[Dshield] Re: [PERFORMANCE MONITORING INFO]

Henry Hertz Hobbit hhhobbit at comcast.net
Tue Jan 4 17:37:33 GMT 2005


On Tue, 2005-01-04 at 08:48, Internap Research Role Account wrote:
> Site Administrator:
> 
> In an effort to improve Internet performance for our
> customers, Internap conducts performance measurements
> to selected destinations. These destinations are selected
> based on our customers' Internet traffic profiles; if
> destinations on your network have been selected,
> customers of ours are exchanging significant amounts of
> traffic with these destinations. Our efforts are intended
> to benefit both parties.

Message received.

Since my WAN IP address is not mine, but belongs to Comcast,
take it up with them.  I am only responsible for what happens
after the demarcation point and for my own internal network.
I would be amazed if you got anything back with traceroute
type packets though.  I can't get anything to go anywhere
with traceroute.  Comcast or somebody else usually blocks
it.  I suspect it is Comcast since it doesn't even make it
any further than out my WAN port.  It would be ESPECIALLY
useful to have traceroute on some occasions. My WAN address
is in Comcast's 67.161.217.X subnet.

Your response still doesn't answer these entries which do
NOT belong to you which have the same pattern.  There are
others that don't belong to you. I just picked the ones
that occurred when I did NOT have any of my machines
connected to the Internet.  Here are those that I originally
gave to DShield:

LOG FORMAT:     
=========== 
Log values are: 
Date
        protocol     src IP:port     dst port     rule

LOG VALUES:     
=========== 
Dec/31/2004 12:05:01
        UDP     216.52.31.18:10276      33438   Default
Dec/31/2004 12:05:01
        UDP     216.52.31.18:10276      33438   Default
Dec/31/2004 12:05:06
        UDP     216.52.31.18:10276      33438   Default
Dec/31/2004 12:05:11
        UDP     216.52.31.18:10276      33438   Default
Dec/31/2004 12:05:15
        UDP     216.52.31.18:10276      33438   Default
Dec/31/2004 12:05:19
        UDP     216.52.31.18:10276      33438   Default
Dec/31/2004 12:05:24
        UDP     216.52.31.18:10276      33438   Default

You will notice that they are NOT using the default
traceroute port of 33434.  This particular one also
does NOT have a PTR record.

It is interesting that Comcast is having you do this,
but isn't doing anything about stopping some of the
ports that I have identified as something that should
not be passed all over the place (like ports 135-139,
445, 1433-1434, 2745, and 1433-1434).  Until somebody
can give me legitimate reasons for why they should
allow these ports through, they should be closed.  I can
understand some of them (135, 136 for example), and if
people can give me a rational explanation for allowing
the others I will listen.

I have packets on ALL of these ports hitting me with many
coming from outside of Comcast's net.  If they want to
improve their performance, tell them to just drop the
worm ports like hot potatoes on all network devices that
can handle it.  This is not very practical though.  I
have identified 4899, 1026, 1027, 2745, 6129, 1025,
1434, 80 (I have never had a web server providing
external service), 1433, 9898, and 5000 as being the
primary ports in order of frequency used to head
unsolicited packets my way.  The problem is that you
can't close some of those ports without making a lot of
mad customers.  What is amazing to me is that ports 1433
and 1434 have such a high amount of activity. I can only
conclude there are machines out there that are unpatched
that are affected by the Slammer worm or something
similar!  Even more amazing was somebody who has a
direct attachment on Comcast who had their PC sending
out the PCAnywhere broadcast packets!  THEY MUST BE NUTS!
Talk about turn the other cheek.  Shall I slap it? My
answer is of course, NO.

I also occasionally get thousands of UDP Gate Crasher
packets per second (always port 6970) from a single IP.
They never come from the same IP address twice, and the
IP address never has a PTR record.  It is NOT a worm,
... at least I don't think so.  Since they don't have
a PTR record, that should clue you in that they are NOT
coming from Comcast's address space.

You will notice that I said nothing at all about ports
1214, 6346, 6347,  That isn't Comcast's responsibility.
It is MY responsibility, and my firewall WILL drop them
like a hot potato going ANY direction.  I don't want
to have anything to do with the next Internet UDP
storm, and all of those machines running P2P programs
are prime candidates to bring down ALL of the root
DNS servers.

HHH

PS  Please forward this on to Comcast.  They keep
thinking in some sort of old framework of people
hacking in.  The number one security threat now are
Internet worms and viruses that are net enabled and
aware, not somebody hacking in.  Hacking in is passe.
Why hack in when you can have Trojans, Worms, and
Spies do all of it for you without any trace back
to you?

PPS  DShield, just summarize this since it is too
long for everybody.  They just need to know that
this is probably what is going on.






More information about the list mailing list