[57391] in North American Network Operators' Group
Re: Abuse.cc ???
daemon@ATHENA.MIT.EDU (Matthew S. Hallacy)
Sat Apr 5 07:36:51 2003
Date: Sat, 5 Apr 2003 06:36:12 -0600
From: "Matthew S. Hallacy" <poptix@techmonkeys.org>
To: "McBurnett, Jim" <jmcburnett@msmgmt.com>, nanog@merit.edu
In-Reply-To: <390E55B947E7C848898AEBB9E5077060750B6B@msmdcfs01.msmgmt.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Fri, Apr 04, 2003 at 10:51:27PM -0500, McBurnett, Jim wrote:
>
> I tell ya, what really gets me in a bad mood is when my PIX logs
> show the same IP address hitting port 80 on 25 different IP's
> and the time line is 2 seconds start to finish.
> And then you report it, and it continues after a week every single day.
> Substitute port 80 here with 1433, 139,135, and on and on..
> When a Syslog trap with a NTP sync time base and the entire log is not good
> enough, I don't know what is....
> Yesterday, I got word from a network operator that 50 entries was not sufficient.
> So I parsed 4 days's worth and sent them over 1200 messages from their block..
> have not heard back yet..
>
How was this traffic causing harm to your network? I'd rather have them
dealing with people actively breaking into systems, DoS'ing, etc than
terminating some customer who's probably infected with the latest
microsoft worm.
> Later,
> J
--
Matthew S. Hallacy FUBAR, LART, BOFH Certified
http://www.poptix.net GPG public key 0x01938203
