So the bastards get away with it :( I got the MAC from the connection. It was to a Juniper Networks unit. Too bad there is not a MAC/owner cross reference list. Oh well, back to the grindstone.
-------------------------------------------------------------------------------------
From: ab...@blacklotus.net [mailto:ab...@blacklotus.net]
Sent: Monday, August 23, 2010 1:13 AM
To: Rick Gunderson
Subject: Re: [#78277] abuse

Our network does not allow outbound UDP from that subnet (208.64.123.0/24). I can assure you the traffic you're seeing is not originating from our AS/network.

The traffic is most certainly spoofed and designed to cause your DNS systems to DDoS my network. (See DNS reflection/amplification attack). Basically someone in control of a large botnet is sending DNS queries to various networks with spoofed source address fields to cause response traffic to target our network.

I can assure you there are no outbound DNS queries from that address, our network is blocking UDP ingress/egress from that range also.

Best regards,

On Sun, Aug 22, 2010 at 11:39 PM, Nick Olsen <n...@brevardwireless.com> wrote:

> Sure, A friend of mine wrote it, So YMMV. 2 files, Pretty simple.
>
> http://whois.141networks.com/scripts.zip
>
> Nick Olsen
> Network Operations
> (321) 205-1100 x106
>
> ------------------------------
> *From*: "Ralph" <ralphli...@bsrg.org>
> *Sent*: Sunday, August 22, 2010 10:51 PM
> *To*: "WISPA General List" <wireless@wispa.org>
> *Subject*: Re: [WISPA] strange firewall connection
>
> Works nicely.
>
> Care to share the script?
>
> Ralph
>
> Brightlan.net
>
> *From:* wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] *On Behalf Of *Nick Olsen
> *Sent:* Sunday, August 22, 2010 10:37 PM
> *To:* WISPA General List
> *Subject:* Re: [WISPA] strange firewall connection
>
> Yup, I run mine on a linux box. By default, linux whois hits Arin, Or RIPE..etc. Then if the org has a private whois server it will hit it. Where everything else just hits arin and that's it. Notice how it hits both below.
>
> Running 'whois '208.64.123.177''...
>
> [Querying whois.arin.net]
> [Redirected to rwhois.blacklotus.net:4321]
> [Querying rwhois.blacklotus.net]
>
> I have a php script that makes this web-accessible. Anyone that wants to use it is free to http://whois.141networks.com. However, That is hosted from my personal residence so be gentle. :D
>
> //me might move it to the colo here soon though..
>
> Nick Olsen
> Network Operations
> (321) 205-1100 x106
>
> ------------------------------
>
> *From*: "RickG" <rgunder...@gmail.com>
> *Sent*: Sunday, August 22, 2010 10:28 PM
> *To*: n...@brevardwireless.com, "WISPA General List" <wireless@wispa.org>
> *Subject*: Re: [WISPA] strange firewall connection
>
> *interesting. Your results a bit different. who.is says:*
>
> # Query terms are ambiguous. The query is assumed to be:
> # "n + *208.64.123.177*"
> #
> # Use "?" to get help.
> #
>
> #
> # The following results may also be obtained via:
> # http://whois.arin.net/rest/nets;q=208.64.123.177?showDetails=true&showARIN=false
> #
>
> NetRange: 208.64.120.0 - 208.64.127.255
> CIDR: 208.64.120.0/21
> OriginAS: AS32421
> NetName: NET-208-64-120-0-1
> NetHandle: NET-208-64-120-0-1
> Parent: NET-208-0-0-0-0
> NetType: Direct Allocation
> NameServer: NS1.ENTERPRISE.BLACKLOTUS.NET
> NameServer: NS2.ENTERPRISE.BLACKLOTUS.NET
> RegDate: 2005-12-22
> Updated: 2009-11-11
> Ref: http://whois.arin.net/rest/net/NET-208-64-120-0-1
>
> OrgName: Black Lotus Communications
> OrgId: BLC-92
> Address: 3419 Virginia Beach Blvd. #D5
> City: Virginia Beach
> StateProv: VA
> PostalCode: 23452
> Country: US
> RegDate: 2004-04-22
> Updated: 2009-02-12
> Comment: Please route any abuse concerns to
> Ref: http://whois.arin.net/rest/org/BLC-92
>
> ReferralServer: rwhois://rwhois.blacklotus.net:4321
>
> OrgAbuseHandle: NOC1554-ARIN
> OrgAbuseName: Network Operations Center
> OrgAbusePhone: +1-314-323-3401
> OrgAbuseEmail:
> OrgAbuseRef: http://whois.arin.net/rest/poc/NOC1554-ARIN
>
> OrgTechHandle: NOC1554-ARIN
> OrgTechName: Network Operations Center
> OrgTechPhone: +1-314-323-3401
> OrgTechEmail:
> OrgTechRef: http://whois.arin.net/rest/poc/NOC1554-ARIN
>
> OrgNOCHandle: NOC1554-ARIN
> OrgNOCName: Network Operations Center
> OrgNOCPhone: +1-314-323-3401
> OrgNOCEmail:
> OrgNOCRef: http://whois.arin.net/rest/poc/NOC1554-ARIN
>
> RAbuseHandle: NOC1554-ARIN
> RAbuseName: Network Operations Center
> RAbusePhone: +1-314-323-3401
> RAbuseEmail:
> RAbuseRef: http://whois.arin.net/rest/poc/NOC1554-ARIN
>
> RTechHandle: NOC1554-ARIN
> RTechName: Network Operations Center
> RTechPhone: +1-314-323-3401
> RTechEmail:
> RTechRef: http://whois.arin.net/rest/poc/NOC1554-ARIN
>
> RNOCHandle: NOC1554-ARIN
> RNOCName: Network Operations Center
> RNOCPhone: +1-314-323-3401
> RNOCEmail:
> RNOCRef: http://whois.arin.net/rest/poc/NOC1554-ARIN
>
> #
> # ARIN WHOIS data and services are subject to the Terms of Use
> # available at: https://www.arin.net/whois_tou.html
>
> On Sun, Aug 22, 2010 at 10:17 PM, Nick Olsen <n...@brevardwireless.com> wrote:
>
> Using my favorite whois service. One that hits blacklotus's Rwhois servers, the Org name I get back from them is "Aloli LTD"
>
> Running 'whois '208.64.123.177''...
>
> [Querying whois.arin.net]
> [Redirected to rwhois.blacklotus.net:4321]
> [Querying rwhois.blacklotus.net]
> [rwhois.blacklotus.net]
> %rwhois V-1.0,V-1.5:00090h:00 support.blacklotus.net (Ubersmith RWhois Server V-1.6.5)
> autharea=208.64.120.0/21
> xautharea=208.64.120.0/21
> network:Class-Name:network
> network:Auth-Area:208.64.120.0/21
> network:ID:NET-412.208.64.123.176/30
> network:Network-Name:SSL enabled web sites (Mitigation Critical)
> network:IP-Network:208.64.123.176/30
> network:IP-Network-Block:208.64.123.176 - 208.64.123.179
> network:Org-Name:Aloli LTD
> network:Street-Address:3321 Road Town, Drake Chambers
> network:City:Tortola
> network:State:-
> network:Postal-Code:3321
> network:Country-Code:
> network:Tech-Contact:MAINT-412.208.64.123.176/30
> network:Created:20100818161918000
> network:Updated:20100818161918000
> network:Updated-By:supp...@blacklotus.net
> network:POC-Name:Network Operations Center
> network:POC-Email:supp...@blacklotus.net
> network:POC-Phone:(323) 657-5944
> network:Tech-Name:Network Operations Center
> network:Tech-Email:supp...@blacklotus.net
> network:Tech-Phone:(323) 657-5944
> %ok
>
> Nick Olsen
> Network Operations
> (321) 205-1100 x106
>
> ------------------------------
>
> *From*: "RickG" <rgunder...@gmail.com>
> *Sent*: Sunday, August 22, 2010 9:54 PM
> *To*: "WISPA General List" <wireless@wispa.org>
> *Subject*: Re: [WISPA] strange firewall connection
>
> I just sent them an email. Gonna beat on them & their upstream.
>
> On Sun, Aug 22, 2010 at 9:41 PM, Chuck Hogg <ch...@shelbybb.com> wrote:
>
> Apparently that ip is being used to attack quite a few people. Paste your firewall rule here, it may be incorrect.
>
> On Sun, Aug 22, 2010 at 7:19 PM, RickG <rgunder...@gmail.com> wrote:
>
> I'm seeing a ton of connections coming from 208.64.123.177 (Blacklotus.net) to an IP address in my range (204.62.63.3) which is not assigned to anything. The strange thing is that when I block it, I lose DNS on my network. My RB-1000's primary DNS is set for public (4.2.2.2) and my upstream's (Time Warner - 76.85.228.101). Any thoughts?
>
> --------------------------------------------------------------------------------
> WISPA Wants You! Join today!
> http://signup.wispa.org/
> --------------------------------------------------------------------------------
>
> WISPA Wireless List: wireless@wispa.org
>
> Subscribe/Unsubscribe:
> http://lists.wispa.org/mailman/listinfo/wireless
>
> Archives: http://lists.wispa.org/pipermail/wireless/
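The two lookups in the thread differ because one client stops at ARIN's record for the /21 while the other follows the ReferralServer line to the provider's rwhois server and gets the /30 sub-allocation. The following is an added example, not the script shared in the thread: it parses that referral and the rwhois reply. The sample replies are constructed by trimming the output quoted above, and sending the bare IP as the rwhois query is an assumption.

```python
import re
import socket
from urllib.parse import urlsplit

# Constructed sample replies, trimmed from the output quoted in the thread.
ARIN_SAMPLE = """CIDR:           208.64.120.0/21
OrgName:        Black Lotus Communications
ReferralServer: rwhois://rwhois.blacklotus.net:4321
"""
RWHOIS_SAMPLE = """%rwhois V-1.0,V-1.5:00090h:00 support.blacklotus.net
network:IP-Network:208.64.123.176/30
network:Org-Name:Aloli LTD
%ok
"""

def find_referral(whois_text):
    """Return (host, port) from a ReferralServer line, or None if absent."""
    m = re.search(r"^ReferralServer:\s*(\S+)", whois_text, re.M)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if url.scheme not in ("rwhois", "whois") or not url.hostname:
        return None  # referral type this sketch does not speak
    return url.hostname, url.port or (4321 if url.scheme == "rwhois" else 43)

def parse_rwhois(text):
    """Parse 'class:Attribute:value' lines, skipping %-prefixed status lines."""
    record = {}
    for line in text.splitlines():
        if line.startswith("%") or line.count(":") < 2:
            continue
        _cls, attr, value = line.split(":", 2)
        record[attr] = value.strip()
    return record

def query(host, port, q, timeout=10):
    """Send one query line to a whois/rwhois server and return the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(q.encode() + b"\r\n")
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")

def lookup(ip, fetch=query):
    """Ask ARIN first, then the delegated server if ARIN names one."""
    first = fetch("whois.arin.net", 43, "n + " + ip)
    ref = find_referral(first)
    return parse_rwhois(fetch(ref[0], ref[1], ip)) if ref else {}
```

Passing a stub as `fetch` lets the referral logic be exercised without touching the network; the registrant it returns describes who holds the address block, not who sent a packet with that source address.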