Thanks everybody, attack on its way... ;-)
I am just kidding of course, but given that you stated you worked for an
ISP before on this list, it's probably not a good idea to discuss such
topics in public on the internet, especially if it's not your own network,
as appears to be the case. Or do you own rodents and work for Open Face?
;-)
Return-Path: <[EMAIL PROTECTED]>
Received: from zbasel.fortytwo.ch (zbasel.fortytwo.ch [193.138.215.60])
by master.oc9.com (8.13.7/8.13.7) with ESMTP id l93DYcdZ022947
for <[EMAIL PROTECTED]>; Wed, 3 Oct 2007 09:34:53 -0400
Received: from zbasel.fortytwo.ch (localhost [127.0.0.1])
by zbasel.fortytwo.ch (Postfix) with ESMTP id C214D6A78;
Wed, 3 Oct 2007 15:34:35 +0200 (CEST)
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from Sparkle.Rodents.Montreal.QC.CA (sparkle.rodents.montreal.qc.ca
[216.46.5.7]) by zbasel.fortytwo.ch (Postfix) with ESMTP id A4721518B
for <[email protected]>; Wed, 3 Oct 2007 15:34:28 +0200 (CEST)
Openface Inc. OPENFACE-CA (NET-216-46-0-0-1)
216.46.0.0 - 216.46.31.255
The Rodents' Nest RODENTS-BLK2 (NET-216-46-5-0-1)
216.46.5.0 - 216.46.5.15
StateProv: Quebec
PostalCode: H2W 1T2
Country: CA
NetRange: 216.46.5.0 - 216.46.5.15
CIDR: 216.46.5.0/28
NetName: RODENTS-BLK2
NetHandle: NET-216-46-5-0-1
Parent: NET-216-46-0-0-1
NetType: Reassigned
Comment:
RegDate: 1998-10-06
Updated: 1998-10-06
RTechHandle: MOUSE-ARIN
RTechName: Parker, Mike
RTechPhone: +1-514-847-3685
RTechEmail: [EMAIL PROTECTED]
OrgTechHandle: MOUSE-ARIN
OrgTechName: Parker, Mike
OrgTechPhone: +1-514-847-3685
OrgTechEmail: [EMAIL PROTECTED]
OrgName: Openface Inc.
OrgID: OPFA
Address: 3445 av du Parc
City: Montreal
StateProv: QC
PostalCode: H2X-2H6
Country: CA
NetRange: 216.46.0.0 - 216.46.31.255
CIDR: 216.46.0.0/19
NetName: OPENFACE-CA
NetHandle: NET-216-46-0-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.OPENFACE.CA
NameServer: NS2.OPENFACE.CA
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1998-08-13
Updated: 2002-02-12
RTechHandle: HM157-ARIN
RTechName: Hostmaster
RTechPhone: +1-514-281-8585
RTechEmail: [EMAIL PROTECTED]
OrgAbuseHandle: NETWO446-ARIN
OrgAbuseName: Network Abuse
OrgAbusePhone: +1-514-281-8585
OrgAbuseEmail: [EMAIL PROTECTED]
OrgNOCHandle: NOC1454-ARIN
OrgNOCName: Network Operations Centre
OrgNOCPhone: +1-514-281-8585
OrgNOCEmail: [EMAIL PROTECTED]
OrgTechHandle: NETWO445-ARIN
OrgTechName: Network Support
OrgTechPhone: +1-514-281-8585
OrgTechEmail: [EMAIL PROTECTED]
traceroute 216.46.5.7
traceroute to 216.46.5.7 (216.46.5.7), 30 hops max, 38 byte packets
ms 25.929 ms
9 t7-4.mpd01.ymq02.atlas.cogentco.com (154.54.7.58) 32.909 ms 33.134 ms 34.180 ms
10 openface-internet.demarc.cogentco.com (38.104.154.42) 33.169 ms 33.758 ms 34.124 ms
11 ve-9.core-03.openface.ca (216.46.0.17) 23.316 ms 24.306 ms 23.652 ms
12 Stone.Rodents.Montreal.QC.CA (216.46.14.122) 35.237 ms 34.157 ms 35.063 ms
13 Sparkle.Rodents.Montreal.QC.CA (216.46.5.7) 35.279 ms 34.191 ms 34.507 ms
traceroute mail.Rodents.Montreal.QC.CA
traceroute to mail.Rodents.Montreal.QC.CA (216.46.5.1), 30 hops max, 38 byte packets
ms 34.964 ms
10 openface-internet.demarc.cogentco.com (38.104.154.42) 46.406 ms 33.296 ms 49.170 ms
11 ve-9.core-03.openface.ca (216.46.0.17) 26.247 ms 24.697 ms 25.506 ms
12 Stone.Rodents.Montreal.QC.CA (216.46.14.122) 36.998 ms 36.252 ms 33.134 ms
13 Truly-Delicious.Rodents.Montreal.QC.CA (216.46.5.1) 34.722 ms 36.234 ms 37.068 ms
traceroute ftp.Rodents.Montreal.QC.CA
traceroute to Sparkle.Rodents.Montreal.QC.CA (216.46.5.7), 30 hops max, 38 byte packets
9 t7-4.mpd01.ymq02.atlas.cogentco.com (154.54.7.58) 42.570 ms 32.646 ms 45.385 ms
10 openface-internet.demarc.cogentco.com (38.104.154.42) 32.673 ms 33.148 ms 32.747 ms
11 ve-9.core-03.openface.ca (216.46.0.17) 23.999 ms 24.350 ms 24.691 ms
12 Stone.Rodents.Montreal.QC.CA (216.46.14.122) 33.584 ms 35.905 ms 34.856 ms
13 Sparkle.Rodents.Montreal.QC.CA (216.46.5.7) 34.997 ms 37.777 ms 35.744 ms
traceroute ntp.Rodents.Montreal.QC.CA
traceroute: Warning: ntp.Rodents.Montreal.QC.CA has multiple addresses; using 216.46.5.9
traceroute to Stone.Rodents.Montreal.QC.CA (216.46.5.9), 30 hops max, 38 byte packets
ms 24.898 ms
8 t3-3.mpd01.bos01.atlas.cogentco.com (154.54.5.22) 24.715 ms 25.185 ms 24.668 ms
9 t7-4.mpd01.ymq02.atlas.cogentco.com (154.54.7.58) 32.974 ms 33.158 ms 34.851 ms
10 openface-internet.demarc.cogentco.com (38.104.154.42) 32.605 ms 33.566 ms 34.209 ms
11 ve-9.core-03.openface.ca (216.46.0.17) 23.154 ms 26.511 ms 24.041 ms
12 Stone.Rodents.Montreal.QC.CA (216.46.5.9) 36.912 ms 35.719 ms 36.120 ms
nslookup ntp.Rodents.Montreal.QC.CA
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
ntp.Rodents.Montreal.QC.CA canonical name = Stone.Rodents.Montreal.QC.CA.
Name: Stone.Rodents.Montreal.QC.CA
Address: 216.46.14.122
Name: Stone.Rodents.Montreal.QC.CA
Address: 216.46.5.9
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; operated by VeriSign, Inc.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
;
; operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
; operated by ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
;
; operated by WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File
>>> NetBIOS is UDP-based, and therefore trivial to spoof. I wonder how
>>> long it takes before someone tricks you into blackholing your DNS
>>> server or default gateway?
>> Neither of your examples makes sense anyway, since my DNS server is
>> on the house LAN and therefore already blocked anyway - [...] - and
>> blocking my default gateway's address would affect nothing but
>> traffic *from* the gateway machine; it wouldn't touch traffic
>> *through* it.
> If you run similar filtering on your DNS box, it seems possible to
> send packets purporting to be from one of the root DNS servers.
(Well, I don't run filtering *on* the DNS machine, but it is behind the
filtering done by my border router.) Yes, it is. It may even have
happened. It's possible that the automated code has been tricked into
listing one or more of the root servers. If so, I haven't noticed, so
it hasn't been a practical problem; if it turns into one, I may have to
take some kind of action, such as adding them to the auto-delist test.
> Filtering these packets seems a little over the top---if your network
> is immune why not just ignore them?
(a) belt-and-suspenders; (b) it keeps a significant amount of clutter
out of my logs. (I know the latter because I have a dialup backup
netlink, and the machine it's on gets a good deal of clutter in its
logs because that netlink is not behind the auto-blocking. The best
example at the moment is whatever ssh-attacking malware is sending
malformed disconnect messages; it never touches anything behind the
auto-blocks. Oh, come to think of it, (c) it keeps the attacks from
wasting resources while they fail, such as ssh connections doing kex
eating cpu cycles.)
I'm not so deluded as to think that the setup I now have would
withstand a serious targeted attack by someone competent. It's
intended to keep the doorknob-twisters from thinking there's anything
worth their while. (There isn't, but they can be somewhat annoying
while they hammer on me looking for something that isn't there.)
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTECTED]
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
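The auto-blackholing discussed in the quoted thread can be turned against its owner by spoofed UDP probes. As an added example (not code from the list or from either participant), here is a guard for such a blocker: it never blocks the root servers parsed from the hints pasted above, the resolver or the gateway, and it refuses to act on UDP-only evidence at all, since a completed TCP handshake is the only cheap proof that a source address is genuine. The LAN and gateway addresses and the decision policy itself are assumptions.

```python
"""Guard an auto-blackholing rule against spoofed-source abuse.
Added example; the ROOT_HINTS sample is a constructed excerpt of the
root hints in the message, NEVER_BLOCK and the policy are assumptions."""
import ipaddress

# Constructed excerpt of the root hints file (two A records, with comments).
ROOT_HINTS = """\
.                    3600000  IN  NS  A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.  3600000      A   198.41.0.4
;
; formerly NS1.ISI.EDU
;
.                    3600000      NS  B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.  3600000      A   192.228.79.201
"""

def root_server_addresses(hints_text):
    """Collect the A-record addresses from a root hints file, ignoring ';' comments."""
    addrs = set()
    for line in hints_text.splitlines():
        fields = line.split(";", 1)[0].split()   # strip comment, split on whitespace
        if len(fields) >= 4 and fields[-2] == "A":
            addrs.add(ipaddress.ip_address(fields[-1]))
    return addrs

# Assumed local infrastructure (RFC 5737 documentation ranges as placeholders):
NEVER_BLOCK = {
    ipaddress.ip_network("192.0.2.0/24"),     # house LAN, where the resolver lives
    ipaddress.ip_network("198.51.100.1/32"),  # default gateway
}

def should_block(src, proto, handshake_completed, hints_text=ROOT_HINTS):
    """Decide whether a probe from src justifies an automatic blackhole.
    Returns (decision, reason) so the log explains every refusal."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in NEVER_BLOCK):
        return False, "infrastructure address on the never-block list"
    if ip in root_server_addresses(hints_text):
        return False, "root name server: blocking it would break resolution"
    if proto != "tcp" or not handshake_completed:
        # UDP (NetBIOS etc.) and half-open SYNs carry no proof the source is real.
        return False, "unverified source: datagram or unanswered SYN can be spoofed"
    return True, "completed TCP handshake: source address verified"
```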
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers