[39042] in North American Network Operators' Group
RE: for folks tracking DDOS sources or reading the GRC attack log
daemon@ATHENA.MIT.EDU (Mike Batchelor)
Mon Jun 25 19:54:48 2001
From: "Mike Batchelor" <mikebat@tmcs.net>
To: <nanog@merit.edu>
Date: Mon, 25 Jun 2001 16:54:12 -0700
Message-ID: <LLEOLJEDPHOFANPCPKOMCEIKCDAA.mikebat@tmcs.net>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <5.1.0.14.2.20010623220630.01da2e30@10.30.15.2>
Errors-To: owner-nanog-outgoing@merit.edu
> 24.0/8 is the "cable block".
No it's not. Check out 24.132/14 for instance.
> ARIN normally allocates residential
> cable modem subnets out of this space.
No they don't. Large parts of 24/8 are allocated to RIPE or APNIC. ARIN
has no say in how those blocks are used.
> Nearly all the cable operators
> have one slice or another from this block.
Perhaps this is true in the US.
> Nearly all North American
> cable modems users have address space in this block.
No they don't.
> Cable modems
> themselves are nearly always numbered in 10.0/8.
No they aren't.
> For those who have read the GRC web site, note that 216.216.8.x
> appears not to be a cable modem slice in any event.
Let's see, hmmmm..... lots of Windows PCs, and ports 137-139 are universally
filtered across the whole /24. Smells like cable to me.
> ARIN reports
> that this slice has been allocated to @Work, which is the commercial
> IP lease-line business unit within Excite@Home.
That is correct.
> Presence of a
> *.home.net DNS entry does not mean the system is on any cable modem
> network.
That is also correct. Thank you Dr. Obvious.
> There are no 24.0/8 addresses listed in the log at
> http://grc.com/dos/attacklog.htm
> so it isn't clear to me that any cable modems were used in that
> particular attack.
Not surprising, given your impressive slate of incorrect assumptions.
>
> Ran
> rja@inet.org
Didja ever have a bad hair day, when you just felt like being contrary for
the hell of it?
>
>
