[12647] in North American Network Operators' Group


Re: *scream* Cannot contact AT&T WorldNet NOC

daemon@ATHENA.MIT.EDU (Jonathan Clark)
Mon Sep 29 14:42:53 1997

From: "Jonathan Clark" <jhc@wnmail.wndev.att.com>
Date: Mon, 29 Sep 1997 09:17:59 -0400
In-Reply-To: Eric Wieling <eric@ccti.net>
        "Re: *scream*  Cannot contact AT&T WorldNet NOC" (Sep 28, 19:17)
To: nanog@merit.edu

To answer your question about #1, we backhaul our dial-in calls all
over the place. The same user dialling back in to the same number could
easily end up in one of three or four IP blocks which are in turn
associated with different cities in the DNS.

Jonathan
--

Someone apparently from a WorldNet dial-up account, calling in via
New Orleans and Dallas was sending large numbers of TCP connections
to port 1080.  That's of course the default Socks Port.  We don't run
socks.  Never have.  The connection attempts were blocked and logged.

The reasons could be:

  1) stupid user entered in the wrong address for a socks proxy
  2) Denial of Service attack

If it were #1, then why would it be coming from two different cities
and why sooooo many connections.  If it was #2, why am I not seeing
more connections and why TCP?  It seems to me that it's kinda
pointless to spoof the source address on a TCP connection unless you
are *very* clever.  Why only port 1080?

--Eric


-- 
Eric Wieling (eric@ccti.net), Corporate Communications Technology
Sales: 504-585-7303 (sales@ccti.net), Support: 504-525-5449 (support@ccti.net)

I don't bother to set my alarm clock anymore.  Someone always pages
me before I need to wake up anyway.

>-- End of excerpt from Eric Wieling


