Re: *scream* Cannot contact AT&T WorldNet NOC
If you don't directly connect or peer with them, have you tried going through your upstream provider to get a trouble ticket referral for their NOC? AT&T has been very good about providing the secret code-word and telephone number to their direct inter-connects and peers in the past.
Does *anyone* have a contact number for someone that does not keep asking me if I'm running a Windows machine? Every number I have for them connects me to some moron that has no clue when I say "It appears that someone from your network is attempting to flood our network". Asking to be connected to Security gets me an e-mail address, and asking for a supervisor gets me "He's not available". Whois on att.net gets me a voice mailbox saying that they are closed on the weekends.

--
Sean Donelan, Data Research Associates, Inc, St. Louis, MO
Affiliation given for identification not representation
On Sun, Sep 28, 1997 at 05:34:09PM -0500, Sean Donelan wrote:
If you don't directly connect or peer with them, have you tried going through your upstream provider to get a trouble ticket referral for their NOC? AT&T has been very good about providing the secret code-word and telephone number to their direct inter-connects and peers in the past.
SprintLink is our upstream. After three hours they called back and said that I "have to contact the Computer Crimes Division of the FBI". Since the attempts stopped hours ago, I'm just going to pay close attention to my logs and follow up if it happens again.

Someone apparently from a WorldNet dial-up account, calling in via New Orleans and Dallas, was sending large numbers of TCP connections to port 1080. That's of course the default Socks port. We don't run socks. Never have. The connection attempts were blocked and logged.

The reasons could be:

1) stupid user entered in the wrong address for a socks proxy
2) Denial of Service attack

If it were #1, then why would it be coming from two different cities and why sooooo many connections? If it was #2, why am I not seeing more connections and why TCP? It seems to me that it's kinda pointless to spoof the source address on a TCP connection unless you are *very* clever. Why only port 1080?

--Eric

--
Eric Wieling (eric@ccti.net), Corporate Communications Technology
Sales: 504-585-7303 (sales@ccti.net), Support: 504-525-5449 (support@ccti.net)
I don't bother to set my alarm clock anymore. Someone always pages me before I need to wake up anyway.
Eric Wieling writes...
Someone apparently from a WorldNet dial-up account, calling in via New Orleans and Dallas, was sending large numbers of TCP connections to port 1080. That's of course the default Socks port. We don't run socks. Never have. The connection attempts were blocked and logged.
The reasons could be:
1) stupid user entered in the wrong address for a socks proxy
2) Denial of Service attack

If it were #1, then why would it be coming from two different cities and why sooooo many connections? If it was #2, why am I not seeing more connections and why TCP? It seems to me that it's kinda pointless to spoof the source address on a TCP connection unless you are *very* clever. Why only port 1080?
I've seen this scenario in the past, though in reverse (in other words, from the "attacker" side). Here's how it went.

Company X uses a proxy server for web access, which defaults to 1080. They configured all their Netscape browsers to use the proxy server. Apparently, one of the employees took home a copy of Netscape with the configuration intact. It continued to work because the proxy server also answered requests from outside the company X network.

This employee further duplicated that configured copy of Netscape and passed it around to other people. Eventually a copy made it to company Z, where I once worked. Company Z did not use a proxy server, and did allow outbound access to any port on the Internet. So these copies of Netscape continued to work, using company X's proxy server.

Eventually company X discovered their proxy server was being "attacked" or otherwise heavily loaded from the Internet. They either shut it down or made it unreachable from the outside, or it just plain crashed.

I was called in to diagnose why several stations could no longer reach any web sites. I discovered this misconfiguration. Noting the pattern involved, the possibility of a like scenario repeating, and the risks that could also be involved, I set the firewall to block outgoing connects to port 1080 anywhere on the Internet. That actually "broke" quite a number of copies of Netscape, and had to result in a total in-house clean-up of all browsers.

Eric, what you are seeing _might_ be as innocent as that. I don't know how hard the browsers keep trying to connect when the connection is refused or not completed, but it is worth adding to the list of scenarios so you know what you might be dealing with if it does happen to be the case.

And good luck with contacting AT&T. I'm going to be putting some thought into the issue of how to implement and deploy a universal operations contact list that can be restricted to the operational staff of ISPs and major businesses on the Internet. This is something most everyone will want to have, with a restricted access list.
> I don't bother to set my alarm clock anymore. Someone always pages me before I need to wake up anyway.

boss: Why didn't you come into work yesterday?
answer: No one paged me. Was I needed?

--
Phil Howard, KA9WGN, phil at milepost.com
House committee changes freedom bill to privacy invasion !!
more info: http://www.news.com/News/Item/0,4,14180,00.html
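Eric's blocked-and-logged attempts can be triaged along the lines of Phil's two scenarios by looking at how each source spaces its connections: a browser pointed at a dead proxy retries at a steady interval, while a flood or scan piles many connections into the same second. This is an added example, not code from the thread; the log line format, the addresses and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed deny-log sample in a hypothetical "fw deny" format (not from the thread):
# one host retrying port 1080 every 30 s, another opening 25 connections in one second,
# and one unrelated deny on port 25 that must be ignored.
SAMPLE_LOG = "\n".join(
    [f"Sep 28 14:0{i // 2 + 1}:{'02' if i % 2 == 0 else '32'} fw deny tcp "
     f"192.0.2.10:{1000 + i} -> 198.51.100.5:1080" for i in range(5)]
    + [f"Sep 28 14:05:00 fw deny tcp 203.0.113.7:{2000 + i} -> 198.51.100.5:1080"
       for i in range(25)]
    + ["Sep 28 14:06:10 fw deny tcp 203.0.113.9:4010 -> 198.51.100.5:25"]
)

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) fw deny tcp (\S+):\d+ -> (\S+):(\d+)$")


def parse_denies(text, dst_port=1080):
    """Return {src_ip: [timestamps]} for blocked TCP attempts to dst_port only."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group(4)) == dst_port:
            hits[m.group(2)].append(datetime.strptime(m.group(1), "%b %d %H:%M:%S"))
    return hits


def classify(times, burst_threshold=20):
    """Label one source by volume and spacing of its attempts (thresholds are assumptions)."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return "single attempt"
    # Attempts in the busiest 60-second window, measured from each attempt.
    peak = max(sum(1 for t in times if 0 <= (t - start).total_seconds() < 60) for start in times)
    if peak >= burst_threshold:
        return "burst: many connections per minute, scan or flood pattern"
    if median(gaps) >= 10:
        return "periodic retries: looks like a client configured to use us as a SOCKS proxy"
    return "low volume"


def report(text, dst_port=1080):
    """Map each source to (attempt count, label) for the given destination port."""
    return {src: (len(ts), classify(ts)) for src, ts in parse_denies(text, dst_port).items()}


if __name__ == "__main__":
    for src, (n, label) in report(SAMPLE_LOG).items():
        print(f"{src}: {n} attempts, {label}")
```

Run against real logs, the periodic-retry sources are the ones worth contacting about a stale proxy setting; the burst sources are the ones that justify a trouble ticket with the upstream.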
Track down the people that were doing this and you'll probably find people from a company that's using your address range on an internal network and using SOCKS. My guess is that it's coming from users that are taking their laptops home or on the road. Not that I've ever made that mistake myself... :)

-Geoff

At 09:24 AM 9/29/97 -0500, Phil Howard wrote:
Company X uses a proxy server for web access, which defaults to 1080. They configured all their Netscape browsers to use the proxy server. Apparently, one of the employees took home a copy of Netscape with the configuration intact. It continued to work because the proxy server also answered requests from outside the company X network.
This employee further duplicated that configured copy of Netscape and passed it around to other people. Eventually a copy made it to company Z where I once worked. Company Z did not use a proxy server, and did allow outbound access to any port on the Internet. So these copies of Netscape continued to work, using company X's proxy server.
Eventually company X discovered their proxy server was being "attacked" or otherwise heavily loaded from the Internet. They either shut it down or made it unreachable from the outside, or it just plain crashed.

====================================================================
Geoff Lisk, Senior Network Engineer
Advanced Micro Devices, 1 AMD Place, Sunnyvale CA 94088
Voice: (408)749-4597  Fax: (408)774-7358
====================================================================
On Tue, Sep 30, 1997 at 09:33:39PM -0700, Geoff Lisk wrote:
Track down the people that were doing this and you'll probably find people from a company that's using your address range on an internal network and using SOCKS. My guess is that it's coming from users that are taking their laptops home or on the road. Not that I've ever made that mistake myself... :)
I suspect that you are right. They appear to have stopped. However, since I failed to find any way of notifying them, next time it happens they will have a copy of /bsd shoved back down the connection. It isn't exactly nice, but I'm sure that they will actually notice that something is actually wrong.

--Eric

--
Eric Wieling (eric@ccti.net), Corporate Communications Technology
Sales: 504-585-7303 (sales@ccti.net), Support: 504-525-5449 (support@ccti.net)
I don't bother to set my alarm clock anymore. Someone always pages me before I need to wake up anyway.