[67746] in North American Network Operators' Group
Verizon clients DOS own site?
daemon@ATHENA.MIT.EDU (Elkind_Rob@emc.com)
Thu Feb 19 15:57:53 2004
From: Elkind_Rob@emc.com
To: nanog@merit.edu
Date: Thu, 19 Feb 2004 15:57:15 -0500
Errors-To: owner-nanog-outgoing@merit.edu
Anyone else seeing this? It started up a few weeks ago.
We have a number of home users that VPN to our corporate network who are
using Verizon DSL as their Internet provider. While they are connected to
the corporate network they are generating tons of hits to
'supportcenter.verizon.net' (206.46.187.54).
Here's a basic trace:
host.on.my.net -> 206.46.187.54 TCP 49980 > HTTP [ACK]
host.on.my.net -> 206.46.187.54 HTTP GET /sbconfigservlet/sbconfigservlet HTTP/1.1
206.46.187.54 -> host.on.my.net HTTP HTTP/1.1 404 Not found
Here's the text of the transaction:
host.on.my.net
GET /sbconfigservlet/sbconfigservlet HTTP/1.1
Accept: */*
Accept-Language: en
If-Modified-Since: Mon, 09 Feb 2004 22:49:47 GMT
User-Agent: Motive HTTP Client
Host: supportcenter.verizon.net
Connection: Keep-Alive
Cache-Control: no-cache
reply from 206.46.187.54
HTTP/1.1 404 Not found
Server: Netscape-Enterprise/6.0
Date: Tue, 10 Feb 2004 19:37:05 GMT
Content-type: text/html
Content-length: 292
<HEAD><META HTTP-EQUIV="Content-Type"
CONTENT="text/html;charset=ISO-8859-1"><TITLE>Not
Found</TITLE></HEAD><H1>Not Found</H1> The requested object does not exist
on this server. The link you followed is either outdated, inaccurate, or the
server has been instructed not to let you have it.
This repeats over and over again many times a second while the client is
connected.
My guess is that these client files are the ones that initiate the
conversation from the client:
C:\program files\verizon\online\supportcenter\bin\matcli.exe
C:\program files\verizon\online\supportcenter\bin\mpbtn.exe
I'm seeing millions of hits to this site from just our ~100 users using
Verizon per week. I have to think that worldwide, Verizon clients are
generating enough traffic to DOS themselves.
I've tried contacting Verizon via email but I haven't received a response
and their tech support had no information on this. Although we're now
blocking this site and trying to clean up the clients, this is still
generating a lot of noise on our network. Any ideas on how to get Verizon to
take a look at this?
Any input is welcome.
Thanks,
Rob Elkind
Information Security Engineer
EMC²
where information lives

Email: elkind_rob@emc.com
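
Added example, not part of the original post: one way to spot the pattern described above (a client repeating the same failing request many times a second) in proxy logs. The log format, the thresholds, the client addresses and the 0.25-second request interval are assumptions made for this sketch; only the host, path, status and User-Agent come from the trace in the post.

```python
"""Flag clients stuck in a retry loop against one URL (added example; log format is assumed)."""
import shlex
from collections import defaultdict, deque

WINDOW_S = 10        # sliding window length in seconds (assumed threshold)
MIN_HITS = 20        # hits within the window that count as a loop (assumed threshold)
MIN_ERR_RATIO = 0.9  # share of 4xx/5xx replies needed to call it a failing loop


def parse(line):
    """Parse 'epoch client host path status "user agent"' (constructed format)."""
    ts, client, host, path, status, agent = shlex.split(line)
    return float(ts), client, host, path, int(status), agent


def find_retry_loops(lines):
    """Return {(client, host, path, agent): peak hits per window} for failing loops."""
    windows = defaultdict(deque)   # key -> (timestamp, is_error) pairs inside the window
    flagged = {}
    for line in lines:
        ts, client, host, path, status, agent = parse(line)
        key = (client, host, path, agent)
        win = windows[key]
        win.append((ts, status >= 400))
        while win and ts - win[0][0] > WINDOW_S:
            win.popleft()          # drop entries that fell out of the window
        errors = sum(1 for _, is_err in win if is_err)
        if len(win) >= MIN_HITS and errors / len(win) >= MIN_ERR_RATIO:
            flagged[key] = max(flagged.get(key, 0), len(win))
    return flagged


def sample_log():
    """Constructed proxy log: one looping client, one normal browser."""
    url = "supportcenter.verizon.net /sbconfigservlet/sbconfigservlet"
    loop = [f'{1000 + i * 0.25:.2f} 10.0.0.5 {url} 404 "Motive HTTP Client"'
            for i in range(80)]
    normal = [f'{1000 + i * 5:.2f} 10.0.0.9 www.example.com /index.html 200 "Mozilla/4.0"'
              for i in range(4)]
    return sorted(loop + normal, key=lambda l: float(l.split()[0]))


if __name__ == "__main__":
    for (client, host, path, agent), peak in find_retry_loops(sample_log()).items():
        print(f"{client} -> {host}{path} [{agent}]: {peak} hits in {WINDOW_S}s")
```

Grouping on the User-Agent as well as the URL separates an automated support agent from a person reloading the same page in a browser.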