The MAC address it would report would be your upstream router.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com



On 8/23/2010 1:18 AM, RickG wrote:
So the bastards get away with it :(
I got the MAC from the connection. It was to a Juniper Networks unit. Too bad there is not a MAC/owner cross-reference list.
Oh well, back to the grindstone.

-------------------------------------------------------------------------------------

From: ab...@blacklotus.net [mailto:ab...@blacklotus.net]
Sent: Monday, August 23, 2010 1:13 AM
To: Rick Gunderson
Subject: Re: [#78277] abuse

Our network does not allow outbound UDP from that subnet (208.64.123.0/24). I can assure you the traffic you're seeing is not originating from our AS/network. The traffic is most certainly spoofed and designed to cause your DNS systems to DDoS my network (see DNS reflection/amplification attack).

Basically someone in control of a large botnet is sending DNS queries to various networks with spoofed source address fields to cause response traffic to target our network.

I can assure you there are no outbound DNS queries from that address; our network is blocking UDP ingress/egress from that range also.

Best regards,


On Sun, Aug 22, 2010 at 11:39 PM, Nick Olsen <n...@brevardwireless.com> wrote:

    Sure, a friend of mine wrote it, so YMMV. 2 files, pretty simple.

    http://whois.141networks.com/scripts.zip


    Nick Olsen
    Network Operations
    (321) 205-1100 x106



    ------------------------------------------------------------------------
    *From*: "Ralph" <ralphli...@bsrg.org>
    *Sent*: Sunday, August 22, 2010 10:51 PM

    *To*: "WISPA General List" <wireless@wispa.org>
    *Subject*: Re: [WISPA] strange firewall connection


    Works nicely.

    Care to share the script?

    Ralph

    Brightlan.net

    *From:* wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] *On Behalf Of *Nick Olsen
    *Sent:* Sunday, August 22, 2010 10:37 PM
    *To:* WISPA General List
    *Subject:* Re: [WISPA] strange firewall connection

    Yup, I run mine on a Linux box. By default, Linux whois hits ARIN,
    or RIPE, etc. Then if the org has a private whois server it will
    hit it, where everything else just hits ARIN and that's it. Notice
    how it hits both below.

    Running 'whois '208.64.123.177''...

    [Querying whois.arin.net]
    [Redirected to rwhois.blacklotus.net:4321]
    [Querying rwhois.blacklotus.net]



    I have a PHP script that makes this web-accessible. Anyone that
    wants to use it is free to: http://whois.141networks.com. However,
    that is hosted from my personal residence so be gentle. :D

    //me might move it to the colo here soon though..

    Nick Olsen
    Network Operations
    (321) 205-1100 x106

    ------------------------------------------------------------------------

    *From*: "RickG" <rgunder...@gmail.com>
    *Sent*: Sunday, August 22, 2010 10:28 PM
    *To*: n...@brevardwireless.com, "WISPA General List" <wireless@wispa.org>
    *Subject*: Re: [WISPA] strange firewall connection

    Interesting. Your results are a bit different. who.is says:

    # Query terms are ambiguous.  The query is assumed to be:
    #     "n + *208.64.123.177*"
    #
    # Use "?" to get help.
    #

    #
    # The following results may also be obtained via:
    #
    #     http://whois.arin.net/rest/nets;q=208.64.123.177?showDetails=true&showARIN=false

    #

    NetRange:       208.64.120.0 - 208.64.127.255
    CIDR:           208.64.120.0/21
    OriginAS:       AS32421
    NetName:        NET-208-64-120-0-1
    NetHandle:      NET-208-64-120-0-1
    Parent:         NET-208-0-0-0-0
    NetType:        Direct Allocation
    NameServer:     NS1.ENTERPRISE.BLACKLOTUS.NET
    NameServer:     NS2.ENTERPRISE.BLACKLOTUS.NET
    RegDate:        2005-12-22
    Updated:        2009-11-11
    Ref: http://whois.arin.net/rest/net/NET-208-64-120-0-1

    OrgName:        Black Lotus Communications
    OrgId:          BLC-92
    Address:        3419 Virginia Beach Blvd. #D5
    City:           Virginia Beach
    StateProv:      VA
    PostalCode:     23452
    Country:        US
    RegDate:        2004-04-22
    Updated:        2009-02-12
    Comment:        Please route any abuse concerns to
    Ref: http://whois.arin.net/rest/org/BLC-92

    ReferralServer: rwhois://rwhois.blacklotus.net:4321

    OrgAbuseHandle: NOC1554-ARIN
    OrgAbuseName:   Network Operations Center
    OrgAbusePhone:  +1-314-323-3401
    OrgAbuseEmail:
    OrgAbuseRef: http://whois.arin.net/rest/poc/NOC1554-ARIN

