What on earth?

Discussion in 'other firewalls' started by Mike_Healan, Aug 5, 2002.

Thread Status:
Not open for further replies.
  1. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
    This person was a fellow customer of my ISP (judging from the IP address). This nonsense went on for hours until I got tired of it and asked several friends with very large bandwidth to "convince" this person to go offline.
    What on Earth were they trying to do here?

     
  2. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Maybe a kid playing with SuperScan?

    Or, if it was directed at you, maybe one of your neighbors doesn't like you (or whoever it was)?

    Complaints to the ISP involved, including logfiles, would probably actually work in this instance, since the behavior was so sustained. Pete
     
  3. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    If complaints to your ISP fail to resolve it, ask the guy his hat size.
     
  4. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
    Well, considering how we "convinced" him right offline ........

    *cough* *cough*

    He did it twice actually now that I think of it. He went offline after doing it for hours, then 30 minutes or so later another IP (also at my ISP) started the same s**t, so we "convinced" him he should be offline again.
    I'm just wondering what the heck he was trying to do.
     
  5. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    That's funny. I just put that addy. into Karen's URL Discombobulator and it came back with this: 0.0.18.254

    ?

    Pete
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Also, I'm getting 'no such host' and similar messages on SamSpade using the original addy.

    Got any spooks living in your 'hood? Black vans parked in front of your house? Pete
     
  7. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    It pings, though.
     
  8. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
    * Mike goes to poke at the bush that's sprouted up in the backyard since yesterday .......
     
  9. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    :D Yeah, it pings. NeoTrace is doing a better job. You're in Atlanta, huh?

    (Note: SamSpade worked much better when I dropped the last four numbers, too! <g> ). Pete
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hey Mike,

    TCP Null packets contain a sequence but no flags - illegal in fact. Attackers could create crafted packets with false IP addresses (IP Spoofing), making them hard(er) to track down. In that case, a trace back might lead to an innocent third party.

    The TCP Null packet is commonly used to identify listening TCP ports. There are DDoS tools around using Null, like Trinity (aka MyServer or Plague) - listening to TCP 33270, when idle connecting to IRC server on 6667.

    Seems like someone is trying to give you a hard time (IP spoofed or not), possibly trying to DDoS you.

    Looks like Kerio(?) is handling it well though ;).

    Take care.

    paul
     
  11. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
  12. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
    Interesting. Last week, someone with an IP that traced back to yahoo.com kept probing at ports 5000 and 5001.

    My IP changes when I go online just like any other dialup customer, so they're not after me. Think this is someone scanning the whole netblock? Sort of hard to believe someone has the bandwidth to scan the whole block continuously for hours like that.
     
  13. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    ahh..didn't know that.

    Seems like it.

    Could be part of the block. Bandwidth does not have to be a problem.

    regards.

    paul
     
  14. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Mike - If the bush checked out okay, look to the sky - them pesky reptilian aliens could be up to something again...
     
  15. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    We are watching you for your own good, Peteling. Do not complain about the new growth in your garden either - it is home to those who seek to administer your planet wisely. It is the bush administration.
     
  16. snowy

    snowy Guest

    Mike

    Beginning Friday and lasting until the a.m. hours of Monday... I noticed a tremendous amount of "traffic"... in fact, for the first time ever I reported a Sub-Seven attack to my ISP... from a person also using my ISP... requesting only that the person be contacted and advised that his/her machine may be compromised... (the person's machine did not even have a firewall)
    It would appear to me that there were massive DoS attacks going on over the weekend... it's now Monday afternoon in my area... and the net is very quiet

    snowman
     
  17. snowy

    snowy Guest

    Mike

    by the way... have you noticed any unusual amount of "internet broadcast" on UDP port 68... it's supposedly coming from "assigned numbers"

    snowman
     
  18. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    One time a figment of my imagination came down outta the sky n gave me a chicklet.
     
  19. snowy

    snowy Guest

    Detox

    naw....that was just an egg hatching....dropped from the earthship chickenlittle
     
  20. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Oh, that's what (who) it is! I feel much better (or is it worse?). Now, you've reminded me to re-read "1984", while I can still get my hands on a copy.
     
  21. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Paul, I was looking at the timing in the two logs and in the first one to me it looks more like a concerted effort to probe a bunch of ports looking for an opening. With 3+ second intervals, it's not much of a DoS attack.
    On the second log, although there are not many entries to look at, it looks like that could be an attempted DoS.
    I am not that familiar with some of this and I don't know if someone would be taking the time and effort to spoof and run null scans on Mike, unless he really got to somebody.
    Also that second log showing port 5000 could be some moron guessing that he had XP and had not secured port 5000 properly.
    If I'm not mistaken, spoofing takes some smarts and some time to pull off. All in all, interesting to say the least. :)
    Nice to know you have friends that can help out in a pinch, Mike.
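    As an added illustration (not code from the thread or from any of its participants) of Paul's point that a TCP segment with no flags set is illegal and used to find listening ports, and of root's point that multi-second intervals look like a probe rather than a DoS: a Python checker that decodes raw TCP headers, flags null segments per source, and uses the inter-arrival gap to separate a slow probe from a flood. The sample traffic, source addresses, 100 ms flood threshold and function names are constructed assumptions; only the Trinity port 33270 comes from the thread.

```python
import struct
from collections import defaultdict
TRINITY_PORT = 33270  # TCP port the Trinity DDoS agent listens on (named in the thread)
FLAG_MASK = 0x003F    # the six classic TCP flags: FIN SYN RST PSH ACK URG

def parse_tcp_header(data: bytes) -> dict:
    """Decode the fixed 20-byte TCP header (RFC 793 field layout)."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, _ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "flags": off_flags & 0x01FF}

def is_null_packet(hdr: dict) -> bool:
    """Sequence number present but none of the six flags set: illegal, i.e. a null probe."""
    return hdr["flags"] & FLAG_MASK == 0

def analyse(packets):
    """packets: (timestamp_s, src_ip, raw_tcp_header) tuples. Per source: null-segment count,
    ports touched, mean gap (seconds apart = probe, under 100 ms = flood), Trinity-port hits."""
    per_src = defaultdict(lambda: {"times": [], "ports": set(), "trinity": False})
    for ts, src, raw in packets:
        hdr = parse_tcp_header(raw)
        if TRINITY_PORT in (hdr["sport"], hdr["dport"]):
            per_src[src]["trinity"] = True
        if is_null_packet(hdr):
            per_src[src]["times"].append(ts)
            per_src[src]["ports"].add(hdr["dport"])
    report = {}
    for src, info in per_src.items():
        times = sorted(info["times"])
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else None
        if not times:
            verdict = "no null segments"
        else:
            verdict = "null flood (possible DoS)" if gaps and mean_gap < 0.1 else "null port probe"
        report[src] = {"null_count": len(times), "distinct_ports": len(info["ports"]),
                       "mean_gap_s": mean_gap, "verdict": verdict, "trinity_port_seen": info["trinity"]}
    return report

def make_tcp(sport, dport, seq, flags):
    """Build a 20-byte TCP header (data offset 5, no options) for the constructed sample."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 8192, 0, 0)

# Constructed sample (not the thread's logs): null probes ~3 s apart from one source, a SYN and a Trinity-port SYN from another.
SAMPLE = [(0.0, "198.51.100.7", make_tcp(40000, 21, 1, 0)),
          (3.2, "198.51.100.7", make_tcp(40000, 23, 1, 0)),
          (6.5, "198.51.100.7", make_tcp(40000, 80, 1, 0)),
          (1.0, "203.0.113.9", make_tcp(51000, 80, 77, 0x02)),
          (2.0, "203.0.113.9", make_tcp(51000, TRINITY_PORT, 78, 0x02))]
```

    Running `analyse(SAMPLE)` reports the first source as a null port probe over three ports with a mean gap of about 3.25 s, and the second as sending no null segments but touching the Trinity port.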
     
  22. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
    No, nothing on port 68 that I can think of.

    root, here's some more of that log so you can see what I was dealing with that night. There's so much that I didn't want to flood out the thread.
     
  23. snowy

    snowy Guest

    Mike

    the 66.218.*** is that the URL that was involved??
    That's assigned to a <yahoo> account. If that's not you...??

    snowman
     
  24. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
    Yeah, that's what was so weird about it. I couldn't figure why on Earth someone at yahoo was hammering at my firewall like that. I sent an abuse email to abuse@ and netblockadmin@ yahoo.com and CCed to my ISP. The ISP looked at their logs and said they'd see what they could find out. Haven't heard back about it.
     
  25. snowy

    snowy Guest

    Mike

    not really so strange... <yahoo> is now an internet service provider... one of its "customers" perhaps? and somehow got hold of your address?
    the UDP is what I find interesting because I also was being hammered... but didn't notice it except my CPU was running at full blast like the swap files had lost control...
    By disconnecting and stopping all outbound then I got an alert that an Internet Broadcast (UDP port 68) was prevented... in fact it's happening right now!... I realize the need for the assigned numbers part... but this is highly unusual... enormous traffic!!

    snowman
     