Ah, yes, that makes sense. Thanks!

On Mon, Aug 23, 2010 at 10:10 AM, Mike Hammett <wispawirel...@ics-il.net> wrote:
> The MAC address it would report would be your upstream router.
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> On 8/23/2010 1:18 AM, RickG wrote:
>
> So the bastards get away with it :(
> I got the MAC from the connection. It was to a Juniper Networks unit. Too bad there is not a MAC/owner cross reference list.
> Oh well, back to the grindstone.
>
> -------------------------------------------------------------------------------------
>
> From: ab...@blacklotus.net [mailto:ab...@blacklotus.net]
> Sent: Monday, August 23, 2010 1:13 AM
> To: Rick Gunderson
> Subject: Re: [#78277] abuse
>
> Our network does not allow outbound UDP from that subnet (208.64.123.0/24). I can assure you the traffic you're seeing is not originating from our AS/network.
>
> The traffic is most certainly spoofed and designed to cause your DNS systems to DDoS my network. (See DNS reflection/amplification attack).
>
> Basically someone in control of a large botnet is sending DNS queries to various networks with spoofed source address fields to cause response traffic to target our network.
>
> I can assure you there are no outbound DNS queries from that address, our network is blocking UDP ingress/egress from that range also.
>
> Best regards,
>
> On Sun, Aug 22, 2010 at 11:39 PM, Nick Olsen <n...@brevardwireless.com> wrote:
>
>> Sure, A friend of mine wrote it, So YMMV. 2 files, Pretty simple.
>>
>> http://whois.141networks.com/scripts.zip
>>
>> Nick Olsen
>> Network Operations
>> (321) 205-1100 x106
>>
>> ------------------------------
>> *From*: "Ralph" <ralphli...@bsrg.org>
>> *Sent*: Sunday, August 22, 2010 10:51 PM
>> *To*: "WISPA General List" <wireless@wispa.org>
>> *Subject*: Re: [WISPA] strange firewall connection
>>
>> Works nicely.
>>
>> Care to share the script?
>>
>> Ralph
>> Brightlan.net
>>
>> *From:* wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] *On Behalf Of* Nick Olsen
>> *Sent:* Sunday, August 22, 2010 10:37 PM
>> *To:* WISPA General List
>> *Subject:* Re: [WISPA] strange firewall connection
>>
>> Yup, I run mine on a Linux box. By default, Linux whois hits ARIN, or RIPE, etc. Then if the org has a private whois server it will hit it. Where everything else just hits ARIN and that's it. Notice how it hits both below.
>>
>> Running 'whois '208.64.123.177''...
>>
>> [Querying whois.arin.net]
>> [Redirected to rwhois.blacklotus.net:4321]
>> [Querying rwhois.blacklotus.net]
>>
>> I have a PHP script that makes this web-accessible. Anyone that wants to use it is free to http://whois.141networks.com. However, that is hosted from my personal residence so be gentle. :D
>>
>> //me might move it to the colo here soon though..
>>
>> Nick Olsen
>> Network Operations
>> (321) 205-1100 x106
>>
>> ------------------------------
>>
>> *From*: "RickG" <rgunder...@gmail.com>
>> *Sent*: Sunday, August 22, 2010 10:28 PM
>> *To*: n...@brevardwireless.com, "WISPA General List" <wireless@wispa.org>
>> *Subject*: Re: [WISPA] strange firewall connection
>>
>> *Interesting. Your results are a bit different. who.is says:*
>>
>> # Query terms are ambiguous. The query is assumed to be:
>> # "n + *208.64.123.177*"
>> #
>> # Use "?" to get help.
>> #
>>
>> #
>> # The following results may also be obtained via:
>> # http://whois.arin.net/rest/nets;q=208.64.123.177?showDetails=true&showARIN=false
>> #
>>
>> NetRange: 208.64.120.0 - 208.64.127.255
>> CIDR: 208.64.120.0/21
>> OriginAS: AS32421
>> NetName: NET-208-64-120-0-1
>> NetHandle: NET-208-64-120-0-1
>> Parent: NET-208-0-0-0-0
>> NetType: Direct Allocation
>> NameServer: NS1.ENTERPRISE.BLACKLOTUS.NET
>> NameServer: NS2.ENTERPRISE.BLACKLOTUS.NET
>> RegDate: 2005-12-22
>> Updated: 2009-11-11
>> Ref: http://whois.arin.net/rest/net/NET-208-64-120-0-1
>>
>> OrgName: Black Lotus Communications
>> OrgId: BLC-92
>> Address: 3419 Virginia Beach Blvd. #D5
>> City: Virginia Beach
>> StateProv: VA
>> PostalCode: 23452
>> Country: US
>> RegDate: 2004-04-22
>> Updated: 2009-02-12
>> Comment: Please route any abuse concerns to
>> Ref: http://whois.arin.net/rest/org/BLC-92
>>
>> ReferralServer: rwhois://rwhois.blacklotus.net:4321
>>
>> OrgAbuseHandle: NOC1554-ARIN
>> OrgAbuseName: Network Operations Center
>> OrgAbusePhone: +1-314-323-3401
>> OrgAbuseEmail:
>> OrgAbuseRef: http://whois.arin.net/rest/poc/NOC1554-ARIN
>>
>> OrgTechHandle: NOC1554-ARIN
>> OrgTechName: Network Operations Center
>> OrgTechPhone: +1-314-323-3401
>> OrgTechEmail:
>> OrgTechRef: http://whois.arin.net/rest/poc/NOC1554-ARIN
>>
>> OrgNOCHandle: NOC1554-ARIN
>> OrgNOCName: Network Operations Center
>> OrgNOCPhone: +1-314-323-3401
>> OrgNOCEmail:
>> OrgNOCRef: http://whois.arin.net/rest/poc/NOC1554-ARIN
>>
>> RAbuseHandle: NOC1554-ARIN
>> RAbuseName: Network Operations Center
>> RAbusePhone: +1-314-323-3401
>> RAbuseEmail:
>> RAbuseRef: http://whois.arin.net/rest/poc/NOC1554-ARIN
>>
>> RTechHandle: NOC1554-ARIN
>> RTechName: Network Operations Center
>> RTechPhone: +1-314-323-3401
>> RTechEmail:
>> RTechRef: http://whois.arin.net/rest/poc/NOC1554-ARIN
>>
>> RNOCHandle: NOC1554-ARIN
>> RNOCName: Network Operations Center
>> RNOCPhone: +1-314-323-3401
>> RNOCEmail:
>> RNOCRef: http://whois.arin.net/rest/poc/NOC1554-ARIN
>>
>> #
>> # ARIN WHOIS data and services are subject to the Terms of Use
>> # available at: https://www.arin.net/whois_tou.html
>>
>> On Sun, Aug 22, 2010 at 10:17 PM, Nick Olsen <n...@brevardwireless.com> wrote:
>>
>> Using my favorite whois service. One that hits blacklotus's Rwhois servers, the Org name I get back from them is "Aloli LTD"
>>
>> Running 'whois '208.64.123.177''...
>>
>> [Querying whois.arin.net]
>> [Redirected to rwhois.blacklotus.net:4321]
>> [Querying rwhois.blacklotus.net]
>> [rwhois.blacklotus.net]
>> %rwhois V-1.0,V-1.5:00090h:00 support.blacklotus.net (Ubersmith RWhois Server V-1.6.5)
>> autharea=208.64.120.0/21
>> xautharea=208.64.120.0/21
>> network:Class-Name:network
>> network:Auth-Area:208.64.120.0/21
>> network:ID:NET-412.208.64.123.176/30
>> network:Network-Name:SSL enabled web sites (Mitigation Critical)
>> network:IP-Network:208.64.123.176/30
>> network:IP-Network-Block:208.64.123.176 - 208.64.123.179
>> network:Org-Name:Aloli LTD
>> network:Street-Address:3321 Road Town, Drake Chambers
>> network:City:Tortola
>> network:State:-
>> network:Postal-Code:3321
>> network:Country-Code:
>> network:Tech-Contact:MAINT-412.208.64.123.176/30
>> network:Created:20100818161918000
>> network:Updated:20100818161918000
>> network:Updated-By:supp...@blacklotus.net
>> network:POC-Name:Network Operations Center
>> network:POC-Email:supp...@blacklotus.net
>> network:POC-Phone:(323) 657-5944
>> network:Tech-Name:Network Operations Center
>> network:Tech-Email:supp...@blacklotus.net
>> network:Tech-Phone:(323) 657-5944
>> %ok
>>
>> Nick Olsen
>> Network Operations
>> (321) 205-1100 x106
>>
>> ------------------------------
>>
>> *From*: "RickG" <rgunder...@gmail.com>
>> *Sent*: Sunday, August 22, 2010 9:54 PM
>> *To*: "WISPA General List" <wireless@wispa.org>
>> *Subject*: Re: [WISPA] strange firewall connection
>>
>> I just sent them an email. Gonna beat on them & their upstream.
>>
>> On Sun, Aug 22, 2010 at 9:41 PM, Chuck Hogg <ch...@shelbybb.com> wrote:
>>
>> Apparently that IP is being used to attack quite a few people. Paste your firewall rule here, it may be incorrect.
>>
>> On Sun, Aug 22, 2010 at 7:19 PM, RickG <rgunder...@gmail.com> wrote:
>>
>> I'm seeing a ton of connections coming from 208.64.123.177 (Blacklotus.net) to an IP address in my range (204.62.63.3) which is not assigned to anything. The strange thing is that when I block it, I lose DNS on my network. My RB-1000's primary DNS is set for public (4.2.2.2) and my upstream's (Time Warner - 76.85.228.101). Any thoughts?
>>
>> --------------------------------------------------------------------------------
>> WISPA Wants You! Join today!
>> http://signup.wispa.org/
>> --------------------------------------------------------------------------------
>>
>> WISPA Wireless List: wireless@wispa.org
>>
>> Subscribe/Unsubscribe:
>> http://lists.wispa.org/mailman/listinfo/wireless
>>
>> Archives: http://lists.wispa.org/pipermail/wireless/
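The reflection pattern described in the abuse reply above, as an added example that is not part of the original thread: a Python check over constructed flow records that flags off-net "sources" whose DNS answers are far larger than the queries sent in their name. The record format, the thresholds and every address (RFC 5737 documentation ranges) are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: prefixes whose hosts may legitimately use our resolver.
CLIENT_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample, one flow per line:
# src dst proto dport query_bytes response_bytes
SAMPLE_FLOWS = """\
203.0.113.177 192.0.2.3 udp 53 64 3200
203.0.113.177 192.0.2.3 udp 53 64 3100
203.0.113.177 192.0.2.3 udp 53 60 2900
192.0.2.40 192.0.2.3 udp 53 58 120
198.51.100.9 192.0.2.3 udp 53 62 90
203.0.113.177 192.0.2.3 tcp 443 0 0
truncated line
"""


def is_client(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLIENT_NETS)


def reflection_candidates(flows, min_queries=3, min_factor=10.0):
    """Map each off-net DNS 'source' to (queries, bytes_out, amplification).

    With spoofed queries the logged source is the victim receiving the
    answers, not the sender, so a hit argues for limiting recursion to
    CLIENT_NETS rather than for blaming that address.
    """
    stats = defaultdict(lambda: [0, 0, 0])  # queries, bytes in, bytes out
    for line in flows.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # malformed record
        src, _dst, proto, dport, q_len, r_len = fields
        if proto != "udp" or dport != "53" or is_client(src):
            continue
        stats[src][0] += 1
        stats[src][1] += int(q_len)
        stats[src][2] += int(r_len)
    flagged = {}
    for src, (count, b_in, b_out) in stats.items():
        factor = b_out / b_in if b_in else 0.0
        if count >= min_queries and factor >= min_factor:
            flagged[src] = (count, b_out, round(factor, 1))
    return flagged
```

Calling `reflection_candidates(SAMPLE_FLOWS)` returns only the off-net address that drew large answers; the on-net client and the single small off-net lookup are not flagged.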