The MAC address it would report would be your upstream router.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
On 8/23/2010 1:18 AM, RickG wrote:
So the bastards get away with it :(
I got the MAC from the connection. It was to a Juniper Networks unit.
Too bad there is not a MAC/owner cross reference list.
Oh well, back to the grindstone.
-------------------------------------------------------------------------------------
From: ab...@blacklotus.net
Sent: Monday, August 23, 2010 1:13 AM
To: Rick Gunderson
Subject: Re: [#78277] abuse
Our network does not allow outbound UDP from that subnet (208.64.123.0/24). I can assure you the traffic you're seeing is not originating from our AS/network.
The traffic is most certainly spoofed and designed to cause your DNS systems to DDoS my network. (See DNS reflection/amplification attack).
Basically someone in control of a large botnet is sending DNS queries to various networks with spoofed source address fields to cause response traffic to target our network.
I can assure you there are no outbound DNS queries from that address, our network is blocking UDP ingress/egress from that range also.
Best regards,
On Sun, Aug 22, 2010 at 11:39 PM, Nick Olsen <n...@brevardwireless.com> wrote:
Sure, a friend of mine wrote it, so YMMV. 2 files, pretty simple.
http://whois.141networks.com/scripts.zip
Nick Olsen
Network Operations
(321) 205-1100 x106
------------------------------------------------------------------------
*From*: "Ralph" <ralphli...@bsrg.org>
*Sent*: Sunday, August 22, 2010 10:51 PM
*To*: "WISPA General List" <wireless@wispa.org>
*Subject*: Re: [WISPA] strange firewall connection
Works nicely.
Care to share the script?
Ralph
Brightlan.net
*From:* wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] *On Behalf Of* Nick Olsen
*Sent:* Sunday, August 22, 2010 10:37 PM
*To:* WISPA General List
*Subject:* Re: [WISPA] strange firewall connection
Yup, I run mine on a Linux box. By default, Linux whois hits ARIN, or RIPE, etc. Then if the org has a private whois server it will hit it. Where everything else just hits ARIN and that's it. Notice how it hits both below.
Running 'whois '208.64.123.177''...
[Querying whois.arin.net]
[Redirected to rwhois.blacklotus.net:4321]
[Querying rwhois.blacklotus.net]
I have a PHP script that makes this web-accessible. Anyone that wants to use it is free to: http://whois.141networks.com. However, that is hosted from my personal residence so be gentle. :D
//me might move it to the colo here soon though..
Nick Olsen
Network Operations
(321) 205-1100 x106
------------------------------------------------------------------------
*From*: "RickG" <rgunder...@gmail.com>
*Sent*: Sunday, August 22, 2010 10:28 PM
*To*: n...@brevardwireless.com, "WISPA General List" <wireless@wispa.org>
*Subject*: Re: [WISPA] strange firewall connection
Interesting. Your results are a bit different. who.is says:
# Query terms are ambiguous. The query is assumed to be:
# "n + *208.64.123.177*"
#
# Use "?" to get help.
#
#
# The following results may also be obtained via:
#
# http://whois.arin.net/rest/nets;q=208.64.123.177?showDetails=true&showARIN=false
#
NetRange: 208.64.120.0 - 208.64.127.255
CIDR: 208.64.120.0/21
OriginAS: AS32421
NetName: NET-208-64-120-0-1
NetHandle: NET-208-64-120-0-1
Parent: NET-208-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.ENTERPRISE.BLACKLOTUS.NET
NameServer: NS2.ENTERPRISE.BLACKLOTUS.NET
RegDate: 2005-12-22
Updated: 2009-11-11
Ref: http://whois.arin.net/rest/net/NET-208-64-120-0-1
OrgName: Black Lotus Communications
OrgId: BLC-92
Address: 3419 Virginia Beach Blvd. #D5
City: Virginia Beach
StateProv: VA
PostalCode: 23452
Country: US
RegDate: 2004-04-22
Updated: 2009-02-12
Comment: Please route any abuse concerns to
Ref: http://whois.arin.net/rest/org/BLC-92
ReferralServer: rwhois://rwhois.blacklotus.net:4321
OrgAbuseHandle: NOC1554-ARIN
OrgAbuseName: Network Operations Center
OrgAbusePhone: +1-314-323-3401
OrgAbuseEmail:
OrgAbuseRef: http://whois.arin.net/rest/poc/NOC1554-ARIN
OrgTechHandle: NOC1554-ARIN
OrgTechName: Network Operations Center
OrgTechPhone: +1-314-323-3401
OrgTechEmail:
OrgTechRef: http://whois.arin.net/rest/poc/NOC1554-ARIN
OrgNOCHandle: NOC1554-ARIN
OrgNOCName: Network Operations Center
OrgNOCPhone: +1-314-323-3401
OrgNOCEmail:
OrgNOCRef: http://whois.arin.net/rest/poc/NOC1554-ARIN
RAbuseHandle: NOC1554-ARIN
RAbuseName: Network Operations Center
RAbusePhone: +1-314-323-3401
RAbuseEmail:
RAbuseRef: http://whois.arin.net/rest/poc/NOC1554-ARIN
RTechHandle: NOC1554-ARIN
RTechName: Network Operations Center
RTechPhone: +1-314-323-3401
RTechEmail:
RTechRef: http://whois.arin.net/rest/poc/NOC1554-ARIN
RNOCHandle: NOC1554-ARIN
RNOCName: Network Operations Center
RNOCPhone: +1-314-323-3401
RNOCEmail:
RNOCRef: http://whois.arin.net/rest/poc/NOC1554-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
On Sun, Aug 22, 2010 at 10:17 PM, Nick Olsen <n...@brevardwireless.com> wrote:
Using my favorite whois service. One that hits blacklotus's Rwhois servers, the Org name I get back from them is "Aloli LTD"
Running 'whois '208.64.123.177''...
[Querying whois.arin.net]
[Redirected to rwhois.blacklotus.net:4321]
[Querying rwhois.blacklotus.net]
[rwhois.blacklotus.net]
%rwhois V-1.0,V-1.5:00090h:00 support.blacklotus.net (Ubersmith RWhois Server V-1.6.5)
autharea=208.64.120.0/21
xautharea=208.64.120.0/21
network:Class-Name:network
network:Auth-Area:208.64.120.0/21
network:ID:NET-412.208.64.123.176/30
network:Network-Name:SSL enabled web sites (Mitigation Critical)
network:IP-Network:208.64.123.176/30
network:IP-Network-Block:208.64.123.176 - 208.64.123.179
network:Org-Name:Aloli LTD
network:Street-Address:3321 Road Town, Drake Chambers
network:City:Tortola
network:State:-
network:Postal-Code:3321
network:Country-Code:
network:Tech-Contact:MAINT-412.208.64.123.176/30
network:Created:20100818161918000
network:Updated:20100818161918000
network:Updated-By:supp...@blacklotus.net
network:POC-Name:Network Operations Center
network:POC-Email:supp...@blacklotus.net
network:POC-Phone:(323) 657-5944
network:Tech-Name:Network Operations Center
network:Tech-Email:supp...@blacklotus.net
network:Tech-Phone:(323) 657-5944
%ok
Nick Olsen
Network Operations
(321) 205-1100 x106
------------------------------------------------------------------------
*From*: "RickG" <rgunder...@gmail.com>
*Sent*: Sunday, August 22, 2010 9:54 PM
*To*: "WISPA General List" <wireless@wispa.org>
*Subject*: Re: [WISPA] strange firewall connection
I just sent them an email. Gonna beat on them & their upstream.
On Sun, Aug 22, 2010 at 9:41 PM, Chuck Hogg <ch...@shelbybb.com> wrote:
Apparently that ip is being used to attack quite a few people.
Paste your firewall rule here, it may be incorrect.
On Sun, Aug 22, 2010 at 7:19 PM, RickG <rgunder...@gmail.com> wrote:
I'm seeing a ton of connections coming from 208.64.123.177
(Blacklotus.net) to an IP address in my range (204.62.63.3)
which is not assigned to anything. The strange thing is that
when I block it, I lose DNS on my network. My RB-1000's
primary DNS is set for public (4.2.2.2) and my upstream's
(Time Warner - 76.85.228.101). Any thoughts?
--------------------------------------------------------------------------------
WISPA Wants You! Join today!
http://signup.wispa.org/
--------------------------------------------------------------------------------
WISPA Wireless List: wireless@wispa.org
Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless
Archives: http://lists.wispa.org/pipermail/wireless/
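An added example (not part of the thread, and not the script Nick shared): the two-step lookup shown above in Python, reading the ARIN record for its ReferralServer and preferring the rwhois sub-allocation only when it covers the queried address and lies inside the ARIN allocation. The sample strings are trimmed excerpts of the output quoted in the thread; the function names are hypothetical.

```python
import ipaddress
import re

# Trimmed excerpts of the ARIN and rwhois output quoted in the thread.
ARIN_SAMPLE = """\
NetRange: 208.64.120.0 - 208.64.127.255
CIDR: 208.64.120.0/21
OrgName: Black Lotus Communications
OrgAbuseEmail:
ReferralServer: rwhois://rwhois.blacklotus.net:4321
"""
RWHOIS_SAMPLE = """\
%rwhois V-1.0,V-1.5:00090h:00 support.blacklotus.net (Ubersmith RWhois Server V-1.6.5)
autharea=208.64.120.0/21
network:IP-Network:208.64.123.176/30
network:Org-Name:Aloli LTD
%ok
"""

def parse_arin(text):
    """Return (cidr, org, (host, port) or None) from 'Key: value' lines."""
    fields = dict(re.findall(r"^(\w+):[ \t]*(\S.*)$", text, re.M))
    ref = re.match(r"rwhois://([^:/\s]+):(\d+)", fields.get("ReferralServer", ""))
    referral = (ref.group(1), int(ref.group(2))) if ref else None
    return fields.get("CIDR"), fields.get("OrgName"), referral

def parse_rwhois(text):
    """Parse 'class:Attribute:value' lines, skipping '%' status lines."""
    rec = {}
    for line in text.splitlines():
        if line.startswith("%") or line.count(":") < 2:
            continue
        _cls, key, value = line.split(":", 2)
        rec[key] = value.strip()
    return rec

def attribute(ip, arin_text, rwhois_text):
    """Most specific owner record that provably covers ip."""
    cidr, org, referral = parse_arin(arin_text)
    allocation = ipaddress.ip_network(cidr)
    rec = parse_rwhois(rwhois_text) if referral else {}
    try:
        subnet = ipaddress.ip_network(rec.get("IP-Network", ""))
    except ValueError:
        subnet = None
    # Trust the referral only inside the registry's allocation.
    if subnet is not None and ipaddress.ip_address(ip) in subnet and subnet.subnet_of(allocation):
        return {"org": rec.get("Org-Name", org), "network": str(subnet), "source": "rwhois"}
    return {"org": org, "network": str(allocation), "source": "arin"}
```

As the abuse desk's reply in the thread points out, a UDP source address can be spoofed, so the result names the registered holder of the address, not necessarily the sender of the traffic.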