[Dshield] Road Runner scan

Jon R. Kibler Jon.Kibler at aset.com
Wed Mar 19 21:52:41 GMT 2003


Paul Marsh wrote:
> 
> If I remember correctly a few weeks ago there was a post regarding Road Runner scanning networks.  I was just reviewing logs and found this.  24.30.199.228 resolves to securityscan.sec.rr.com.  Is this the same scan others are seeing?
> 
> 03/19/2003 12:15:08.944 TCP connection dropped 24.30.199.228, 2049, WAN xxx.xxx.xxx.xxx, 81, LAN Type: 81 21
> 03/19/2003 12:16:13.384 TCP connection dropped 24.30.199.228, 2049, WAN xxx.xxx.xxx.xxx, 1080, LAN 'Socks' 21
> 03/19/2003 12:17:17.864 TCP connection dropped 24.30.199.228, 2049, WAN xxx.xxx.xxx.xxx, 1180, LAN Type: 118 21
> 03/19/2003 12:18:22.240 TCP connection dropped 24.30.199.228, 2049, WAN xxx.xxx.xxx.xxx, 3128, LAN Type: 312 21
> 03/19/2003 12:19:26.608 TCP connection dropped 24.30.199.228, 2049, WAN xxx.xxx.xxx.xxx, 4480, LAN Type: 448 21
> 03/19/2003 12:20:30.944 TCP connection dropped 24.30.199.228, 2049, WAN xxx.xxx.xxx.xxx, 6588, LAN Type: 658 21
> 03/19/2003 12:21:35.432 TCP connection dropped 24.30.199.228, 2049, WAN xxx.xxx.xxx.xxx, 8000, LAN Type: 800 21
> 03/19/2003 12:22:39.784 TCP connection dropped 24.30.199.228, 2049, WAN xxx.xxx.xxx.xxx, 8080, LAN Type: 808 21
> 03/19/2003 12:23:44.288 TCP connection dropped 24.30.199.228, 2049, WAN xxx.xxx.xxx.xxx, 8081, LAN Type: 808 21

Each one of these ports is a common proxy server port.

Are you a Road Runner customer? If you are, then the scans are easily justified.

If you are not a Road Runner customer, then have you sent mail to RR or had other contact with any of their systems? If the answer is "no", then you need to contact them and find out why you were scanned (INSIST UPON AN ANSWER _AND_ JUSTIFICATION!). If they cannot justify scanning non-customers, you may be able to file a complaint against RR for their activities.

I have real mixed feelings on this topic. I think that an ISP has a responsibility to monitor their customers for potential violations of the ISP's AUP -- and MANY RR (and other cable/DSL) systems exist only for the purpose of running proxy servers for use by spammers. I also think that you should have the right to ensure that anyone trying to connect to your systems is secure. But I do NOT think that it is OK to scan users for open proxy servers, open mail relays, or other insecure services just on a whim.

My $0.02 worth.

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA


> 
> Thanx, Paul
> 


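Added example, not part of the original thread: a small Python check that groups dropped-connection log lines by source and flags any source that probes several of the proxy ports listed in the quoted log within a short window. The field order in the regex is an assumption read off the quoted lines, the addresses are constructed documentation-range values, and `min_ports` and `window` are illustrative thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Destination ports from the quoted log, described in the reply as common proxy ports.
PROXY_PORTS = {81, 1080, 1180, 3128, 4480, 6588, 8000, 8080, 8081}

# Assumed field order: timestamp, message, src IP, src port, iface + dst IP, dst port.
LINE_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) TCP connection dropped "
    r"(?P<src>[\d.]+), (?P<sport>\d+), \w+ (?P<dst>[^,\s]+), (?P<dport>\d+),"
)

# Constructed sample lines in the same layout (not taken from the thread).
SAMPLE = """\
03/19/2003 12:16:13.384 TCP connection dropped 192.0.2.10, 2049, WAN 203.0.113.5, 1080, LAN 'Socks' 21
03/19/2003 12:18:22.240 TCP connection dropped 192.0.2.10, 2049, WAN 203.0.113.5, 3128, LAN Type: 312 21
03/19/2003 12:20:30.944 TCP connection dropped 192.0.2.10, 2049, WAN 203.0.113.5, 6588, LAN Type: 658 21
03/19/2003 12:22:39.784 TCP connection dropped 192.0.2.10, 2049, WAN 203.0.113.5, 8080, LAN Type: 808 21
03/19/2003 12:25:00.000 TCP connection dropped 198.51.100.7, 4312, WAN 203.0.113.5, 8080, LAN Type: 808 21
03/19/2003 12:25:01.000 TCP connection dropped 198.51.100.7, 4313, WAN 203.0.113.5, 443, LAN 'HTTPS' 21
""".splitlines()

def parse(line):
    """Return (timestamp, src_ip, dst_port), or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f")
    return ts, m["src"], int(m["dport"])

def proxy_sweeps(lines, min_ports=4, window=timedelta(minutes=15)):
    """Map source IP -> proxy ports probed, for sources hitting >= min_ports within window."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        ts, src, dport = rec
        if dport in PROXY_PORTS:
            hits[src].append((ts, dport))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[src] = sorted(set(flagged.get(src, [])) | ports)
    return flagged
```

A source that touches a single proxy port, like the second constructed address, stays below the threshold and is not reported.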
