Re: [WISPA] strange firewall connection
Ah, yes, that makes sense. Thanks!

On Mon, Aug 23, 2010 at 10:10 AM, Mike Hammett wispawirel...@ics-il.net wrote:

> The MAC address it would report would be your upstream router.
Re: [WISPA] strange firewall connection
So the bastards get away with it :( I got the mac from the connection. It was to a Juniper Networks unit. Too bad there is not a mac/owner cross reference list. Oh well, back to the grindstone.

- From: ab...@blacklotus.net [mailto:ab...@blacklotus.net]
Sent: Monday, August 23, 2010 1:13 AM
To: Rick Gunderson
Subject: Re: [#78277] abuse

Our network does not allow outbound UDP from that subnet (208.64.123.0/24). I can assure you the traffic you're seeing is not originating from our AS/network. The traffic is most certainly spoofed and designed to cause your DNS systems to DDoS my network. (See DNS reflection/amplification attack).

Basically someone in control of a large botnet is sending DNS queries to various networks with spoofed source address fields to cause response traffic to target our network. I can assure you there are no outbound DNS queries from that address, our network is blocking UDP ingress/egress from that range also.

Best regards,
Re: [WISPA] strange firewall connection
The MAC address it would report would be your upstream router.

- Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

On 8/23/2010 1:18 AM, RickG wrote:

> So the bastards get away with it :( I got the mac from the connection. It was to a Juniper Networks unit. Too bad there is not a mac/owner cross reference list. Oh well, back to the grindstone.
Re: [WISPA] strange firewall connection
Using my favorite whois service. One that hits blacklotus's Rwhois servers, the Org name I get back from them is Aloli LTD

Running 'whois '208.64.123.177''...
[Querying whois.arin.net]
[Redirected to rwhois.blacklotus.net:4321]
[Querying rwhois.blacklotus.net]
[rwhois.blacklotus.net]
%rwhois V-1.0,V-1.5:00090h:00 support.blacklotus.net (Ubersmith RWhois Server V-1.6.5)
autharea=208.64.120.0/21
xautharea=208.64.120.0/21
network:Class-Name:network
network:Auth-Area:208.64.120.0/21
network:ID:NET-412.208.64.123.176/30
network:Network-Name:SSL enabled web sites (Mitigation Critical)
network:IP-Network:208.64.123.176/30
network:IP-Network-Block:208.64.123.176 - 208.64.123.179
network:Org-Name:Aloli LTD
network:Street-Address:3321 Road Town, Drake Chambers
network:City:Tortola
network:State:-
network:Postal-Code:3321
network:Country-Code:
network:Tech-Contact:MAINT-412.208.64.123.176/30
network:Created:20100818161918000
network:Updated:20100818161918000
network:Updated-By:supp...@blacklotus.net
network:POC-Name:Network Operations Center
network:POC-Email:supp...@blacklotus.net
network:POC-Phone:(323) 657-5944
network:Tech-Name:Network Operations Center
network:Tech-Email:supp...@blacklotus.net
network:Tech-Phone:(323) 657-5944
%ok

Nick Olsen
Network Operations
(321) 205-1100 x106

From: RickG rgunder...@gmail.com
Sent: Sunday, August 22, 2010 9:54 PM
To: WISPA General List wireless@wispa.org
Subject: Re: [WISPA] strange firewall connection

I just sent them an email. Gonna beat on them their upstream.

On Sun, Aug 22, 2010 at 9:41 PM, Chuck Hogg ch...@shelbybb.com wrote:

> Apparently that ip is being used to attack quite a few people. Paste your firewall rule here, it may be incorrect.
>
> On Sun, Aug 22, 2010 at 7:19 PM, RickG rgunder...@gmail.com wrote:
>
>> I'm seeing a ton of connections coming from 208.64.123.177 (Blacklotus.net) to an IP address in my range (204.62.63.3) which is not assigned to anything. The strange thing is that when I block it, I lose DNS on my network. My RB-1000's primary DNS is set for public (4.2.2.2) and my upstream's (Time Warner - 76.85.228.101). Any thoughts?

WISPA Wants You! Join today! http://signup.wispa.org/
WISPA Wireless List: wireless@wispa.org
Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless
Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] strange firewall connection
interesting. Your results a bit different. who.is says:

# Query terms are ambiguous. The query is assumed to be:
# n + 208.64.123.177
#
# Use ? to get help.
#
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=208.64.123.177?showDetails=true&showARIN=false
#
NetRange: 208.64.120.0 - 208.64.127.255
CIDR: 208.64.120.0/21
OriginAS: AS32421
NetName: NET-208-64-120-0-1
NetHandle: NET-208-64-120-0-1
Parent: NET-208-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.ENTERPRISE.BLACKLOTUS.NET
NameServer: NS2.ENTERPRISE.BLACKLOTUS.NET
RegDate: 2005-12-22
Updated: 2009-11-11
Ref: http://whois.arin.net/rest/net/NET-208-64-120-0-1

OrgName: Black Lotus Communications
OrgId: BLC-92
Address: 3419 Virginia Beach Blvd. #D5
City: Virginia Beach
StateProv: VA
PostalCode: 23452
Country: US
RegDate: 2004-04-22
Updated: 2009-02-12
Comment: Please route any abuse concerns to
Ref: http://whois.arin.net/rest/org/BLC-92
ReferralServer: rwhois://rwhois.blacklotus.net:4321

OrgAbuseHandle: NOC1554-ARIN
OrgAbuseName: Network Operations Center
OrgAbusePhone: +1-314-323-3401
OrgAbuseEmail:
OrgAbuseRef: http://whois.arin.net/rest/poc/NOC1554-ARIN

OrgTechHandle: NOC1554-ARIN
OrgTechName: Network Operations Center
OrgTechPhone: +1-314-323-3401
OrgTechEmail:
OrgTechRef: http://whois.arin.net/rest/poc/NOC1554-ARIN

OrgNOCHandle: NOC1554-ARIN
OrgNOCName: Network Operations Center
OrgNOCPhone: +1-314-323-3401
OrgNOCEmail:
OrgNOCRef: http://whois.arin.net/rest/poc/NOC1554-ARIN

RAbuseHandle: NOC1554-ARIN
RAbuseName: Network Operations Center
RAbusePhone: +1-314-323-3401
RAbuseEmail:
RAbuseRef: http://whois.arin.net/rest/poc/NOC1554-ARIN

RTechHandle: NOC1554-ARIN
RTechName: Network Operations Center
RTechPhone: +1-314-323-3401
RTechEmail:
RTechRef: http://whois.arin.net/rest/poc/NOC1554-ARIN

RNOCHandle: NOC1554-ARIN
RNOCName: Network Operations Center
RNOCPhone: +1-314-323-3401
RNOCEmail:
RNOCRef: http://whois.arin.net/rest/poc/NOC1554-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
Re: [WISPA] strange firewall connection
Yup, I run mine on a linux box. By default, linux whois hits Arin, Or RIPE..etc. Then if the org has a private whois server it will hit it. Where everything else just hits arin and that's it. Notice how it hits both below.

Running 'whois '208.64.123.177''...
[Querying whois.arin.net]
[Redirected to rwhois.blacklotus.net:4321]
[Querying rwhois.blacklotus.net]

I have a php script that makes this web-accessible. Anyone that wants to use it is free to http://whois.141networks.com. However, That is hosted from my personal residence so be gentle. :D
//me might move it to the colo here soon though..

Nick Olsen
Network Operations
(321) 205-1100 x106
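
Added example, not from the original messages and not the PHP script mentioned in the thread: the referral behaviour described above, worked through offline in Python on trimmed excerpts of the two responses quoted in this thread. The function names are assumptions of this example; it reads the `ReferralServer` line from the ARIN record, parses the RWhois record, and reports the narrowest registered network that covers an address.

```python
import ipaddress
from urllib.parse import urlsplit

# Sample input: trimmed excerpts of the ARIN and RWhois output quoted in this thread.
ARIN_SAMPLE = """\
# The following results may also be obtained via:
NetRange: 208.64.120.0 - 208.64.127.255
CIDR: 208.64.120.0/21
OriginAS: AS32421
OrgName: Black Lotus Communications
OrgId: BLC-92
ReferralServer: rwhois://rwhois.blacklotus.net:4321
"""

RWHOIS_SAMPLE = """\
%rwhois V-1.0,V-1.5:00090h:00 support.blacklotus.net (Ubersmith RWhois Server V-1.6.5)
autharea=208.64.120.0/21
network:Class-Name:network
network:Auth-Area:208.64.120.0/21
network:ID:NET-412.208.64.123.176/30
network:IP-Network:208.64.123.176/30
network:Org-Name:Aloli LTD
network:City:Tortola
network:Country-Code:
%ok
"""


def parse_arin(text):
    """Return {field: [values]} for 'Key: value' lines; '#' lines are comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")  # split at the first colon only
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def referral_target(arin_fields):
    """Return (host, port) named by ReferralServer, or None if there is none."""
    for url in arin_fields.get("ReferralServer", []):
        parts = urlsplit(url)
        if parts.scheme in ("rwhois", "whois") and parts.hostname:
            default_port = 4321 if parts.scheme == "rwhois" else 43
            return parts.hostname, parts.port or default_port
    return None


def parse_rwhois(text):
    """Parse 'class:Attribute:Value' lines; '%' lines carry protocol status."""
    record, ok = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("%"):
            ok = ok or line.split()[0] == "%ok"
            continue
        parts = line.split(":", 2)
        if len(parts) == 3:  # skips banner lines such as 'autharea=...'
            _cls, attr, value = parts
            record[attr] = value.strip()
    return record, ok


def most_specific_owner(ip, arin_fields, rwhois_record):
    """Pick the narrowest registered network containing ip, with its source."""
    addr = ipaddress.ip_address(ip)
    candidates = []
    org = arin_fields.get("OrgName", ["?"])[0]
    for entry in arin_fields.get("CIDR", []):
        for cidr in entry.split(","):  # ARIN may list several CIDRs on one line
            candidates.append((ipaddress.ip_network(cidr.strip()), org, "arin"))
    if "IP-Network" in rwhois_record:
        # RWhois data is published by the network operator itself.
        net = ipaddress.ip_network(rwhois_record["IP-Network"])
        candidates.append((net, rwhois_record.get("Org-Name", "?"), "rwhois"))
    covering = [c for c in candidates if addr in c[0]]
    if not covering:
        return None
    net, org, source = max(covering, key=lambda c: c[0].prefixlen)
    return {"network": str(net), "org": org, "source": source}


if __name__ == "__main__":
    arin = parse_arin(ARIN_SAMPLE)
    rwhois, ok = parse_rwhois(RWHOIS_SAMPLE)
    print("referral:", referral_target(arin))
    print("rwhois ok:", ok)
    print("owner:", most_specific_owner("208.64.123.177", arin, rwhois))
```

A lookup that stops at ARIN reports only the /21 allocation, while one that follows the referral reports the /30 reassignment, which is why the two results in this thread differ. Either way the record names who holds the address, not who sent the packet; as the abuse reply in this thread points out, the source address on these DNS queries can be spoofed.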
Re: [WISPA] strange firewall connection
Works nicely. Care to share the script?

Ralph
Brightlan.net
Re: [WISPA] strange firewall connection
Sure, A friend of mine wrote it, So YMMV. 2 files, Pretty simple. http://whois.141networks.com/scripts.zip

Nick Olsen
Network Operations
(321) 205-1100 x106

From: Ralph ralphli...@bsrg.org
Sent: Sunday, August 22, 2010 10:51 PM
To: WISPA General List wireless@wispa.org
Subject: Re: [WISPA] strange firewall connection

> Works nicely. Care to share the script?