Re: [WISPA] strange firewall connection

2010-08-24 Thread RickG
Ah, yes, that makes sense. Thanks!

On Mon, Aug 23, 2010 at 10:10 AM, Mike Hammett wrote:

>  The MAC address it would report would be your upstream router.
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
>
> On 8/23/2010 1:18 AM, RickG wrote:
>
> So the bastards get away with it :(
> I got the MAC from the connection. It was to a Juniper Networks unit. Too
> bad there is not a MAC/owner cross reference list.
> Oh well, back to the grindstone.
>
>
> -
>
> From: ab...@blacklotus.net [mailto:ab...@blacklotus.net]
> Sent: Monday, August 23, 2010 1:13 AM
> To: Rick Gunderson
> Subject: Re: [#78277] abuse
>
> Our network does not allow outbound UDP from that subnet (208.64.123.0/24). I
> can assure you the traffic you're seeing is not originating from our
> AS/network.
>
> The traffic is most certainly spoofed and designed to cause your DNS
> systems to DDoS my network. (See DNS reflection/amplification attack.)
>
> Basically someone in control of a large botnet is sending DNS queries to
> various networks with spoofed source address fields to cause response
> traffic to target our network.
>
> I can assure you there are no outbound DNS queries from that address; our
> network is blocking UDP ingress/egress from that range also.
>
> Best regards,
>
> On Sun, Aug 22, 2010 at 11:39 PM, Nick Olsen wrote:
>
>> Sure, a friend of mine wrote it, so YMMV. 2 files, pretty simple.
>>
>> http://whois.141networks.com/scripts.zip
>>
>>
>> Nick Olsen
>> Network Operations
>> (321) 205-1100 x106
>>
>>
>>
>>  --
>> *From*: "Ralph" 
>> *Sent*: Sunday, August 22, 2010 10:51 PM
>>
>> *To*: "WISPA General List" 
>> *Subject*: Re: [WISPA] strange firewall connection
>>
>>
>>  Works nicely.
>>
>> Care to share the script?
>>
>>
>>
>> Ralph
>>
>> Brightlan.net
>>
>>
>>
>> *From:* wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] *On
>> Behalf Of *Nick Olsen
>> *Sent:* Sunday, August 22, 2010 10:37 PM
>> *To:* WISPA General List
>> *Subject:* Re: [WISPA] strange firewall connection
>>
>>
>>
>> Yup, I run mine on a Linux box. By default, Linux whois hits ARIN, or
>> RIPE, etc. Then if the org has a private whois server it will hit it, where
>> everything else just hits ARIN and that's it. Notice how it hits both below.
>>
>> Running 'whois '208.64.123.177''...
>>
>> [Querying whois.arin.net]
>> [Redirected to rwhois.blacklotus.net:4321]
>> [Querying rwhois.blacklotus.net]
>>
>>
>>
>> I have a php script that makes this web-accessible. Anyone that wants to
>> use it is free to http://whois.141networks.com. However, That is hosted
>> from my personal residence so be gentle. :D
>>
>> //me might move it to the colo here soon though..
>>
>> Nick Olsen
>> Network Operations
>> (321) 205-1100 x106
>>
>>
>>  --
>>
>> *From*: "RickG" 
>> *Sent*: Sunday, August 22, 2010 10:28 PM
>> *To*: n...@brevardwireless.com, "WISPA General List" 
>> *Subject*: Re: [WISPA] strange firewall connection
>>
>> *Interesting. Your results are a bit different. who.is says:*
>>
>>
>>
>> # Query terms are ambiguous.  The query is assumed to be:
>> # "n + *208.64.123.177*"
>> #
>> # Use "?" to get help.
>> #
>>
>> #
>> # The following results may also be obtained via:
>> #
>> http://whois.arin.net/rest/nets;q=208.64.123.177?showDetails=true&showARIN=false
>>
>> #
>>
>> NetRange:   208.64.120.0 - 208.64.127.255
>> CIDR:   208.64.120.0/21
>> OriginAS:   AS32421
>> NetName:NET-208-64-120-0-1
>> NetHandle:  NET-208-64-120-0-1
>> Parent: NET-208-0-0-0-0
>> NetType:Direct Allocation
>> NameServer: NS1.ENTERPRISE.BLACKLOTUS.NET
>> NameServer: NS2.ENTERPRISE.BLACKLOTUS.NET
>> RegDate:2005-12-22
>> Updated:2009-11-11
>> Ref:http://whois.arin.net/rest/net/NET-208-64-120-0-1
>>
>> OrgName:Black Lotus Communications
>> OrgId:  BLC-92
>> Address:3419 Virginia Beach Blvd. #D5
>> City:   Virginia Beach
&

Re: [WISPA] strange firewall connection

2010-08-23 Thread Mike Hammett

 The MAC address it would report would be your upstream router.

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com



On 8/23/2010 1:18 AM, RickG wrote:

So the bastards get away with it :(
I got the MAC from the connection. It was to a Juniper Networks unit.
Too bad there is not a MAC/owner cross reference list.

Oh well, back to the grindstone.

-

From: ab...@blacklotus.net [mailto:ab...@blacklotus.net]

Sent: Monday, August 23, 2010 1:13 AM
To: Rick Gunderson
Subject: Re: [#78277] abuse

Our network does not allow outbound UDP from that subnet (208.64.123.0/24). I
can assure you the traffic you're seeing is not originating from our
AS/network.

The traffic is most certainly spoofed and designed to cause your DNS
systems to DDoS my network. (See DNS reflection/amplification attack.)

Basically someone in control of a large botnet is sending DNS queries to
various networks with spoofed source address fields to cause response
traffic to target our network.

I can assure you there are no outbound DNS queries from that address; our
network is blocking UDP ingress/egress from that range also.

Best regards,


On Sun, Aug 22, 2010 at 11:39 PM, Nick Olsen wrote:


Sure, a friend of mine wrote it, so YMMV. 2 files, pretty simple.

http://whois.141networks.com/scripts.zip


Nick Olsen
Network Operations
(321) 205-1100 x106




*From*: "Ralph"
*Sent*: Sunday, August 22, 2010 10:51 PM

*To*: "WISPA General List"
*Subject*: Re: [WISPA] strange firewall connection


Works nicely.

Care to share the script?

Ralph

Brightlan.net

*From:* wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] *On Behalf Of *Nick Olsen
*Sent:* Sunday, August 22, 2010 10:37 PM
*To:* WISPA General List
*Subject:* Re: [WISPA] strange firewall connection

Yup, I run mine on a Linux box. By default, Linux whois hits ARIN,
or RIPE, etc. Then if the org has a private whois server it will
hit it, where everything else just hits ARIN and that's it. Notice
how it hits both below.

Running 'whois '208.64.123.177''...

[Querying whois.arin.net]
[Redirected to rwhois.blacklotus.net:4321]
[Querying rwhois.blacklotus.net]



I have a php script that makes this web-accessible. Anyone that
wants to use it is free to http://whois.141networks.com. However,
That is hosted from my personal residence so be gentle. :D

//me might move it to the colo here soon though..

Nick Olsen
Network Operations
(321) 205-1100 x106



*From*: "RickG"
*Sent*: Sunday, August 22, 2010 10:28 PM
*To*: n...@brevardwireless.com, "WISPA General List"
*Subject*: Re: [WISPA] strange firewall connection

/Interesting. Your results are a bit different. who.is says:/

# Query terms are ambiguous.  The query is assumed to be:
# "n + *208.64.123.177*"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
#

http://whois.arin.net/rest/nets;q=208.64.123.177?showDetails=true&showARIN=false

#

NetRange:   208.64.120.0 - 208.64.127.255
CIDR:       208.64.120.0/21
OriginAS:   AS32421
NetName:    NET-208-64-120-0-1
NetHandle:  NET-208-64-120-0-1
Parent:     NET-208-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.ENTERPRISE.BLACKLOTUS.NET
NameServer: NS2.ENTERPRISE.BLACKLOTUS.NET
RegDate:    2005-12-22
Updated:    2009-11-11
Ref:        http://whois.arin.net/rest/net/NET-208-64-120-0-1

OrgName:Black Lotus Communications
OrgId:  BLC-92
Address:3419 Virginia Beach Blvd. #D5
City:   Virginia Beach
StateProv:  VA
PostalCode: 23452
Country:US
RegDate:2004-04-22
Updated:  

Re: [WISPA] strange firewall connection

2010-08-22 Thread RickG
So the bastards get away with it :(
I got the MAC from the connection. It was to a Juniper Networks unit. Too
bad there is not a MAC/owner cross reference list.
Oh well, back to the grindstone.

-

From: ab...@blacklotus.net [mailto:ab...@blacklotus.net]
Sent: Monday, August 23, 2010 1:13 AM
To: Rick Gunderson
Subject: Re: [#78277] abuse

Our network does not allow outbound UDP from that subnet (208.64.123.0/24). I
can assure you the traffic you're seeing is not originating from our
AS/network.

The traffic is most certainly spoofed and designed to cause your DNS
systems to DDoS my network. (See DNS reflection/amplification attack.)

Basically someone in control of a large botnet is sending DNS queries to
various networks with spoofed source address fields to cause response
traffic to target our network.

I can assure you there are no outbound DNS queries from that address; our
network is blocking UDP ingress/egress from that range also.

Best regards,

On Sun, Aug 22, 2010 at 11:39 PM, Nick Olsen wrote:

> Sure, a friend of mine wrote it, so YMMV. 2 files, pretty simple.
>
> http://whois.141networks.com/scripts.zip
>
>
> Nick Olsen
> Network Operations
> (321) 205-1100 x106
>
>
>
> --
> *From*: "Ralph" 
> *Sent*: Sunday, August 22, 2010 10:51 PM
>
> *To*: "WISPA General List" 
> *Subject*: Re: [WISPA] strange firewall connection
>
>
>  Works nicely.
>
> Care to share the script?
>
>
>
> Ralph
>
> Brightlan.net
>
>
>
> *From:* wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] *On
> Behalf Of *Nick Olsen
> *Sent:* Sunday, August 22, 2010 10:37 PM
> *To:* WISPA General List
> *Subject:* Re: [WISPA] strange firewall connection
>
>
>
> Yup, I run mine on a Linux box. By default, Linux whois hits ARIN, or
> RIPE, etc. Then if the org has a private whois server it will hit it, where
> everything else just hits ARIN and that's it. Notice how it hits both below.
>
> Running 'whois '208.64.123.177''...
>
> [Querying whois.arin.net]
> [Redirected to rwhois.blacklotus.net:4321]
> [Querying rwhois.blacklotus.net]
>
>
>
> I have a php script that makes this web-accessible. Anyone that wants to
> use it is free to http://whois.141networks.com. However, That is hosted
> from my personal residence so be gentle. :D
>
> //me might move it to the colo here soon though..
>
> Nick Olsen
> Network Operations
> (321) 205-1100 x106
>
>
>  --
>
> *From*: "RickG" 
> *Sent*: Sunday, August 22, 2010 10:28 PM
> *To*: n...@brevardwireless.com, "WISPA General List" 
> *Subject*: Re: [WISPA] strange firewall connection
>
> *Interesting. Your results are a bit different. who.is says:*
>
>
>
> # Query terms are ambiguous.  The query is assumed to be:
> # "n + *208.64.123.177*"
> #
> # Use "?" to get help.
> #
>
> #
> # The following results may also be obtained via:
> #
> http://whois.arin.net/rest/nets;q=208.64.123.177?showDetails=true&showARIN=false
>
> #
>
> NetRange:   208.64.120.0 - 208.64.127.255
> CIDR:   208.64.120.0/21
> OriginAS:   AS32421
> NetName:NET-208-64-120-0-1
> NetHandle:  NET-208-64-120-0-1
> Parent: NET-208-0-0-0-0
> NetType:Direct Allocation
> NameServer: NS1.ENTERPRISE.BLACKLOTUS.NET
> NameServer: NS2.ENTERPRISE.BLACKLOTUS.NET
> RegDate:2005-12-22
> Updated:2009-11-11
> Ref:http://whois.arin.net/rest/net/NET-208-64-120-0-1
>
> OrgName:Black Lotus Communications
> OrgId:  BLC-92
> Address:3419 Virginia Beach Blvd. #D5
> City:   Virginia Beach
> StateProv:  VA
> PostalCode: 23452
> Country:US
> RegDate:2004-04-22
> Updated:2009-02-12
> Comment:Please route any abuse concerns to
> Ref:http://whois.arin.net/rest/org/BLC-92
>
> ReferralServer: rwhois://rwhois.blacklotus.net:4321
>
> OrgAbuseHandle: NOC1554-ARIN
> OrgAbuseName:   Network Operations Center
> OrgAbusePhone:  +1-314-323-3401
> OrgAbuseEmail:
> OrgAbuseRef:http://whois.arin.net/rest/poc/NOC1554-ARIN
>
> OrgTechHandle: NOC1554-ARIN
> OrgTechName:   Network Operations Center
> OrgTechPhone:  +1-314-323-3401
> OrgTechEmail:
> OrgTechRef:http://whois.arin.net/rest/poc/NOC1554-ARIN
>
> OrgNOCHandle: NOC1554-ARIN
> OrgNOCName:   Network Operations Center
> OrgNOCPhone:  +1-314-323-3401
> OrgNOCEmail:
> OrgNOCRef:http://whois.arin.net/rest/poc/NOC1554-ARIN
>
&
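The abuse desk's explanation above describes the reflection pattern from the victim's side. What the resolver operator would want is the detection side: a recursive resolver that answers anyone will reflect to whatever source address the forged queries carry, and in its own query log that shows up as a burst of near-identical, answer-heavy queries (ANY, TXT, DNSKEY) all "from" one address. The block below is an added example, not code from the thread or from the abuse desk; the log lines are constructed in the style of a BIND querylog, and the line format, thresholds and the 10.0.0.5 LAN client are assumptions. The address it flags is the spoofed victim, not the attacker, which is why blocking it or chasing its owner does not stop the attack; the durable fix is on the resolver: answer recursion only for your own customer ranges and rate-limit responses.

```python
"""Spot DNS reflection abuse in resolver query logs.

Added example, not from the thread or the abuse desk. The log lines are
constructed in the style of a BIND querylog; that format, the thresholds and
the sample addresses are assumptions, not data from the page.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)$"
)

# Answers for these types dwarf the 40-60 byte question, which is what makes
# an open resolver worth reflecting through.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def parse_line(line):
    """One querylog line -> dict, or None if it is not a query line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
        "src": m["src"],
        "qname": m["qname"].rstrip(".").lower(),
        "qtype": m["qtype"].upper(),
    }


def find_reflection_sources(lines, window_s=10, min_burst=20, min_amp_share=0.8):
    """Sources that send a burst of answer-heavy queries in a short window.

    Returns {src: stats}. A flagged src is the *spoofed victim*, not the
    attacker: the queries were forged to carry its address.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)

    window = timedelta(seconds=window_s)
    suspects = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        peak, start = 0, 0                       # max queries in any window
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        amp_share = sum(r["qtype"] in AMPLIFYING_QTYPES for r in recs) / len(recs)
        questions = {(r["qname"], r["qtype"]) for r in recs}
        if peak >= min_burst and amp_share >= min_amp_share:
            suspects[src] = {
                "queries": len(recs),
                "peak_in_window": peak,
                "amplifying_share": round(amp_share, 2),
                "distinct_questions": len(questions),
            }
    return suspects


def build_sample_log():
    """Constructed sample: 40 forged ANY queries in 4 s plus normal LAN lookups."""
    base = datetime(2010, 8, 22, 19, 10, 0)
    lines = []
    for i in range(40):
        t = base + timedelta(milliseconds=100 * i)
        lines.append(
            f"{t:%d-%b-%Y %H:%M:%S}.{t.microsecond // 1000:03d} "
            f"client 208.64.123.177#{40000 + i}: query: example.com IN ANY +E"
        )
    for i, name in enumerate(["www.example.net", "mail.example.net", "example.org"]):
        t = base + timedelta(seconds=i)
        lines.append(f"{t:%d-%b-%Y %H:%M:%S}.000 client 10.0.0.5#{50000 + i}: query: {name} IN A +")
    return lines


if __name__ == "__main__":
    for src, stats in find_reflection_sources(build_sample_log()).items():
        print(src, stats)
```

Run against a real querylog the burst threshold needs tuning to your query volume; the signal that matters more than raw rate is the combination of one source, one question repeated, and an amplifying type, which legitimate clients almost never produce.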

Re: [WISPA] strange firewall connection

2010-08-22 Thread Nick Olsen
Sure, a friend of mine wrote it, so YMMV. 2 files, pretty simple.

http://whois.141networks.com/scripts.zip

Nick Olsen
Network Operations
(321) 205-1100 x106



From: "Ralph" 
Sent: Sunday, August 22, 2010 10:51 PM
To: "WISPA General List" 
Subject: Re: [WISPA] strange firewall connection



Works nicely.
Care to share the script?
 
Ralph
Brightlan.net
 

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On Behalf Of Nick Olsen
Sent: Sunday, August 22, 2010 10:37 PM
To: WISPA General List
Subject: Re: [WISPA] strange firewall connection

 
Yup, I run mine on a Linux box. By default, Linux whois hits ARIN, or
RIPE, etc. Then if the org has a private whois server it will hit it, where
everything else just hits ARIN and that's it. Notice how it hits both below.

Running 'whois '208.64.123.177''...

[Querying whois.arin.net] 
[Redirected to rwhois.blacklotus.net:4321] 
[Querying rwhois.blacklotus.net] 

I have a php script that makes this web-accessible. Anyone that wants to 
use it
is free to http://whois.141networks.com. However, That is hosted from my
personal residence so be gentle. :D

//me might move it to the colo here soon though..

Nick Olsen
Network Operations
(321) 205-1100 x106



 





From: "RickG"
Sent: Sunday, August 22, 2010 10:28 PM
To: n...@brevardwireless.com, "WISPA General List"
Subject: Re: [WISPA] strange firewall connection

Interesting. Your results are a bit different. who.is says:

 


# Query terms are ambiguous.  The query is assumed to be:
# "n + 208.64.123.177"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
#
# http://whois.arin.net/rest/nets;q=208.64.123.177?showDetails=true&showARIN=false
#

NetRange:   208.64.120.0 - 208.64.127.255
CIDR:       208.64.120.0/21
OriginAS:   AS32421
NetName:    NET-208-64-120-0-1
NetHandle:  NET-208-64-120-0-1
Parent:     NET-208-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.ENTERPRISE.BLACKLOTUS.NET
NameServer: NS2.ENTERPRISE.BLACKLOTUS.NET
RegDate:    2005-12-22
Updated:    2009-11-11
Ref:        http://whois.arin.net/rest/net/NET-208-64-120-0-1

OrgName:    Black Lotus Communications
OrgId:      BLC-92
Address:    3419 Virginia Beach Blvd. #D5
City:       Virginia Beach
StateProv:  VA
PostalCode: 23452
Country:    US
RegDate:    2004-04-22
Updated:    2009-02-12
Comment:    Please route any abuse concerns to
Ref:        http://whois.arin.net/rest/org/BLC-92

ReferralServer: rwhois://rwhois.blacklotus.net:4321

OrgAbuseHandle: NOC1554-ARIN
OrgAbuseName:   Network Operations Center
OrgAbusePhone:  +1-314-323-3401
OrgAbuseEmail:
OrgAbuseRef:    http://whois.arin.net/rest/poc/NOC1554-ARIN

OrgTechHandle: NOC1554-ARIN
OrgTechName:   Network Operations Center
OrgTechPhone:  +1-314-323-3401
OrgTechEmail:
OrgTechRef:    http://whois.arin.net/rest/poc/NOC1554-ARIN

OrgNOCHandle: NOC1554-ARIN
OrgNOCName:   Network Operations Center
OrgNOCPhone:  +1-314-323-3401
OrgNOCEmail:
OrgNOCRef:    http://whois.arin.net/rest/poc/NOC1554-ARIN

RAbuseHandle: NOC1554-ARIN
RAbuseName:   Network Operations Center
RAbusePhone:  +1-314-323-3401
RAbuseEmail:
RAbuseRef:    http://whois.arin.net/rest/poc/NOC1554-ARIN

RTechHandle: NOC1554-ARIN
RTechName:   Network Operations Center
RTechPhone:  +1-314-323-3401
RTechEmail:
RTechRef:    http://whois.arin.net/rest/poc/NOC1554-ARIN

RNOCHandle: NOC1554-ARIN
RNOCName:   Network Operations Center
RNOCPhone:  +1-314-323-3401
RNOCEmail:
RNOCRef:    http://whois.arin.net/rest/poc/NOC1554-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html

On Sun, Aug 22, 2010 at 10:17 PM, Nick Olsen wrote:

Using my favorite whois service, one that hits blacklotus's RWhois servers, the
Org name I get back from them is "Aloli LTD"



Running 'whois '208.64.123.177''...

[Querying whois.arin.net]
[Redirected to rwhois.blacklotus.net:4321]
[Querying rwhois.blacklotus.net]
[rwhois.blacklotus.net]
%rwhois V-1.0,V-1.5:00090h:00 support.blacklotus.net (Ubersmith RWhois Server V-1.6.5)
autharea=208.64.120.0/21
xautharea=208.64.120.0/21
network:Class-Name:network
network:Auth-Area:208.64.120.0/21
network:ID:NET-412.208.64.123.176/30
network:Network-Name:SSL enabled web sites (Mitigation Critical)
network:IP-Network:208.64.123.176/30
network:IP-Network-Block:208.64.123.176 - 208.64.123.179
network:Org-Name:Aloli LTD
network:Street-Address:3321 Road Town, Drake Chambers
network:City:Tortola
network:State:-
network:Postal-Code:3321
network:Country-Code:
network:Tech-Contact:MAINT-412.208.64.123.176/30
network:Created:20100818161918000
n

Re: [WISPA] strange firewall connection

2010-08-22 Thread Ralph
Works nicely.

Care to share the script?

 

Ralph

Brightlan.net

 

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Nick Olsen
Sent: Sunday, August 22, 2010 10:37 PM
To: WISPA General List
Subject: Re: [WISPA] strange firewall connection

 

Yup, I run mine on a Linux box. By default, Linux whois hits ARIN, or
RIPE, etc. Then if the org has a private whois server it will hit it, where
everything else just hits ARIN and that's it. Notice how it hits both below.

Running 'whois '208.64.123.177''...

[Querying whois.arin.net] 
[Redirected to rwhois.blacklotus.net:4321] 
[Querying rwhois.blacklotus.net] 



I have a php script that makes this web-accessible. Anyone that wants to use
it is free to http://whois.141networks.com. However, That is hosted from my
personal residence so be gentle. :D

//me might move it to the colo here soon though..

Nick Olsen
Network Operations
(321) 205-1100 x106


From: "RickG" 
Sent: Sunday, August 22, 2010 10:28 PM
To: n...@brevardwireless.com, "WISPA General List" 
Subject: Re: [WISPA] strange firewall connection

interesting. Your results a bit different. who.is says: 

 

# Query terms are ambiguous.  The query is assumed to be: 
# "n + 208.64.123.177" 
# 
# Use "?" to get help. 
# 

# 
# The following results may also be obtained via: 
# http://whois.arin.net/rest/nets;q=208.64.123.177?showDetails=true&showARIN=false
# 

NetRange:   208.64.120.0 - 208.64.127.255 
CIDR:   208.64.120.0/21 
OriginAS:   AS32421 
NetName:NET-208-64-120-0-1 
NetHandle:  NET-208-64-120-0-1 
Parent: NET-208-0-0-0-0 
NetType:Direct Allocation 
NameServer: NS1.ENTERPRISE.BLACKLOTUS.NET 
NameServer: NS2.ENTERPRISE.BLACKLOTUS.NET 
RegDate:2005-12-22 
Updated:2009-11-11 
Ref:http://whois.arin.net/rest/net/NET-208-64-120-0-1 

OrgName:Black Lotus Communications 
OrgId:  BLC-92 
Address:3419 Virginia Beach Blvd. #D5 
City:   Virginia Beach 
StateProv:  VA 
PostalCode: 23452 
Country:US 
RegDate:2004-04-22 
Updated:2009-02-12 
Comment:Please route any abuse concerns to
Ref:http://whois.arin.net/rest/org/BLC-92 

ReferralServer: rwhois://rwhois.blacklotus.net:4321 

OrgAbuseHandle: NOC1554-ARIN
OrgAbuseName:   Network Operations Center
OrgAbusePhone:  +1-314-323-3401
OrgAbuseEmail:
OrgAbuseRef:    http://whois.arin.net/rest/poc/NOC1554-ARIN

OrgTechHandle: NOC1554-ARIN
OrgTechName:   Network Operations Center
OrgTechPhone:  +1-314-323-3401
OrgTechEmail:
OrgTechRef:    http://whois.arin.net/rest/poc/NOC1554-ARIN

OrgNOCHandle: NOC1554-ARIN
OrgNOCName:   Network Operations Center
OrgNOCPhone:  +1-314-323-3401
OrgNOCEmail:
OrgNOCRef:    http://whois.arin.net/rest/poc/NOC1554-ARIN

RAbuseHandle: NOC1554-ARIN
RAbuseName:   Network Operations Center
RAbusePhone:  +1-314-323-3401
RAbuseEmail:
RAbuseRef:    http://whois.arin.net/rest/poc/NOC1554-ARIN

RTechHandle: NOC1554-ARIN
RTechName:   Network Operations Center
RTechPhone:  +1-314-323-3401
RTechEmail:
RTechRef:    http://whois.arin.net/rest/poc/NOC1554-ARIN

RNOCHandle: NOC1554-ARIN
RNOCName:   Network Operations Center
RNOCPhone:  +1-314-323-3401
RNOCEmail:
RNOCRef:    http://whois.arin.net/rest/poc/NOC1554-ARIN

# 
# ARIN WHOIS data and services are subject to the Terms of Use 
# available at: https://www.arin.net/whois_tou.html 

On Sun, Aug 22, 2010 at 10:17 PM, Nick Olsen 
wrote:

Using my favorite whois service, one that hits blacklotus's RWhois servers,
the Org name I get back from them is "Aloli LTD"



Running 'whois '208.64.123.177''...

[Querying whois.arin.net] 
[Redirected to rwhois.blacklotus.net:4321] 
[Querying rwhois.blacklotus.net] 
[rwhois.blacklotus.net] 
%rwhois V-1.0,V-1.5:00090h:00 support.blacklotus.net (Ubersmith RWhois
Server V-1.6.5) 
autharea=208.64.120.0/21 
xautharea=208.64.120.0/21 
network:Class-Name:network 
network:Auth-Area:208.64.120.0/21 
network:ID:NET-412.208.64.123.176/30 
network:Network-Name:SSL enabled web sites (Mitigation Critical) 
network:IP-Network:208.64.123.176/30 
network:IP-Network-Block:208.64.123.176 - 208.64.123.179 
network:Org-

Re: [WISPA] strange firewall connection

2010-08-22 Thread Nick Olsen
Yup, I run mine on a Linux box. By default, Linux whois hits ARIN, or
RIPE, etc. Then if the org has a private whois server it will hit it, where
everything else just hits ARIN and that's it. Notice how it hits both
below.


Running 'whois '208.64.123.177''...

[Querying whois.arin.net]
[Redirected to rwhois.blacklotus.net:4321]
[Querying rwhois.blacklotus.net]


I have a php script that makes this web-accessible. Anyone that wants to 
use it is free to http://whois.141networks.com. However, That is hosted 
from my personal residence so be gentle. :D

//me might move it to the colo here soon though..

Nick Olsen
Network Operations
(321) 205-1100 x106



From: "RickG" 
Sent: Sunday, August 22, 2010 10:28 PM
To: n...@brevardwireless.com, "WISPA General List" 
Subject: Re: [WISPA] strange firewall connection

Interesting. Your results are a bit different. who.is says:


# Query terms are ambiguous.  The query is assumed to be: 
# "n + 208.64.123.177" 
# 
# Use "?" to get help. 
# 

# 
# The following results may also be obtained via: 
# http://whois.arin.net/rest/nets;q=208.64.123.177?showDetails=true&showARIN=false
# 

NetRange:   208.64.120.0 - 208.64.127.255 
CIDR:   208.64.120.0/21 
OriginAS:   AS32421 
NetName:NET-208-64-120-0-1 
NetHandle:  NET-208-64-120-0-1 
Parent: NET-208-0-0-0-0 
NetType:Direct Allocation 
NameServer: NS1.ENTERPRISE.BLACKLOTUS.NET 
NameServer: NS2.ENTERPRISE.BLACKLOTUS.NET 
RegDate:2005-12-22 
Updated:2009-11-11 
Ref:http://whois.arin.net/rest/net/NET-208-64-120-0-1 

OrgName:Black Lotus Communications 
OrgId:  BLC-92 
Address:3419 Virginia Beach Blvd. #D5 
City:   Virginia Beach 
StateProv:  VA 
PostalCode: 23452 
Country:US 
RegDate:2004-04-22 
Updated:2009-02-12 
Comment:Please route any abuse concerns to  
Ref:http://whois.arin.net/rest/org/BLC-92 

ReferralServer: rwhois://rwhois.blacklotus.net:4321 

OrgAbuseHandle: NOC1554-ARIN 
OrgAbuseName:   Network Operations Center 
OrgAbusePhone:  +1-314-323-3401 
OrgAbuseEmail:   
OrgAbuseRef:http://whois.arin.net/rest/poc/NOC1554-ARIN 

OrgTechHandle: NOC1554-ARIN 
OrgTechName:   Network Operations Center 
OrgTechPhone:  +1-314-323-3401 
OrgTechEmail:   
OrgTechRef:http://whois.arin.net/rest/poc/NOC1554-ARIN 

OrgNOCHandle: NOC1554-ARIN 
OrgNOCName:   Network Operations Center 
OrgNOCPhone:  +1-314-323-3401 
OrgNOCEmail:   
OrgNOCRef:http://whois.arin.net/rest/poc/NOC1554-ARIN 

RAbuseHandle: NOC1554-ARIN 
RAbuseName:   Network Operations Center 
RAbusePhone:  +1-314-323-3401 
RAbuseEmail:   
RAbuseRef:http://whois.arin.net/rest/poc/NOC1554-ARIN 

RTechHandle: NOC1554-ARIN 
RTechName:   Network Operations Center 
RTechPhone:  +1-314-323-3401 
RTechEmail:   
RTechRef:http://whois.arin.net/rest/poc/NOC1554-ARIN 

RNOCHandle: NOC1554-ARIN 
RNOCName:   Network Operations Center 
RNOCPhone:  +1-314-323-3401 
RNOCEmail:   
RNOCRef:http://whois.arin.net/rest/poc/NOC1554-ARIN 

# 
# ARIN WHOIS data and services are subject to the Terms of Use 
# available at: https://www.arin.net/whois_tou.html 


On Sun, Aug 22, 2010 at 10:17 PM, Nick Olsen  
wrote:

Using my favorite whois service, one that hits blacklotus's RWhois
servers, the Org name I get back from them is "Aloli LTD"

Running 'whois '208.64.123.177''...

[Querying whois.arin.net]
[Redirected to rwhois.blacklotus.net:4321]
[Querying rwhois.blacklotus.net]
[rwhois.blacklotus.net]
%rwhois V-1.0,V-1.5:00090h:00 support.blacklotus.net (Ubersmith RWhois Server V-1.6.5)
autharea=208.64.120.0/21
xautharea=208.64.120.0/21
network:Class-Name:network
network:Auth-Area:208.64.120.0/21
network:ID:NET-412.208.64.123.176/30
network:Network-Name:SSL enabled web sites (Mitigation Critical)
network:IP-Network:208.64.123.176/30
network:IP-Network-Block:208.64.123.176 - 208.64.123.179
network:Org-Name:Aloli LTD
network:Street-Address:3321 Road Town, Drake Chambers
network:City:Tortola
network:State:-
network:Postal-Code:3321
network:Country-Code:
network:Tech-Contact:MAINT-412.208.64.123.176/30
network:Created:20100818161918000
network:Updated:20100818161918000
network:Updated-By:supp...@blacklotus.net
network:POC-Name:Network Operations Center
network:POC-Email:supp...@blacklotus.net
network:POC-Phone:(323) 657-5944
network:Tech-Name:Network Operations Center
network:Tech-Email:supp...@blacklotus.net
network:Tech-Phone:(323) 657-5944
%ok



Nick Olsen
Network Operations
(321) 205-1100 x106



From: "RickG" 
Sent: Sunday, August 22, 2010 9:54 PM
To: "WISPA General List" 
Subject: Re: [WISPA] strange firewall connection

I just sent them an email. Gonna beat on them & their up
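The referral-following that Nick describes above, as an added example (my code, not the scripts.zip shared in the thread): ARIN's answer for the /21 carries a `ReferralServer: rwhois://rwhois.blacklotus.net:4321` line, and a client that follows it gets the ISP's own reassignment record for the /30, which is where the "Aloli LTD" name comes from while who.is, which stops at ARIN, only ever shows Black Lotus. The two responses embedded below are trimmed from the whois output quoted in this thread so the lookup runs offline; `whois_query` is the real TCP transport for a live run. Sending the bare IP as the RWhois query is an assumption (it is what the Linux whois client did here). One caveat worth keeping in mind when you act on the result: reassignment data on an ISP's RWhois server is entered by the ISP, so the customer name and address are only as good as what the ISP recorded.

```python
"""Follow an ARIN whois ReferralServer line to the ISP's RWhois server.

Added example, not the script from the thread. The transport is the real
whois/rwhois line protocol (TCP, one query line, read to EOF). The ARIN and
RWhois responses in sample_query() are constructed from the output quoted
in this thread so the lookup runs offline; sending the bare IP to the RWhois
server is an assumption.
"""
import ipaddress
import re
import socket
from urllib.parse import urlsplit

REFERRAL_RE = re.compile(r"^ReferralServer:\s*(\S+)", re.MULTILINE)
ORGNAME_RE = re.compile(r"^OrgName:\s*(.+?)\s*$", re.MULTILINE)
RWHOIS_ATTR_RE = re.compile(r"^(?P<cls>[\w-]+):(?P<key>[\w-]+):(?P<val>.*)$")


def whois_query(server, port, query, timeout=10):
    """whois/rwhois transport: connect, send the query line, read until close."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_referral(text):
    """(host, port) from 'ReferralServer: rwhois://host:port', else None."""
    m = REFERRAL_RE.search(text)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if url.scheme != "rwhois" or not url.hostname:
        return None
    return url.hostname, url.port or 4321   # 4321 is the RWhois default port


def parse_rwhois(text):
    """Group 'class:Key:Value' lines into records; a blank or %-line ends one."""
    records, current = [], {}
    for raw in text.splitlines():
        m = RWHOIS_ATTR_RE.match(raw.strip())
        if m:
            current[m["key"]] = m["val"].strip()
        elif current:
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def most_specific(records, ip):
    """The record whose IP-Network contains ip, longest prefix wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for rec in records:
        cidr = rec.get("IP-Network")
        if not cidr:
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rec)
    return best[1] if best else None


def lookup(ip, query=whois_query):
    """ARIN first; if it hands out a referral, ask the RWhois server too."""
    arin = query("whois.arin.net", 43, ip)
    m = ORGNAME_RE.search(arin)
    result = {"arin_org": m.group(1) if m else None, "referral": None, "rwhois_org": None}
    ref = parse_referral(arin)
    if ref:
        result["referral"] = ref
        rec = most_specific(parse_rwhois(query(ref[0], ref[1], ip)), ip)
        if rec:
            result["rwhois_org"] = rec.get("Org-Name")
    return result


def sample_query():
    """Offline stand-in for whois_query; responses trimmed from the thread."""
    arin = (
        "NetRange:       208.64.120.0 - 208.64.127.255\n"
        "CIDR:           208.64.120.0/21\n"
        "OrgName:        Black Lotus Communications\n"
        "OrgId:          BLC-92\n"
        "ReferralServer: rwhois://rwhois.blacklotus.net:4321\n"
    )
    rwhois = (
        "%rwhois V-1.0,V-1.5:00090h:00 support.blacklotus.net (Ubersmith RWhois Server V-1.6.5)\n"
        "autharea=208.64.120.0/21\n"
        "network:Class-Name:network\n"
        "network:ID:NET-412.208.64.123.176/30\n"
        "network:IP-Network:208.64.123.176/30\n"
        "network:Org-Name:Aloli LTD\n"
        "network:City:Tortola\n"
        "%ok\n"
    )
    canned = {("whois.arin.net", 43): arin, ("rwhois.blacklotus.net", 4321): rwhois}
    return lambda server, port, q: canned[(server, port)]


if __name__ == "__main__":
    print(lookup("208.64.123.177", query=sample_query()))   # offline
    # print(lookup("208.64.123.177"))                       # live, needs network
```

`most_specific` matters when the RWhois server returns several overlapping objects (the /21 itself plus reassignments inside it); the customer is the longest prefix that still contains the address, not the first record printed.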

Re: [WISPA] strange firewall connection

2010-08-22 Thread RickG
*Interesting. Your results are a bit different. who.is says:*

# Query terms are ambiguous.  The query is assumed to be:
# "n + 208.64.123.177"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
#
http://whois.arin.net/rest/nets;q=208.64.123.177?showDetails=true&showARIN=false

#

NetRange:   208.64.120.0 - 208.64.127.255
CIDR:   208.64.120.0/21
OriginAS:   AS32421
NetName:NET-208-64-120-0-1
NetHandle:  NET-208-64-120-0-1
Parent: NET-208-0-0-0-0
NetType:Direct Allocation
NameServer: NS1.ENTERPRISE.BLACKLOTUS.NET
NameServer: NS2.ENTERPRISE.BLACKLOTUS.NET
RegDate:2005-12-22
Updated:2009-11-11
Ref:http://whois.arin.net/rest/net/NET-208-64-120-0-1

OrgName:Black Lotus Communications
OrgId:  BLC-92
Address:3419 Virginia Beach Blvd. #D5
City:   Virginia Beach
StateProv:  VA
PostalCode: 23452
Country:US
RegDate:2004-04-22
Updated:2009-02-12
Comment:Please route any abuse concerns to
Ref:http://whois.arin.net/rest/org/BLC-92

ReferralServer: rwhois://rwhois.blacklotus.net:4321

OrgAbuseHandle: NOC1554-ARIN
OrgAbuseName:   Network Operations Center
OrgAbusePhone:  +1-314-323-3401
OrgAbuseEmail:
OrgAbuseRef:http://whois.arin.net/rest/poc/NOC1554-ARIN

OrgTechHandle: NOC1554-ARIN
OrgTechName:   Network Operations Center
OrgTechPhone:  +1-314-323-3401
OrgTechEmail:
OrgTechRef:http://whois.arin.net/rest/poc/NOC1554-ARIN

OrgNOCHandle: NOC1554-ARIN
OrgNOCName:   Network Operations Center
OrgNOCPhone:  +1-314-323-3401
OrgNOCEmail:
OrgNOCRef:http://whois.arin.net/rest/poc/NOC1554-ARIN

RAbuseHandle: NOC1554-ARIN
RAbuseName:   Network Operations Center
RAbusePhone:  +1-314-323-3401
RAbuseEmail:
RAbuseRef:http://whois.arin.net/rest/poc/NOC1554-ARIN

RTechHandle: NOC1554-ARIN
RTechName:   Network Operations Center
RTechPhone:  +1-314-323-3401
RTechEmail:
RTechRef:http://whois.arin.net/rest/poc/NOC1554-ARIN

RNOCHandle: NOC1554-ARIN
RNOCName:   Network Operations Center
RNOCPhone:  +1-314-323-3401
RNOCEmail:
RNOCRef:http://whois.arin.net/rest/poc/NOC1554-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
On Sun, Aug 22, 2010 at 10:17 PM, Nick Olsen wrote:

> Using my favorite whois service, one that hits blacklotus's RWhois
> servers, the Org name I get back from them is "Aloli LTD"
>
>
> Running 'whois '208.64.123.177''...
>
>  [Querying whois.arin.net]
> [Redirected to rwhois.blacklotus.net:4321]
> [Querying rwhois.blacklotus.net]
> [rwhois.blacklotus.net]
> %rwhois V-1.0,V-1.5:00090h:00 support.blacklotus.net (Ubersmith RWhois
> Server V-1.6.5)
> autharea=208.64.120.0/21
> xautharea=208.64.120.0/21
> network:Class-Name:network
> network:Auth-Area:208.64.120.0/21
> network:ID:NET-412.208.64.123.176/30
> network:Network-Name:SSL enabled web sites (Mitigation Critical)
> network:IP-Network:208.64.123.176/30
> network:IP-Network-Block:208.64.123.176 - 208.64.123.179
> network:Org-Name:Aloli LTD
> network:Street-Address:3321 Road Town, Drake Chambers
> network:City:Tortola
> network:State:-
> network:Postal-Code:3321
> network:Country-Code:
> network:Tech-Contact:MAINT-412.208.64.123.176/30
> network:Created:20100818161918000
> network:Updated:20100818161918000
> network:Updated-By:supp...@blacklotus.net
> network:POC-Name:Network Operations Center
> network:POC-Email:supp...@blacklotus.net
> network:POC-Phone:(323) 657-5944
> network:Tech-Name:Network Operations Center
> network:Tech-Email:supp...@blacklotus.net
> network:Tech-Phone:(323) 657-5944
> %ok
>
> Nick Olsen
> Network Operations
> (321) 205-1100 x106
>
>
>
> --
> *From*: "RickG" 
> *Sent*: Sunday, August 22, 2010 9:54 PM
> *To*: "WISPA General List" 
> *Subject*: Re: [WISPA] strange firewall connection
>
> I just sent them an email. Gonna beat on them & their upstream.
>
> On Sun, Aug 22, 2010 at 9:41 PM, Chuck Hogg  wrote:
>
>> Apparently that ip is being used to attack quite a few people.  Paste your
>> firewall rule here, it may be incorrect.
>>
>>
>>
>>  On Sun, Aug 22, 2010 at 7:19 PM, RickG  wrote:
>>
>>>  I'm seeing a ton of connections coming from 208.64.123.177
>>> (Blacklotus.net) to an IP address in my range (204.62.63.3) which is not
>>> assigned to anything. The strange thing is that when I block it, I lose DNS
>>> on my network. My RB-1000's primary DNS is set for public (4.2.2.2) and my
>>> upstream's (Time Warner - 76.85.228.101). Any thoughts?
>>>

Re: [WISPA] strange firewall connection

2010-08-22 Thread Nick Olsen
Using my favorite whois service, one that hits blacklotus's RWhois
servers, the Org name I get back from them is "Aloli LTD"

Running 'whois '208.64.123.177''...

[Querying whois.arin.net]
[Redirected to rwhois.blacklotus.net:4321]
[Querying rwhois.blacklotus.net]
[rwhois.blacklotus.net]
%rwhois V-1.0,V-1.5:00090h:00 support.blacklotus.net (Ubersmith RWhois Server V-1.6.5)
autharea=208.64.120.0/21
xautharea=208.64.120.0/21
network:Class-Name:network
network:Auth-Area:208.64.120.0/21
network:ID:NET-412.208.64.123.176/30
network:Network-Name:SSL enabled web sites (Mitigation Critical)
network:IP-Network:208.64.123.176/30
network:IP-Network-Block:208.64.123.176 - 208.64.123.179
network:Org-Name:Aloli LTD
network:Street-Address:3321 Road Town, Drake Chambers
network:City:Tortola
network:State:-
network:Postal-Code:3321
network:Country-Code:
network:Tech-Contact:MAINT-412.208.64.123.176/30
network:Created:20100818161918000
network:Updated:20100818161918000
network:Updated-By:supp...@blacklotus.net
network:POC-Name:Network Operations Center
network:POC-Email:supp...@blacklotus.net
network:POC-Phone:(323) 657-5944
network:Tech-Name:Network Operations Center
network:Tech-Email:supp...@blacklotus.net
network:Tech-Phone:(323) 657-5944
%ok


Nick Olsen
Network Operations
(321) 205-1100 x106



From: "RickG" 
Sent: Sunday, August 22, 2010 9:54 PM
To: "WISPA General List" 
Subject: Re: [WISPA] strange firewall connection

I just sent them an email. Gonna beat on them & their upstream.

On Sun, Aug 22, 2010 at 9:41 PM, Chuck Hogg  wrote:
Apparently that ip is being used to attack quite a few people.  Paste your 
firewall rule here, it may be incorrect.




On Sun, Aug 22, 2010 at 7:19 PM, RickG  wrote:



I'm seeing a ton of connections coming from 208.64.123.177 (Blacklotus.net) 
to an IP address in my range (204.62.63.3) which is not assigned to 
anything. The strange thing is that when I block it, I lose DNS on my 
network. My RB-1000's primary DNS is set for public (4.2.2.2) and my 
upstream's (Time Warner - 76.85.228.101). Any thoughts?
  





WISPA Wants You! Join today!
http://signup.wispa.org/



WISPA Wireless List: wireless@wispa.org

Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless

Archives: http://lists.wispa.org/pipermail/wireless/


