Ah, yes, that makes sense. Thanks!

On Mon, Aug 23, 2010 at 10:10 AM, Mike Hammett <wispawirel...@ics-il.net> wrote:

>  The MAC address it would report would be your upstream router.
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
>
> On 8/23/2010 1:18 AM, RickG wrote:
>
> So the bastards get away with it :(
> I got the mac from the connection. It was to a Juniper Networks unit. Too
> bad there is not a mac/owner cross reference list.
> Oh well, back to the grindstone.
>
>
> -------------------------------------------------------------------------------------
>
> From: ab...@blacklotus.net [mailto:ab...@blacklotus.net]
> Sent: Monday, August 23, 2010 1:13 AM
> To: Rick Gunderson
> Subject: Re: [#78277] abuse
>
> Our network does not allow outbound UDP from that subnet (208.64.123.0/24). I
> can assure you the traffic you're seeing is not originating from our
> AS/network.
>
> The traffic is most certainly spoofed and designed to cause your DNS systems to
> DDoS my network. (See DNS reflection/amplification attack).
>
> Basically someone in control of a large botnet is sending DNS queries to
> various networks with spoofed source address fields to cause response traffic to
> target our network.
>
> I can assure you there are no outbound DNS queries from that address, our
> network is blocking UDP ingress/egress from that range also.
>
>
>
> Best regards,
>
> On Sun, Aug 22, 2010 at 11:39 PM, Nick Olsen <n...@brevardwireless.com> wrote:
>
>> Sure, A friend of mine wrote it, So YMMV. 2 files, Pretty simple.
>>
>> http://whois.141networks.com/scripts.zip
>>
>>
>> Nick Olsen
>> Network Operations
>> (321) 205-1100 x106
>>
>>
>>
>>  ------------------------------
>> *From*: "Ralph" <ralphli...@bsrg.org>
>> *Sent*: Sunday, August 22, 2010 10:51 PM
>>
>> *To*: "WISPA General List" <wireless@wispa.org>
>> *Subject*: Re: [WISPA] strange firewall connection
>>
>>
>>  Works nicely.
>>
>> Care to share the script?
>>
>>
>>
>> Ralph
>>
>> Brightlan.net
>>
>>
>>
>> *From:* wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] *On
>> Behalf Of *Nick Olsen
>> *Sent:* Sunday, August 22, 2010 10:37 PM
>> *To:* WISPA General List
>> *Subject:* Re: [WISPA] strange firewall connection
>>
>>
>>
>> Yup, I run mine on a linux box. By default, linux whois hits Arin, Or
>> RIPE..etc. Then if the org has a private whois server it will hit it. Where
>> everything else just hits arin and that's it. Notice how it hits both below.
>>
>> Running 'whois '208.64.123.177''...
>>
>> [Querying whois.arin.net]
>> [Redirected to rwhois.blacklotus.net:4321]
>> [Querying rwhois.blacklotus.net]
>>
>>
>>
>> I have a php script that makes this web-accessible. Anyone that wants to
>> use it is free to http://whois.141networks.com. However, That is hosted
>> from my personal residence so be gentle. :D
>>
>> //me might move it to the colo here soon though..
>>
>> Nick Olsen
>> Network Operations
>> (321) 205-1100 x106
>>
>>
>>  ------------------------------
>>
>> *From*: "RickG" <rgunder...@gmail.com>
>> *Sent*: Sunday, August 22, 2010 10:28 PM
>> *To*: n...@brevardwireless.com, "WISPA General List" <wireless@wispa.org>
>> *Subject*: Re: [WISPA] strange firewall connection
>>
>> *Interesting. Your results are a bit different. who.is says:*
>>
>>
>>
>> # Query terms are ambiguous.  The query is assumed to be:
>> #     "n + *208.64.123.177*"
>> #
>> # Use "?" to get help.
>> #
>>
>> #
>> # The following results may also be obtained via:
>> #
>> http://whois.arin.net/rest/nets;q=208.64.123.177?showDetails=true&showARIN=false
>>
>> #
>>
>> NetRange:       208.64.120.0 - 208.64.127.255
>> CIDR:           208.64.120.0/21
>> OriginAS:       AS32421
>> NetName:        NET-208-64-120-0-1
>> NetHandle:      NET-208-64-120-0-1
>> Parent:         NET-208-0-0-0-0
>> NetType:        Direct Allocation
>> NameServer:     NS1.ENTERPRISE.BLACKLOTUS.NET
>> NameServer:     NS2.ENTERPRISE.BLACKLOTUS.NET
>> RegDate:        2005-12-22
>> Updated:        2009-11-11
>> Ref:            http://whois.arin.net/rest/net/NET-208-64-120-0-1
>>
>> OrgName:        Black Lotus Communications
>> OrgId:          BLC-92
>> Address:        3419 Virginia Beach Blvd. #D5
>> City:           Virginia Beach
>> StateProv:      VA
>> PostalCode:     23452
>> Country:        US
>> RegDate:        2004-04-22
>> Updated:        2009-02-12
>> Comment:        Please route any abuse concerns to
>> Ref:            http://whois.arin.net/rest/org/BLC-92
>>
>> ReferralServer: rwhois://rwhois.blacklotus.net:4321
>>
>> OrgAbuseHandle: NOC1554-ARIN
>> OrgAbuseName:   Network Operations Center
>> OrgAbusePhone:  +1-314-323-3401
>> OrgAbuseEmail:
>> OrgAbuseRef:    http://whois.arin.net/rest/poc/NOC1554-ARIN
>>
>> OrgTechHandle: NOC1554-ARIN
>> OrgTechName:   Network Operations Center
>> OrgTechPhone:  +1-314-323-3401
>> OrgTechEmail:
>> OrgTechRef:    http://whois.arin.net/rest/poc/NOC1554-ARIN
>>
>> OrgNOCHandle: NOC1554-ARIN
>> OrgNOCName:   Network Operations Center
>> OrgNOCPhone:  +1-314-323-3401
>> OrgNOCEmail:
>> OrgNOCRef:    http://whois.arin.net/rest/poc/NOC1554-ARIN
>>
>> RAbuseHandle: NOC1554-ARIN
>> RAbuseName:   Network Operations Center
>> RAbusePhone:  +1-314-323-3401
>> RAbuseEmail:
>> RAbuseRef:    http://whois.arin.net/rest/poc/NOC1554-ARIN
>>
>> RTechHandle: NOC1554-ARIN
>> RTechName:   Network Operations Center
>> RTechPhone:  +1-314-323-3401
>> RTechEmail:
>> RTechRef:    http://whois.arin.net/rest/poc/NOC1554-ARIN
>>
>> RNOCHandle: NOC1554-ARIN
>> RNOCName:   Network Operations Center
>> RNOCPhone:  +1-314-323-3401
>> RNOCEmail:
>> RNOCRef:    http://whois.arin.net/rest/poc/NOC1554-ARIN
>>
>> #
>> # ARIN WHOIS data and services are subject to the Terms of Use
>> # available at: https://www.arin.net/whois_tou.html
>>
>> On Sun, Aug 22, 2010 at 10:17 PM, Nick Olsen <n...@brevardwireless.com>
>> wrote:
>>
>> Using my favorite whois service. One that hits blacklotus's Rwhois
>> servers, the Org name I get back from them is "Aloli LTD"
>>
>>  Running 'whois '208.64.123.177''...
>>
>> [Querying whois.arin.net]
>> [Redirected to rwhois.blacklotus.net:4321]
>> [Querying rwhois.blacklotus.net]
>> [rwhois.blacklotus.net]
>> %rwhois V-1.0,V-1.5:00090h:00 support.blacklotus.net (Ubersmith RWhois Server V-1.6.5)
>> autharea=208.64.120.0/21
>> xautharea=208.64.120.0/21
>> network:Class-Name:network
>> network:Auth-Area:208.64.120.0/21
>> network:ID:NET-412.208.64.123.176/30
>> network:Network-Name:SSL enabled web sites (Mitigation Critical)
>> network:IP-Network:208.64.123.176/30
>> network:IP-Network-Block:208.64.123.176 - 208.64.123.179
>> network:Org-Name:Aloli LTD
>> network:Street-Address:3321 Road Town, Drake Chambers
>> network:City:Tortola
>> network:State:-
>> network:Postal-Code:3321
>> network:Country-Code:
>> network:Tech-Contact:MAINT-412.208.64.123.176/30
>> network:Created:20100818161918000
>> network:Updated:20100818161918000
>> network:Updated-By:supp...@blacklotus.net
>> network:POC-Name:Network Operations Center
>> network:POC-Email:supp...@blacklotus.net
>> network:POC-Phone:(323) 657-5944
>> network:Tech-Name:Network Operations Center
>> network:Tech-Email:supp...@blacklotus.net
>> network:Tech-Phone:(323) 657-5944
>> %ok
>>
>> Nick Olsen
>> Network Operations
>> (321) 205-1100 x106
>>
>>
>>  ------------------------------
>>
>> *From*: "RickG" <rgunder...@gmail.com>
>> *Sent*: Sunday, August 22, 2010 9:54 PM
>> *To*: "WISPA General List" <wireless@wispa.org>
>> *Subject*: Re: [WISPA] strange firewall connection
>>
>> I just sent them an email. Gonna beat on them & their upstream.
>>
>> On Sun, Aug 22, 2010 at 9:41 PM, Chuck Hogg <ch...@shelbybb.com> wrote:
>>
>> Apparently that ip is being used to attack quite a few people.  Paste your
>> firewall rule here, it may be incorrect.
>>
>>
>>
>>
>>
>> On Sun, Aug 22, 2010 at 7:19 PM, RickG <rgunder...@gmail.com> wrote:
>>
>>  I'm seeing a ton of connections coming from 208.64.123.177
>> (Blacklotus.net) to an IP address in my range (204.62.63.3) which is not
>> assigned to anything. The strange thing is that when I block it, I lose DNS
>> on my network. My RB-1000's primary DNS is set for public (4.2.2.2) and my
>> upstream's (Time Warner - 76.85.228.101). Any thoughts?
>>
>> --------------------------------------------------------------------------------
>> WISPA Wants You! Join today!
>> http://signup.wispa.org/
>>
>> --------------------------------------------------------------------------------
>>
>> WISPA Wireless List: wireless@wispa.org
>>
>> Subscribe/Unsubscribe:
>> http://lists.wispa.org/mailman/listinfo/wireless
>>
>> Archives: http://lists.wispa.org/pipermail/wireless/
>
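The referral chain discussed in the thread (ARIN names the allocation holder, the holder's rwhois server names the sub-delegation) can be followed programmatically. This is an added example, not the PHP script Nick mentions; the sample replies are constructed excerpts of the output quoted above, and the function names are hypothetical.

```python
import re
import socket

# Constructed excerpts of the two replies quoted in the thread (not live data).
ARIN_REPLY = """\
OrgName:        Black Lotus Communications
ReferralServer: rwhois://rwhois.blacklotus.net:4321
"""
RWHOIS_REPLY = """\
%rwhois V-1.0,V-1.5:00090h:00 support.blacklotus.net (Ubersmith RWhois Server V-1.6.5)
network:IP-Network:208.64.123.176/30
network:Org-Name:Aloli LTD
network:Country-Code:
%ok
"""
REFERRAL = re.compile(r"^ReferralServer:\s*(r?whois)://([^:/\s]+)(?::(\d+))?", re.M | re.I)
DEFAULT_PORT = {"whois": 43, "rwhois": 4321}

def find_referral(registry_text):
    """Return (scheme, host, port) from a ReferralServer line, or None."""
    m = REFERRAL.search(registry_text)
    if not m:
        return None
    scheme = m.group(1).lower()
    return scheme, m.group(2).lower(), int(m.group(3) or DEFAULT_PORT[scheme])

def parse_rwhois(text):
    """Map 'class:Attribute:value' lines to {Attribute: value}; skip %-lines."""
    record = {}
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3 and not line.startswith("%"):
            record[parts[1]] = parts[2].strip()
    return record

def fetch(host, port, query, timeout=10):
    """Send one query and read until the server closes (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        return b"".join(iter(lambda: s.recv(4096), b"")).decode("utf-8", "replace")

def most_specific_org(ip, registry_text, fetch=fetch):
    """Prefer the sub-delegation holder named by the referral server over OrgName."""
    m = re.search(r"^OrgName:\s*(.+)$", registry_text, re.M)
    org = m.group(1).strip() if m else None
    ref = find_referral(registry_text)
    if ref and ref[0] == "rwhois":
        org = parse_rwhois(fetch(ref[1], ref[2], ip)).get("Org-Name") or org
    return org, ref
```

Pass a stub such as `lambda host, port, query: RWHOIS_REPLY` as `fetch` to run it offline.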
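The reflection scenario in the abuse reply suggests a border policy that refuses DNS queries arriving from outside while still passing replies from the upstream resolvers, so that blocking the flood does not take DNS down with it. This is an added example, not a rule from the thread; it assumes the local prefix is 204.62.63.0/24, that no public DNS service is hosted there, and the packet tuples are constructed.

```python
import ipaddress
from collections import Counter

# Assumptions for illustration: the /24 around the address named in the thread,
# and the two upstream resolvers RickG lists for his router.
LOCAL_NETS = [ipaddress.ip_network("204.62.63.0/24")]
UPSTREAM_RESOLVERS = {ipaddress.ip_address(a) for a in ("4.2.2.2", "76.85.228.101")}

def classify(src, sport, dst, dport):
    """Stateless verdict for one UDP packet arriving on the WAN interface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in net for net in LOCAL_NETS):
        return "drop-spoofed-local"    # our own prefix cannot arrive from outside
    if not any(d in net for net in LOCAL_NETS):
        return "not-ours"
    if sport == 53 and s in UPSTREAM_RESOLVERS:
        return "allow-reply"           # answers to our lookups; dropping these breaks DNS
    if dport == 53:
        return "drop-external-query"   # answering would aim the response at the claimed source
    return "other"

def reflection_targets(packets, min_queries=3):
    """Claimed sources of repeated external queries: the likely victims, not the senders."""
    hits = Counter(p[0] for p in packets if classify(*p) == "drop-external-query")
    return {src: n for src, n in hits.items() if n >= min_queries}

# Constructed packets (src, sport, dst, dport); not captured traffic.
SAMPLE = [
    ("208.64.123.177", 40001, "204.62.63.3", 53),
    ("208.64.123.177", 40002, "204.62.63.3", 53),
    ("208.64.123.177", 40003, "204.62.63.3", 53),
    ("208.64.123.177", 40004, "204.62.63.3", 53),
    ("198.51.100.7", 40005, "204.62.63.3", 53),
    ("4.2.2.2", 53, "204.62.63.10", 50123),
    ("76.85.228.101", 53, "204.62.63.10", 50124),
    ("204.62.63.9", 40006, "204.62.63.3", 53),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt, classify(*pkt))
    print(reflection_targets(SAMPLE))
```

A stateless check trusts the source address on replies; on a real router the reply rule would normally be expressed with connection tracking instead.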
