[Dshield] Re:What is your isp doing

Glenn Jarvis gaj at sympatico.ca
Fri Apr 9 12:56:17 GMT 2004


>
>
>I recently have been receiving certain incoming probes from my ISP, or what
>I think is my ISP, RoadRunner.
>
>Can anyone help me understand this?
>
>Thanks.
>
>
>Steve
>
>
>Here is a sample in case the .txt file doesn’t go through.
>
>
>
>Date        Time      Dir  Rem IP Addr     Remote Name                     R Port  Lcl IP Addr  L Port
>2004/04/09  00:28:13  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1863    24.161.228.  80
>2004/04/09  00:28:13  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1852    24.161.228.  1025
>2004/04/09  00:28:13  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1857    24.161.228.  3127
>2004/04/09  00:28:13  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1858    24.161.228.  6129
>2004/04/09  00:28:13  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1850    24.161.228.  2745
>2004/04/09  00:28:07  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1863    24.161.228.  80
>2004/04/09  00:28:07  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1852    24.161.228.  1025
>2004/04/09  00:28:07  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1857    24.161.228.  3127
>2004/04/09  00:28:07  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1858    24.161.228.  6129
>2004/04/09  00:28:07  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1850    24.161.228.  2745
>2004/04/09  00:28:04  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1863    24.161.228.  80
>2004/04/09  00:28:04  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1858    24.161.228.  6129
>2004/04/09  00:28:04  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1857    24.161.228.  3127
>2004/04/09  00:28:04  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1852    24.161.228.  1025
>2004/04/09  00:28:04  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1850    24.161.228.  2745
>

I'm no expert, but I have dealt with this quite a bit lately. I receive 
the same thing from various addresses within my ISP's block and once I 
asked them about it, I understood (if they were being accurate and I 
can't see why not)...
From what I have been told, they are other rr.com customers who are 
infected. All I do now is see if I get over a certain amount from the 
same address, then forward the log information to them. They then check 
their end, find out who the customer is, and then notify the customer to 
clean up their system. So far, my ISP has been grateful for the reports I 
have sent them (I usually send it off to them if the originator reaches 
over 50 entries or so, that way I'm not flooding them with reports).
Anyway, that is my understanding of it, although I'm sure the experts in 
here will probably be much more detailed than I am.

HTH
Glenn
(excuse the typos, I'm still on my 1st morning cup of wakeup)
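
The triage described in the reply (count entries per source address and report a source once it passes about 50), as an added example that is not part of the original message. It parses the wrapped, `>`-quoted log layout shown above; the function names, the reading of Dir `I` as inbound, and the strict "more than 50" threshold are assumptions.

```python
import re
from collections import defaultdict

# Sample records taken from the quoted log, kept in its wrapped, ">"-quoted
# layout. The local address is truncated on the page and is left as-is.
SAMPLE = """\
>2004/04/09  00:28:13  I  24.210.214.179
>dhcp024-210-214-179.woh.rr.com  1863  24.161.228.  80
>2004/04/09  00:28:13  I  24.210.214.179
>dhcp024-210-214-179.woh.rr.com  1852  24.161.228.  1025
>2004/04/09  00:28:04  I  24.210.214.179
>dhcp024-210-214-179.woh.rr.com  1857  24.161.228.  3127
>2004/04/09  00:28:04  I  24.210.214.179
>dhcp024-210-214-179.woh.rr.com  1850  24.161.228.  2745
"""

RECORD = re.compile(
    r"(?P<date>\d{4}/\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<dir>\S)\s+"
    r"(?P<rem_ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<name>\S+)\s+(?P<rport>\d+)\s+"
    r"(?P<lcl_ip>\S+)\s+(?P<lport>\d+)")

def parse(text):
    """Yield one dict per record, tolerating '>' quoting and wrapped lines."""
    flat = " ".join(line.lstrip("> ").strip() for line in text.splitlines())
    for m in RECORD.finditer(flat):
        yield m.groupdict()

def summarize(text):
    """Per remote address: inbound entry count, local ports hit, first/last seen."""
    stats = defaultdict(lambda: {"count": 0, "ports": set(), "first": None, "last": None})
    for r in parse(text):
        if r["dir"] != "I":          # assumption: "I" marks inbound traffic
            continue
        s, stamp = stats[r["rem_ip"]], f'{r["date"]} {r["time"]}'
        s["count"] += 1
        s["ports"].add(int(r["lport"]))
        s["first"] = min(s["first"] or stamp, stamp)
        s["last"] = max(s["last"] or stamp, stamp)
    return dict(stats)

def reportable(text, threshold=50):
    """Sources with more than `threshold` inbound entries, busiest first."""
    hits = [(ip, s) for ip, s in summarize(text).items() if s["count"] > threshold]
    return sorted(hits, key=lambda kv: -kv[1]["count"])

if __name__ == "__main__":
    for ip, s in reportable(SAMPLE, threshold=3):
        print(ip, s["count"], sorted(s["ports"]), s["first"], s["last"])
```

The per-source summary (address, entry count, ports, first and last timestamp) is the information an ISP abuse desk needs to match the address to a customer lease.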



