The following is some dialogue that I posted to the DShield.org list last night, trying to figure out why I was seeing these odd traceroute probes in my firewall logs at home. I post it here for two reasons: [1] Does anyone have any experience with InterNAP's FCP-500 product? I was looking for some additional technical info beyond what is on their web site. Contact me off-list, of course. And, [2] Just thought some of you might be interested. :-)

- ferg

---------- Forwarded Message ----------

Just as an FYI follow-up to last night's e-mails from me to the list [subject line above], I received this from InterNAP this morning. Thought I'd share...

- ferg

---------- Forwarded Message ----------

We have received the following notice regarding trace route traffic originating from our network, so I thought I would respond to give you a bit of peace of mind.

The packets you are seeing are actually a very GOOD thing. Our datacenter employs a technology which tunes BGP routing tables for outbound traffic to provide the highest performing route path. On average, this shaves 35-40ms off the round-trip time for network performance. The device which performs these operations is called an Internap FCP-500. You can view more information at http://www.internap.com/products/route-optimization.htm

Chances are, your public IP address was part of communication with our datacenter. Since over 10,000 web sites are hosted in our center, it is a very likely case that you accessed a web site, which then triggered the performance platform to probe round-trip times via traditional trace route and ping protocols. Once you communicate with the datacenter for the first time, the device will continue to probe the pathway for performance data periodically, and adjust routes accordingly. The end result is a better performing experience, since the packets take the best performing pathway through the Internet from the datacenter to the end user.
Regards,

Susan Cook
________________________________
Susan Cook | AUP Enforcement
[contact info elided]

-----Original Message-----
From: abuse@internap.com [mailto:abuse@internap.com]
Posted At: Wednesday, August 10, 2005 9:46 PM
Posted To: Data393 Abuse
Conversation: [ABUSE] Re: [Dshield] Dst. ports 33438, 33437 (64.95.255.255) [data393]
Subject: [ABUSE] Re: [Dshield] Dst. ports 33438, 33437 (64.95.255.255) [data393]

Internap has received an abuse complaint related to the possible distribution of unsolicited e-mail (spam) or a possible security violation from you or one of your customers. We are forwarding the complaint to you so that you may take appropriate measures to address the issue. The purpose of this message is to inform you of a complaint we have received as if you had received the complaint directly. We have not verified the accuracy of the complaint nor is this an accusation that the said incident has occurred. Internap will not embark upon any punitive action regarding spam or security complaints without explicitly and formally contacting you regarding a clear, verified complaint, or a pattern of abuse.

Please refer to http://www.internap.com/about/policies.html for general questions regarding Internap's stance on spam or abuse. Please direct any questions regarding this specific issue to abuse@internap.com.

---------- Forwarded message ----------
From: "Fergie (Paul Ferguson)" <<removed>@netzero.net>
Date: Thu, 11 Aug 2005 03:39:43 GMT
To: list@lists.dshield.org
Cc: abuse@internap.com
Subject: Re: [Dshield] Dst. ports 33438, 33437

...and, now I see an adjacent port as well:

2005-08-10 21:21:48 -05:00 87744681 1 64.94.45.10 14484 67.64.90.x 33436 udp

64.94.45.10 --> fcp-2.chg.pnap.net

Hmmm.
OrgName:    Internap Network Services
OrgID:      PNAP
Address:    250 Williams Street
Address:    Suite E100
City:       Atlanta
StateProv:  GA
PostalCode: 30303
Country:    US

NetRange:   64.94.0.0 - 64.95.255.255
CIDR:       64.94.0.0/15
NetName:    PNAP-05-2000
NetHandle:  NET-64-94-0-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.PNAP.NET
NameServer: NS2.PNAP.NET
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    2000-06-05
Updated:    2002-06-17

TechHandle: INO3-ARIN
TechName:   InterNap Network Operations Center
TechPhone:  +1-877-843-4662
TechEmail:  noc@internap.com

OrgAbuseHandle: IAC3-ARIN
OrgAbuseName:   Internap Abuse Contact
OrgAbusePhone:  +1-206-256-9500
OrgAbuseEmail:  abuse@internap.com

OrgTechHandle: INO3-ARIN
OrgTechName:   InterNap Network Operations Center
OrgTechPhone:  +1-877-843-4662
OrgTechEmail:  noc@internap.com

# ARIN WHOIS database, last updated 2005-08-10 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Tracing to: 64.94.45.10
 1  legacy26-0.default.csail.mit.edu (18.26.0.1) [AS3]  0 ms  0 ms  0 ms
 2  kalgan.trantor.csail.mit.edu (128.30.0.245) [AS40]  0 ms  0 ms  0 ms
 3  B24-RTR-2-CSAIL.MIT.EDU (18.4.7.1) [AS3]  90 ms  96 ms  2 ms
 4  EXTERNAL-RTR-2-BACKBONE.MIT.EDU (18.168.0.27) [AS3]  0 ms  0 ms  0 ms
 5  EXTERNAL-RTR-1-BACKBONE.MIT.EDU (18.168.0.18) [AS3]  1 ms  1 ms  1 ms
 6  ge-6-23.car2.Boston1.Level3.net (4.79.2.1) [AS3356]  1 ms  1 ms  1 ms
 7  ae-1-51.mp1.Boston1.Level3.net (4.68.100.1) [AS3356]  1 ms  1 ms  1 ms
 8  so-3-1-0.bbr1.Chicago1.Level3.net (64.159.4.178) [AS3356]  21 ms  ae-0-0.bbr2.Chicago1.Level3.net (64.159.1.34) [AS3356]  21 ms  so-3-1-0.bbr1.Chicago1.Level3.net (64.159.4.178) [AS3356]  21 ms
 9  ge-7-0.ipcolo1.Chicago1.Level3.net (4.68.101.42) [AS3356]  21 ms  ge-7-1.ipcolo1.Chicago1.Level3.net (4.68.101.106) [AS3356]  21 ms  ge-9-1.ipcolo1.Chicago1.Level3.net (4.68.101.74) [AS3356]  21 ms
10  unknown.Level3.net (209.247.34.166) [AS3356]  21 ms  21 ms  21 ms
11  border6.ge4-1-bbnet2.chg.pnap.net (64.94.32.75) [AS19024]  51 ms  21 ms  21 ms
12  fcp1.chg.pnap.net (64.94.45.96) [AS19024]  21 ms  21 ms  21 ms
13  * * *
14  * * *

What's up with that? Very, very odd...

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg@netzero.net or fergdawg@sbcglobal.net
ferg's tech blog: http://fergdawg.blogspot.com/

-- "Fergie (Paul Ferguson)" <fergdawg@netzero.net> wrote:

..and a traceroute from MIT:

Tracing to: 208.42.224.238
 1  legacy26-0.default.csail.mit.edu (18.26.0.1) [AS3]  0 ms  0 ms  0 ms
 2  kalgan.trantor.csail.mit.edu (128.30.0.245) [AS40]  0 ms  0 ms  0 ms
 3  B24-RTR-2-CSAIL.MIT.EDU (18.4.7.1) [AS3]  0 ms  9 ms  1 ms
 4  EXTERNAL-RTR-2-BACKBONE.MIT.EDU (18.168.0.27) [AS3]  68 ms  108 ms  9 ms
 5  EXTERNAL-RTR-1-BACKBONE.MIT.EDU (18.168.0.18) [AS3]  1 ms  1 ms  1 ms
 6  ge-6-23.car2.Boston1.Level3.net (4.79.2.1) [AS3356]  1 ms  1 ms  1 ms
 7  ae-1-53.mp1.Boston1.Level3.net (4.68.100.65) [AS3356]  1 ms  1 ms  1 ms
 8  as-0-0.bbr2.Denver1.Level3.net (64.159.4.226) [AS3356]  43 ms  ae-0-0.bbr1.Denver1.Level3.net (64.159.1.113) [AS3356]  43 ms  as-0-0.bbr2.Denver1.Level3.net (64.159.4.226) [AS3356]  43 ms
 9  so-6-0.hsa1.Denver1.Level3.net (4.68.112.154) [AS3356]  44 ms  43 ms  4.68.113.54 (4.68.113.54) [AS3356]  43 ms
10  4.79.80.14 (4.79.80.14) [AS3356]  44 ms  44 ms  44 ms
11  core-b.v33.ge-4-5.Level3.edge3.data393.net (208.42.224.117) [AS29863]  44 ms  44 ms  44 ms
    * * *
    * * *

- ferg

-- "Fergie (Paul Ferguson)" <fergdawg@netzero.net> wrote:

WHOIS info leaves me with everything EXCEPT the warm and fuzzies:

OrgName:    Data393 Inc.
OrgID:      DATA3
Address:    393 Inverness Parkway
City:       Englewood
StateProv:  CO
PostalCode: 80112-5855
Country:    US

NetRange:   208.42.224.0 - 208.42.255.255
CIDR:       208.42.224.0/19
NetName:    D393-DC-INVERNESS1
NetHandle:  NET-208-42-224-0-1
Parent:     NET-208-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.DATA393.NET
NameServer: NS2.DATA393.NET
Comment:
RegDate:    2004-01-28
Updated:    2004-04-21

AbuseHandle: IPADM77-ARIN
AbuseName:   IP Administration
AbusePhone:  +1-303-268-1500
AbuseEmail:

NOCHandle: IPADM77-ARIN
NOCName:   IP Administration
NOCPhone:  +1-303-268-1500
NOCEmail:  ip-addr@data393.net

TechHandle: IPADM77-ARIN
TechName:   IP Administration
TechPhone:  +1-303-268-1500
TechEmail:  ip-addr@data393.net

OrgTechHandle: IPADM77-ARIN
OrgTechName:   IP Administration
OrgTechPhone:  +1-303-268-1500
OrgTechEmail:  ip-addr@data393.net

# ARIN WHOIS database, last updated 2005-08-10 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

- ferg

-- "Fergie (Paul Ferguson)" <fergdawg@netzero.net> wrote:

I fired this e-mail off before I dug into it deeper... Duh. Late night, beer, etc.

The reverse lookup on the source address reveals:

208.42.224.238: performance-check-via-SAVVIS.THIS-IS_HARMLESS-It_is_a_Traceroute_or_Ping_packet.BGP-route-control.data393.net

Now, the next question is why they're picking my home SBC DSL host address (which I NAT out of) for this exercise...

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg@netzero.net or fergdawg@sbcglobal.net
ferg's tech blog: http://fergdawg.blogspot.com/
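The destination ports in the thread (33436, 33437, 33438) sit in the range that classic UNIX traceroute uses for its UDP probes, which start at 33434 and step upward per hop and per probe. Below is an added example, not code from Ferguson's post or from Internap or Data393, that picks such probes out of firewall log lines and groups them by source so the next step (reverse DNS and whois on the source, as done in the thread) can be run against a short list. The field order (date, time, tz, record id, count, src, sport, dst, dport, proto) is assumed from the single log line quoted above; the sample log lines are constructed.

```python
"""Flag classic UDP traceroute probes in firewall log lines (added example)."""
import re
from collections import defaultdict

# Classic traceroute (Van Jacobson) sends UDP datagrams to 33434 + n for
# successive hops and probes; 33434..33534 is the range conventionally
# treated as "traceroute" by firewalls and IDS signatures.
TRACEROUTE_BASE = 33434
TRACEROUTE_MAX = 33534

# Field order is an assumption taken from the one line quoted in the thread:
# date time tz record-id count src sport dst dport proto
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{2}:\d{2}) "
    r"(?P<id>\d+) (?P<count>\d+) (?P<src>[\d.]+) (?P<sport>\d+) "
    r"(?P<dst>[\d.x]+) (?P<dport>\d+) (?P<proto>[a-z]+)$"
)

# Constructed sample: the real line from the thread plus invented neighbours
# (the 192.0.2.0/24 sources are documentation addresses, not real hosts).
SAMPLE_LOG = """\
2005-08-10 21:21:48 -05:00 87744681 1 64.94.45.10 14484 67.64.90.x 33436 udp
2005-08-10 21:21:50 -05:00 87744682 1 64.94.45.10 14485 67.64.90.x 33437 udp
2005-08-10 21:21:52 -05:00 87744683 1 64.94.45.10 14486 67.64.90.x 33438 udp
2005-08-10 21:30:01 -05:00 87744690 1 208.42.224.238 50001 67.64.90.x 33435 udp
2005-08-10 21:31:15 -05:00 87744691 1 192.0.2.7 40000 67.64.90.x 1434 udp
2005-08-10 21:32:00 -05:00 87744692 1 192.0.2.8 40001 67.64.90.x 33500 tcp
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("id", "count", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def is_traceroute_probe(rec):
    """True for UDP datagrams aimed at the classic traceroute port range.

    TCP to the same ports is not a traceroute probe in this sense, and UDP to
    other ports (e.g. 1434) is something else entirely, so both are excluded.
    """
    return rec["proto"] == "udp" and TRACEROUTE_BASE <= rec["dport"] <= TRACEROUTE_MAX


def summarize_probes(log_text):
    """Map each probing source address to the sorted list of ports it hit."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_traceroute_probe(rec):
            hits[rec["src"]].add(rec["dport"])
    return {src: sorted(ports) for src, ports in hits.items()}


if __name__ == "__main__":
    for src, ports in summarize_probes(SAMPLE_LOG).items():
        print(f"{src}: UDP traceroute probes to {ports[0]}-{ports[-1]} "
              f"({len(ports)} distinct ports); next: host {src}; whois {src}")
```

A PTR record such as the Data393 one in the thread is set by whoever controls the address block, so a name that announces itself as harmless is a hint about who owns the probe, not proof of what it is; the port pattern, the whois contact and the operator's own explanation together are what settled the question here.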