[12639] in North American Network Operators' Group
Re: *scream* Cannot contact AT&T WorldNet NOC
daemon@ATHENA.MIT.EDU (Eric Wieling)
Sun Sep 28 20:23:19 1997
Date: Sun, 28 Sep 1997 19:17:43 -0500
From: Eric Wieling <eric@ccti.net>
To: nanog@merit.edu
In-Reply-To: <970928173409.1985e@SDG.DRA.COM>; from Sean Donelan on Sun, Sep 28, 1997 at 05:34:09PM -0500
On Sun, Sep 28, 1997 at 05:34:09PM -0500, Sean Donelan wrote:
> If you don't directly connect or peer with them, have you tried going
> through your upstream provider to get a trouble ticket referral for their
> NOC? AT&T has been very good about providing the secret code-word and
> telephone number to their direct inter-connects and peers in the past.
SprintLink is our upstream. After three hours they called back and
said that I "have to contact the Computer Crimes Division of the
FBI". Since the attempts stopped hours ago, I'm just going to pay
close attention to my logs and follow up if it happens again.
Someone apparently from a WorldNet dial-up account, calling in via
New Orleans and Dallas was sending large numbers of TCP connections
to port 1080. That's of course the default Socks Port. We don't run
socks. Never have. The connection attempts were blocked and logged.
The reasons could be:
1) stupid user entered in the wrong address for a socks proxy
2) Denial of Service attack
If it were #1, then why would it be coming from two different cities
and why sooooo many connections? If it was #2, why am I not seeing
more connections and why TCP? It seems to me that it's kinda
pointless to spoof the source address on a TCP connection unless you
are *very* clever. Why only port 1080?
--Eric
--
Eric Wieling (eric@ccti.net), Corporate Communications Technology
Sales: 504-585-7303 (sales@ccti.net), Support: 504-525-5449 (support@ccti.net)
I don't bother to set my alarm clock anymore. Someone always pages
me before I need to wake up anyway.