[Dshield] *.blue.aol.com

Laura Vance vancel at winfreeacademy.com
Thu Oct 28 14:30:41 GMT 2004

There are several people on the network using AIM, but the strange thing 
was that after I examined all of the daily reports emailed from DShield, 
I saw that it only happened on the 20th, 21st, and 22nd.  I'm also guessing 
that since I don't send hostnames in on my reports that DShield does a 
DNS lookup on the IP addresses, so at that point DNS spoofing is not a 
concern.  The thing that's weird is that it seemed to be 3 entire class 
C networks that were participating in this port scan.

The IP ranges were: (for simplicity patterns below are perl regex style)
152.163.208.* (wads-r\d\dc.blue.aol.com)
205.188.165.* (wads-d\d\db.blue.aol.com)
64.12.174.* (wads-m\d\d[ca].blue.aol.com)

They were all doing port scans, so there wasn't a focused attack on a 
specific port.

Johannes B. Ullrich wrote:

>Are you using AOL instant messenger? Or maybe a dynamic IP address?
>I think *.blue.aol.com are the AOL IM servers.
>On Tue, 2004-10-26 at 19:48, Laura Vance wrote:
>>For the past couple of weeks, every few days I get a bombardment of 
>>packets submitted to DShield from *.blue.aol.com.
>>On the 22nd, the number of packets total was 45688, when my typical 
>>submission is about 3000 packets.
>>Has anyone else seen traffic like this from that network?

Laura Vance
Systems Engineer
Winfree Academy Charter Schools
6221 Riverside Dr. Suite 110
Irving, Tx  75039
Web: www.winfreeacademy.com
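
Added example, not part of the original post or of DShield's tooling: one way to check the two observations above (whole /24s taking part, no single targeted port) against firewall records, and to confirm each source's reverse name fits the pattern quoted for its range. The record layout, the sample data and the 80% "focused" threshold are assumptions made for this sketch.

```python
import re
from collections import Counter, defaultdict

# /24 prefixes and PTR patterns taken from the post; dots are escaped and
# fullmatch() is used so "." cannot stand in for an arbitrary character.
RANGES = {
    "152.163.208": re.compile(r"wads-r\d\dc\.blue\.aol\.com"),
    "205.188.165": re.compile(r"wads-d\d\db\.blue\.aol\.com"),
    "64.12.174": re.compile(r"wads-m\d\d[ca]\.blue\.aol\.com"),
}
FOCUS_SHARE = 0.8  # assumption: >= 80% of packets on one port counts as "focused"

# Constructed sample records: (source IP, PTR name, destination port).
SAMPLE = [
    ("152.163.208.11", "wads-r01c.blue.aol.com", 1025), ("152.163.208.11", "wads-r01c.blue.aol.com", 1433),
    ("152.163.208.42", "wads-r12c.blue.aol.com", 3127), ("152.163.208.97", "wads-r30c.blue.aol.com", 4662),
    ("205.188.165.20", "wads-d05b.blue.aol.com", 445), ("205.188.165.20", "wads-d05b.blue.aol.com", 445),
    ("205.188.165.21", "wads-d06b.blue.aol.com", 445), ("64.12.174.9", "wads-m07a.blue.aol.com", 2201),
    ("64.12.174.10", "unrelated.example.net", 2202), ("192.0.2.5", "host.example.org", 80),
]

def summarize(records, focus_share=FOCUS_SHARE):
    """Per listed /24: source count, port spread, and sources whose PTR does not fit."""
    ports = defaultdict(Counter)
    sources = defaultdict(set)
    mismatched = defaultdict(set)
    for ip, ptr, dport in records:
        prefix = ip.rsplit(".", 1)[0]
        if prefix not in RANGES:
            continue  # not one of the three networks named in the post
        ports[prefix][dport] += 1
        sources[prefix].add(ip)
        if not RANGES[prefix].fullmatch(ptr.lower().rstrip(".")):
            mismatched[prefix].add(ip)
    report = {}
    for prefix, counter in ports.items():
        packets = sum(counter.values())
        top_share = counter.most_common(1)[0][1] / packets
        report[prefix] = {
            "sources": len(sources[prefix]),
            "packets": packets,
            "distinct_ports": len(counter),
            "pattern": "focused" if top_share >= focus_share else "spread",
            "ptr_mismatch": sorted(mismatched[prefix]),
        }
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE))
```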
