[Dshield] Road Runner is looking out for its customers for a change

John Sage jsage at finchhaven.com
Thu Aug 14 18:15:29 GMT 2003


umm..

On Thu, Aug 14, 2003 at 10:30:37AM -0700, walter woodrow wrote:
> 
> Today, I noticed that outside traffic on port 135 stopped.  But I
> still see internal traffic on the RR network.  I guess the blocking of
> port 135 is only for traffic outside the RR network?  These are IPs
> that were captured by my Linksys router trying to enter on port 135.
> 
>  
> 
> IP                     Attempts 
> 
> 24.27.72.97             13
> 24.27.72.135           9
> 24.27.68.210           9
> 24.27.77.159           7
> 24.27.78.94             7
> 24.27.78.97             5
> 24.27.77.72             5
> 24.27.67.40             4
> 24.27.69.70             2
> 24.27.67.186           2
> 24.27.72.6              2
> 24.27.74.206           2

<snippage> 

This is fairly much the way it works.

I'll let others go into the specifics of what percentage are sent out
to your local /24 as opposed to being sent out into the IP address
space in general, but I'm not sure this proves Road Runner is doing
anything at all..

For example, here's what I see (I'm at 12.82.x.x as a dialup into
AT&T's Seattle WA POP):

[jsage at sparky /storage/snorts] $ grep -c msblast alert.full-Aug.13.18\:26
2618

So, 2,618 hits on the snort alert "msblast exploit" within one alert
file.

And here's only *one* screenful that shows the source IPs from that
same alert file:

08/12/03-18:47:20.919279 12.82.167.70:1874 -> 12.82.157.216:4444
08/12/03-18:47:23.139502 12.82.168.212:1551 -> 12.82.157.216:4444
08/12/03-18:49:47.614228 12.82.163.226:4621 -> 12.82.157.216:4444
08/12/03-18:49:51.554642 12.82.166.25:3797 -> 12.82.157.216:4444
08/12/03-18:49:59.445451 12.82.166.223:3444 -> 12.82.157.216:4444
08/12/03-18:50:08.266369 12.82.167.238:2884 -> 12.82.157.216:4444
08/12/03-18:50:09.136445 12.82.163.226:4621 -> 12.82.157.216:4444
08/12/03-18:52:03.068035 12.82.160.93:1246 -> 12.82.157.216:4444
08/12/03-18:52:03.128051 12.82.168.165:2675 -> 12.82.157.216:4444
08/12/03-18:52:04.238167 12.82.168.237:2929 -> 12.82.157.216:4444
08/12/03-18:52:23.570127 12.82.168.165:2675 -> 12.82.157.216:4444
08/12/03-18:52:24.530245 12.82.160.93:1246 -> 12.82.157.216:4444
08/12/03-18:55:13.267457 12.82.171.70:1319 -> 12.82.157.216:4444
08/12/03-18:55:28.228983 12.82.169.187:4861 -> 12.82.157.216:4444
08/12/03-18:55:37.919972 12.82.171.37:1278 -> 12.82.157.216:4444
08/12/03-18:55:41.220305 12.82.154.107:2736 -> 12.82.157.216:4444
08/12/03-18:55:46.210795 12.82.144.48:4221 -> 12.82.157.216:4444
08/12/03-18:55:55.211917 12.82.147.45:4346 -> 12.82.157.216:4444
08/12/03-18:56:16.753904 12.82.131.130:3170 -> 12.82.157.216:4444
08/12/03-18:56:35.465822 12.82.146.103:3590 -> 12.82.157.216:4444
08/12/03-19:27:45.656582 12.82.163.111:3896 -> 12.82.157.216:4444
08/12/03-19:27:55.867623 12.82.164.238:2683 -> 12.82.157.216:4444
08/12/03-19:28:05.368589 12.82.163.111:3896 -> 12.82.157.216:4444
08/12/03-19:28:06.098661 12.82.164.78:3227 -> 12.82.157.216:4444
08/12/03-19:28:35.841699 12.82.164.183:3274 -> 12.82.157.216:4444
08/12/03-19:28:48.433006 12.82.165.95:3075 -> 12.82.157.216:4444
08/12/03-19:33:14.910267 12.82.164.25:4486 -> 12.82.157.216:4444
08/12/03-19:33:15.380259 12.82.168.43:1888 -> 12.82.157.216:4444
08/12/03-19:33:15.690267 12.82.168.43:1888 -> 12.82.157.216:4444
08/12/03-19:33:15.710285 12.82.164.25:4486 -> 12.82.157.216:4444
08/12/03-19:33:36.332367 12.82.164.25:4486 -> 12.82.157.216:4444
08/12/03-19:33:36.802395 12.82.168.43:1888 -> 12.82.157.216:4444
08/12/03-19:36:47.681884 12.82.156.12:4479 -> 12.82.157.216:4444
<snip>



- John
-- 
"Warning: time of day goes back, taking countermeasures."




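An added example, not part of the original message: one way to summarize alert lines in the format quoted above by how closely each source address matches the sensor's own, which is the local-versus-general split the message raises. The function names, the prefix lengths and the sample lines (constructed, using private addresses) are assumptions.

```python
import ipaddress
import re
from collections import Counter

# timestamp src:port -> dst:port, the layout of the lines quoted in the message
LINE = re.compile(r"^\S+\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample (private addresses, not taken from the message).
SAMPLE = """\
08/12/03-18:47:20.919279 10.82.167.70:1874 -> 10.82.157.216:4444
08/12/03-18:47:23.139502 10.82.157.9:1551 -> 10.82.157.216:4444
08/12/03-18:49:47.614228 10.82.163.226:4621 -> 10.82.157.216:4444
08/12/03-18:49:51.554642 10.99.1.1:3797 -> 10.82.157.216:4444
08/12/03-18:50:09.136445 10.82.163.226:4621 -> 10.82.157.216:4444
08/12/03-18:52:03.068035 172.16.5.5:1246 -> 10.82.157.216:4444
08/12/03-18:52:04.000000 10.82.1.999:1246 -> 10.82.157.216:4444
<snip>
"""

def shared_scope(src, dst, prefixes=(24, 16, 8)):
    """Narrowest prefix length in `prefixes` that holds both hosts, else None."""
    host = ipaddress.ip_address(src)          # ValueError on a bad address
    for plen in sorted(prefixes, reverse=True):
        if host in ipaddress.ip_network(f"{dst}/{plen}", strict=False):
            return plen
    return None

def summarize(lines, dport=4444):
    """Count hits per shared scope, distinct sources, and unparseable lines."""
    hits, sources, skipped = Counter(), set(), 0
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            skipped += 1                      # e.g. a "<snip>" marker
            continue
        if int(m["dport"]) != dport:          # keep only the port seen in the log
            continue
        try:
            plen = shared_scope(m["src"], m["dst"])
        except ValueError:                    # octet out of range, etc.
            skipped += 1
            continue
        hits[f"/{plen}" if plen else "other"] += 1
        sources.add(m["src"])
    return {"hits": dict(hits), "sources": len(sources), "skipped": skipped}

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```

A count dominated by the sensor's own /16 or /24 reflects where the sources sit relative to the sensor and says nothing by itself about whether an upstream filter is in place.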