sprint or AT&T (their upstream providers) so I'm not surprised there. Missed it
before but there is a port 80 probe from one of their subnets, since it was the same day I
emailed their technical contact I'll assume it's him wanting to see our website and not a
Code Red or whatever. No public website anyway, so it's a moot point. Have yet to hear
from him about my reply to his 'explanation' (read F5 brochure), but since it's the weekend -
I can be patient. Just thought I'd be proactive and see what the list thought of this. With the
amount of time involved I'd hate to think I'm over-reacting but I guess it's possible. I had
assumed that patience would prevail and the probes would taper off, doesn't look that way.
Looks like the IP addresses in question have a number of records in the db with a substantial
amount of unique targets. Either no fightback sent or no reply received, though I didn't check
all of them.

Comments, suggestions welcome.

Example logs (previously submitted to the dshield db) that have been trimmed for brevity and 
partially obfuscated just because...to clarify on the trim job; average of three packets per 
instance reduced to the first only.

UTC-5

2002-10-02 22:56:58.663865 204.120.131.30	26869	65.187.137.XXX	53	UDP
2002-10-02 22:57:04.008388 12.32.40.30	34142	65.187.137.XXX	53	UDP
2002-10-02 22:57:11.039172 12.32.39.7	59628	65.187.137.XXX	53	UDP
2002-10-03 08:24:38.417368 12.32.39.30	45978	65.187.137.XXX	53	UDP
2002-10-03 08:24:46.427529 12.32.40.7	7017	65.187.137.XXX	53	UDP
2002-10-03 08:26:12.065871 204.120.131.30	29782	65.187.137.XXX	53	UDP
2002-10-03 17:23:48.617494 12.32.40.30	38921	65.187.137.XXX	53	UDP
2002-10-03 17:23:49.589698 12.32.39.7	63958	65.187.137.XXX	53	UDP
2002-10-03 17:24:56.128916 204.120.131.6	38477	65.187.137.XXX	53	UDP
2002-10-04 02:50:08.450263 12.32.39.6	51775	65.187.137.XXX	53	UDP
2002-10-04 02:50:24.936689 12.32.40.30	41011	65.187.137.XXX	53	UDP
2002-10-04 02:51:22.853118 204.120.131.6	39383	65.187.137.XXX	53	UDP
2002-10-04 12:16:58.809568 12.32.39.7	4522	65.187.137.XXX	53	UDP
2002-10-04 12:17:08.352278 12.32.40.30	43315	65.187.137.XXX	53	UDP
2002-10-04 12:51:33.062801 204.120.131.5	33374	65.187.137.XXX	53	UDP
2002-10-04 21:38:12.769819 12.32.39.30	52535	65.187.137.XXX	53	UDP
2002-10-04 21:38:28.452537 12.32.40.30	45583	65.187.137.XXX	53	UDP
2002-10-04 22:14:22.379031 204.120.131.7	35975	65.187.137.XXX	53	UDP
2002-10-05 07:24:24.139526 12.32.40.30	47606	65.187.137.XXX	53	UDP
2002-10-05 07:26:52.963525 12.32.39.7	8205	65.187.137.XXX	53	UDP
2002-10-05 07:57:05.909519 204.120.131.30	44014	65.187.137.XXX	53	UDP
2002-10-05 16:58:20.815055 12.32.40.6	44553	65.187.137.XXX	53	UDP
2002-10-05 16:58:22.686455 12.32.39.30	55703	65.187.137.XXX	53	UDP
2002-10-05 17:32:16.604266 204.120.131.30	46555	65.187.137.XXX	53	UDP
2002-10-06 02:28:34.157299 12.32.39.7	11558	65.187.137.XXX	53	UDP
2002-10-06 02:34:55.142108 12.32.40.7	17172	65.187.137.XXX	53	UDP
2002-10-06 03:03:12.204398 204.120.131.30	48979	65.187.137.XXX	53	UDP
2002-10-06 12:04:56.927717 12.32.39.7	13083	65.187.137.XXX	53	UDP
2002-10-06 12:11:04.723204 12.32.40.7	18583	65.187.137.XXX	53	UDP
2002-10-06 12:35:52.492316 204.120.131.30	51434	65.187.137.XXX	53	UDP
2002-10-06 21:32:13.479465 12.32.39.30	60293	65.187.137.XXX	53	UDP
2002-10-06 21:38:40.344172 12.32.40.7	19991	65.187.137.XXX	53	UDP
2002-10-06 22:04:54.688497 204.120.131.7	40301	65.187.137.XXX	53	UDP
2002-10-07 07:01:23.722234 12.32.39.30	61836	65.187.137.XXX	53	UDP
2002-10-07 07:08:16.049976 12.32.40.7	21447	65.187.137.XXX	53	UDP
2002-10-07 08:05:02.813168 204.120.131.30	56529	65.187.137.XXX	53	UDP
2002-10-07 23:16:45.565022 12.32.39.6	3004	65.187.137.XXX	53	UDP
2002-10-07 23:59:04.268647 204.120.131.5	3063	65.187.137.XXX	53	UDP
2002-10-08 00:10:27.077316 12.32.40.6	2924	65.187.137.XXX	53	UDP
2002-10-08 18:14:08.019909 12.32.39.7	6698	65.187.137.XXX	53	UDP
2002-10-08 20:07:35.234820 12.32.40.7	6541	65.187.137.XXX	53	UDP
2002-10-08 20:29:03.879986 204.120.131.30	9208	65.187.137.XXX	53	UDP
2002-10-09 03:43:11.782774 12.32.39.7	8456	65.187.137.XXX	53	UDP
2002-10-09 05:37:26.634325 12.32.40.30	9699	65.187.137.XXX	53	UDP
2002-10-09 05:57:47.902673 204.120.131.30	11926	65.187.137.XXX	53	UDP
2002-10-09 13:10:27.815170 12.32.39.30	10835	65.187.137.XXX	53	UDP
2002-10-09 15:03:11.493538 12.32.40.30	12147	65.187.137.XXX	53	UDP
2002-10-09 15:22:47.417784 204.120.131.7	46449	65.187.137.XXX	53	UDP
2002-10-09 22:19:36.984584 12.32.39.30	12878	65.187.137.XXX	53	UDP
2002-10-10 17:32:01.741964 12.32.39.6	16473	65.187.137.XXX	53	UDP
2002-10-10 19:25:53.152651 12.32.40.30	19384	65.187.137.XXX	53	UDP
2002-10-10 19:44:46.386897 204.120.131.30	24094	65.187.137.XXX	53	UDP
2002-10-11 02:59:21.117170 12.32.39.30	19050	65.187.137.XXX	53	UDP
2002-10-11 04:54:05.922587 12.32.40.6	16353	65.187.137.XXX	53	UDP
2002-10-11 05:10:48.201544 204.120.131.6	62472	65.187.137.XXX	53	UDP
2002-10-11 12:27:36.717484 12.32.39.7	20126	65.187.137.XXX	53	UDP
2002-10-11 14:15:29.517759 12.32.40.30	24505	65.187.137.XXX	53	UDP
2002-10-11 14:34:39.024091 204.120.131.30	30578	65.187.137.XXX	53	UDP
2002-10-11 16:04:44.487376 204.120.131.254	57303	65.187.137.XXX	80	TCP	S
2002-10-11 16:04:47.418478 204.120.131.254	57303	65.187.137.XXX	80	TCP	S
2002-10-11 16:04:53.429669 204.120.131.254	57303	65.187.137.XXX	80	TCP	S
2002-10-11 21:50:23.982705 12.32.39.30	23671	65.187.137.XXX	53	UDP
2002-10-11 23:42:05.592662 12.32.40.7	20773	65.187.137.XXX	53	UDP
2002-10-12 00:02:08.951260 204.120.131.7	52367	65.187.137.XXX	53	UDP
2002-10-12 07:22:54.512127 12.32.39.6	24731	65.187.137.XXX	53	UDP
2002-10-12 09:13:18.583088 12.32.40.30	29463	65.187.137.XXX	53	UDP
2002-10-12 09:32:47.370429 204.120.131.6	2584	65.187.137.XXX	53	UDP
2002-10-12 18:51:32.738393 12.32.40.6	23404	65.187.137.XXX	53	UDP
2002-10-12 19:09:18.972384 204.120.131.30	39996	65.187.137.XXX	53	UDP
2002-10-13 03:16:03.115835 12.32.39.6	28756	65.187.137.XXX	53	UDP
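
One way to summarise a log like the one above, added here as an example and not part of the original post: it groups the port 53 probes by source /24 and reports the median gap between consecutive probes from each network. The names `parse` and `probe_cadence` and the /24 grouping are assumptions of this example; the sample rows are copied from the first four rounds of the log plus one of the TCP/80 rows.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import median

# Rows copied from the log in the post (whitespace-separated; dst is obfuscated).
SAMPLE = """\
2002-10-02 22:56:58.663865 204.120.131.30 26869 65.187.137.XXX 53 UDP
2002-10-02 22:57:04.008388 12.32.40.30 34142 65.187.137.XXX 53 UDP
2002-10-02 22:57:11.039172 12.32.39.7 59628 65.187.137.XXX 53 UDP
2002-10-03 08:24:38.417368 12.32.39.30 45978 65.187.137.XXX 53 UDP
2002-10-03 08:24:46.427529 12.32.40.7 7017 65.187.137.XXX 53 UDP
2002-10-03 08:26:12.065871 204.120.131.30 29782 65.187.137.XXX 53 UDP
2002-10-03 17:23:48.617494 12.32.40.30 38921 65.187.137.XXX 53 UDP
2002-10-03 17:23:49.589698 12.32.39.7 63958 65.187.137.XXX 53 UDP
2002-10-03 17:24:56.128916 204.120.131.6 38477 65.187.137.XXX 53 UDP
2002-10-04 02:50:08.450263 12.32.39.6 51775 65.187.137.XXX 53 UDP
2002-10-04 02:50:24.936689 12.32.40.30 41011 65.187.137.XXX 53 UDP
2002-10-04 02:51:22.853118 204.120.131.6 39383 65.187.137.XXX 53 UDP
2002-10-11 16:04:44.487376 204.120.131.254 57303 65.187.137.XXX 80 TCP S
"""

def parse(text):
    """Yield (timestamp, src, dport, proto) per row; trailing TCP flags are ignored."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 7:  # skip blank or truncated rows
            ts = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S.%f")
            yield ts, f[2], int(f[5]), f[6]

def probe_cadence(text, dport=53, proto="UDP"):
    """Per source /24: probe count, distinct hosts, median gap in minutes."""
    seen = defaultdict(list)
    for ts, src, port, pr in parse(text):
        if port == dport and pr == proto:
            net = str(ipaddress.ip_network(f"{src}/24", strict=False))
            seen[net].append((ts, src))
    report = {}
    for net, hits in seen.items():
        hits.sort()  # chronological order within each network
        gaps = [(b[0] - a[0]).total_seconds() / 60 for a, b in zip(hits, hits[1:])]
        report[net] = {"probes": len(hits), "hosts": sorted({h for _, h in hits}),
                       "median_gap_min": round(median(gaps)) if gaps else None}
    return report

if __name__ == "__main__":
    for net, row in sorted(probe_cadence(SAMPLE).items()):
        print(net, row)
```

On these rows each of the three source networks shows a median gap of roughly nine and a half hours between probes.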