    OrgTechHandle: NOC1554-ARIN
    OrgTechName:   Network Operations Center
    OrgTechPhone:  +1-314-323-3401
    OrgTechEmail:
    OrgTechRef: http://whois.arin.net/rest/poc/NOC1554-ARIN

    OrgNOCHandle: NOC1554-ARIN
    OrgNOCName:   Network Operations Center
    OrgNOCPhone:  +1-314-323-3401
    OrgNOCEmail:
    OrgNOCRef: http://whois.arin.net/rest/poc/NOC1554-ARIN

    RAbuseHandle: NOC1554-ARIN
    RAbuseName:   Network Operations Center
    RAbusePhone:  +1-314-323-3401
    RAbuseEmail:
    RAbuseRef: http://whois.arin.net/rest/poc/NOC1554-ARIN

    RTechHandle: NOC1554-ARIN
    RTechName:   Network Operations Center
    RTechPhone:  +1-314-323-3401
    RTechEmail:
    RTechRef: http://whois.arin.net/rest/poc/NOC1554-ARIN

    RNOCHandle: NOC1554-ARIN
    RNOCName:   Network Operations Center
    RNOCPhone:  +1-314-323-3401
    RNOCEmail:
    RNOCRef: http://whois.arin.net/rest/poc/NOC1554-ARIN

    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html

    On Sun, Aug 22, 2010 at 10:17 PM, Nick Olsen <n...@brevardwireless.com> wrote:

    Using my favorite whois service, one that hits Black Lotus's
    rwhois servers, the Org name I get back from them is "Aloli LTD".

    Running 'whois '208.64.123.177''...

    [Querying whois.arin.net]
    [Redirected to rwhois.blacklotus.net:4321]
    [Querying rwhois.blacklotus.net]
    [rwhois.blacklotus.net]
    %rwhois V-1.0,V-1.5:00090h:00 support.blacklotus.net (Ubersmith RWhois Server V-1.6.5)
    autharea=208.64.120.0/21
    xautharea=208.64.120.0/21
    network:Class-Name:network
    network:Auth-Area:208.64.120.0/21
    network:ID:NET-412.208.64.123.176/30
    network:Network-Name:SSL enabled web sites (Mitigation Critical)
    network:IP-Network:208.64.123.176/30
    network:IP-Network-Block:208.64.123.176 - 208.64.123.179
    network:Org-Name:Aloli LTD
    network:Street-Address:3321 Road Town, Drake Chambers
    network:City:Tortola
    network:State:-
    network:Postal-Code:3321
    network:Country-Code:
    network:Tech-Contact:MAINT-412.208.64.123.176/30
    network:Created:20100818161918000
    network:Updated:20100818161918000
    network:Updated-By:supp...@blacklotus.net
    network:POC-Name:Network Operations Center
    network:POC-Email:supp...@blacklotus.net
    network:POC-Phone:(323) 657-5944
    network:Tech-Name:Network Operations Center
    network:Tech-Email:supp...@blacklotus.net
    network:Tech-Phone:(323) 657-5944
    %ok

    Nick Olsen
    Network Operations
    (321) 205-1100 x106

    ------------------------------------------------------------------------

    *From*: "RickG" <rgunder...@gmail.com>
    *Sent*: Sunday, August 22, 2010 9:54 PM
    *To*: "WISPA General List" <wireless@wispa.org>
    *Subject*: Re: [WISPA] strange firewall connection

    I just sent them an email. Gonna beat on them & their upstream.

    On Sun, Aug 22, 2010 at 9:41 PM, Chuck Hogg <ch...@shelbybb.com> wrote:

    Apparently that IP is being used to attack quite a few people.
    Paste your firewall rule here, it may be incorrect.

    On Sun, Aug 22, 2010 at 7:19 PM, RickG <rgunder...@gmail.com> wrote:

        I'm seeing a ton of connections coming from 208.64.123.177
        (Blacklotus.net) to an IP address in my range (204.62.63.3)
        which is not assigned to anything. The strange thing is that
        when I block it, I lose DNS on my network. My RB-1000's
        primary DNS is set for public (4.2.2.2) and my upstream's
        (Time Warner - 76.85.228.101). Any thoughts?



        
        --------------------------------------------------------------------------------
        WISPA Wants You! Join today!
        http://signup.wispa.org/
        --------------------------------------------------------------------------------

        WISPA Wireless List: wireless@wispa.org
        <mailto:wireless@wispa.org>

        Subscribe/Unsubscribe:
        http://lists.wispa.org/mailman/listinfo/wireless

        Archives: http://lists.wispa.org/pipermail/wireless/




    





    




    






