Abusive traffic from Microsoft China?

Just wondering if anyone else is seeing huge random floods of traffic from:
inetnum: 202.96.51.128 - 202.96.51.255
netname: MICROSOFT-CO
descr: Microsft (China) Co.Ltd
country: CN
admin-c: CH455-AP
tech-c: SY21-AP
mnt-by: MAINT-CNCGROUP-BJ
changed: suny@publicf.bta.net.cn 20060926
status: ALLOCATED NON-PORTABLE
source: APNIC
changed: suny@publicf.bta.net.cn 20060926
On a nearly daily basis we see them randomly open thousands of connections from a variety of addresses in that block to multiple servers. I've emailed of course but that results in nothing. Probably will just end up blocking them.
Thanks,
David

Looks fishy. Why would a company the size of Microsoft register a single /25? I doubt MS really owns that block. Sounds more like a hacker playground to me.
Chuck
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of David Hubbard
Sent: Thursday, November 08, 2007 12:23 PM
To: nanog@merit.edu
Subject: Abusive traffic from Microsoft China?
Just wondering if anyone else is seeing huge random floods of traffic from:
inetnum: 202.96.51.128 - 202.96.51.255
netname: MICROSOFT-CO
descr: Microsft (China) Co.Ltd
country: CN
admin-c: CH455-AP
tech-c: SY21-AP
mnt-by: MAINT-CNCGROUP-BJ
changed: suny@publicf.bta.net.cn 20060926
status: ALLOCATED NON-PORTABLE
source: APNIC
changed: suny@publicf.bta.net.cn 20060926
On a nearly daily basis we see them randomly open thousands of connections from a variety of addresses in that block to multiple servers. I've emailed of course but that results in nothing. Probably will just end up blocking them.
Thanks,
David

On 11/8/07, Church, Charles <cchurc05@harris.com> wrote:
> Looks fishy. Why would a company the size of Microsoft register a single /25? I doubt MS really owns that block. Sounds more like a
They have a small office there serviced by a dsl link to the local telco (CNCGroup)... This happens all the time.
> hacker playground to me.
maybe, probably not though.
> Chuck
> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of David Hubbard
> Sent: Thursday, November 08, 2007 12:23 PM
> To: nanog@merit.edu
> Subject: Abusive traffic from Microsoft China?
> Just wondering if anyone else is seeing huge random floods of traffic from:
> inetnum: 202.96.51.128 - 202.96.51.255
> netname: MICROSOFT-CO
> descr: Microsft (China) Co.Ltd
> country: CN
> admin-c: CH455-AP
> tech-c: SY21-AP
> mnt-by: MAINT-CNCGROUP-BJ
> changed: suny@publicf.bta.net.cn 20060926
> status: ALLOCATED NON-PORTABLE
> source: APNIC
> changed: suny@publicf.bta.net.cn 20060926
> On a nearly daily basis we see them randomly open thousands of connections from a variety of addresses in that block to multiple servers. I've emailed of course but that results in nothing. Probably will just end up blocking them.
> Thanks,
> David

Yeah.. I would nmap it, see what's there and check for web sites etc. Also check revdns/fwddns for the address space and see if they match and have microsoft registered domains.
--
Leigh
Church, Charles wrote:
> Looks fishy. Why would a company the size of Microsoft register a single /25? I doubt MS really owns that block. Sounds more like a hacker playground to me.
> Chuck
> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of David Hubbard
> Sent: Thursday, November 08, 2007 12:23 PM
> To: nanog@merit.edu
> Subject: Abusive traffic from Microsoft China?
> Just wondering if anyone else is seeing huge random floods of traffic from:
> inetnum: 202.96.51.128 - 202.96.51.255
> netname: MICROSOFT-CO
> descr: Microsft (China) Co.Ltd
> country: CN
> admin-c: CH455-AP
> tech-c: SY21-AP
> mnt-by: MAINT-CNCGROUP-BJ
> changed: suny@publicf.bta.net.cn 20060926
> status: ALLOCATED NON-PORTABLE
> source: APNIC
> changed: suny@publicf.bta.net.cn 20060926
> On a nearly daily basis we see them randomly open thousands of connections from a variety of addresses in that block to multiple servers. I've emailed of course but that results in nothing. Probably will just end up blocking them.
> Thanks,
> David
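
Added example, not part of the original thread: the reverse/forward DNS comparison suggested in the message above, written as a forward-confirmed reverse DNS check over the whois range. The `.example` hostnames, the `search.example` suffix and the sample records are constructed assumptions; with the default resolvers it queries the system DNS instead.

```python
import ipaddress
import socket

def whois_range_to_networks(inetnum):
    """Convert a whois 'first - last' inetnum value into CIDR networks."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(first, last))

def system_ptr(ip):
    """Reverse lookup through the system resolver."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:
        return []

def system_forward(name):
    """Forward lookup through the system resolver."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def fcrdns(ip, expected_suffixes, ptr=system_ptr, forward=system_forward):
    """Return (verdict, name) for one address."""
    names = [n.rstrip(".").lower() for n in ptr(ip)]
    if not names:
        return "no-ptr", None
    for name in names:
        if ip in forward(name):  # forward record points back at the same address
            known = any(name == s or name.endswith("." + s) for s in expected_suffixes)
            return ("confirmed-expected" if known else "confirmed-other"), name
    # A PTR alone proves nothing: whoever runs the reverse zone can set any name.
    return "mismatch", names[0]

# Constructed records for illustration; every hostname here is hypothetical.
SAMPLE_PTR = {"202.96.51.130": ["crawl-130.search.example."],
              "202.96.51.131": ["crawl-131.search.example."],
              "202.96.51.132": ["host132.dsl.example."]}
SAMPLE_A = {"crawl-130.search.example": ["202.96.51.130"],
            "crawl-131.search.example": ["198.51.100.7"],
            "host132.dsl.example": ["202.96.51.132"]}

def check_sample():
    """Run the check offline against the constructed records above."""
    ptr = lambda ip: SAMPLE_PTR.get(ip, [])
    fwd = lambda name: SAMPLE_A.get(name, [])
    ips = ["202.96.51.130", "202.96.51.131", "202.96.51.132", "202.96.51.133"]
    return {ip: fcrdns(ip, ["search.example"], ptr, fwd)[0] for ip in ips}

if __name__ == "__main__":
    print(whois_range_to_networks("202.96.51.128 - 202.96.51.255"))
    for ip, verdict in check_sample().items():
        print(ip, verdict)
```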

> Looks fishy. Why would a company the size of Microsoft register a single /25? I doubt MS really owns that block.
especially since I think MS knows how to spell its own name:
descr: Microsft (China) Co.Ltd
--
Dave Pooser, ACSA
Manager of Information Services
Alford Media
http://www.alfordmedia.com

I am seeing what I can find out about this block.
Thanks,
Christian
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Dave Pooser
Sent: Thursday, November 08, 2007 9:59 AM
To: nanog@merit.edu
Subject: Re: Abusive traffic from Microsoft China?
> Looks fishy. Why would a company the size of Microsoft register a single /25? I doubt MS really owns that block.
especially since I think MS knows how to spell its own name:
descr: Microsft (China) Co.Ltd
--
Dave Pooser, ACSA
Manager of Information Services
Alford Media
http://www.alfordmedia.com

On 11/8/07, Dave Pooser <dave.nanog@alfordmedia.com> wrote:
> > Looks fishy. Why would a company the size of Microsoft register a single /25? I doubt MS really owns that block.
> especially since I think MS knows how to spell its own name:
> descr: Microsft (China) Co.Ltd
the provider (CNC group) does all of this, MS/the-customer-in-question doesn't touch this...(sure they can complain 'you spelled me wrong', but)

What are you seeing? port 80 traffic? port 25? thousands of random connections sounds like web indexing to me.
-Dan
On Thu, 8 Nov 2007, David Hubbard wrote:
> Just wondering if anyone else is seeing huge random floods of traffic from:
> inetnum: 202.96.51.128 - 202.96.51.255
> netname: MICROSOFT-CO
> descr: Microsft (China) Co.Ltd
> country: CN
> admin-c: CH455-AP
> tech-c: SY21-AP
> mnt-by: MAINT-CNCGROUP-BJ
> changed: suny@publicf.bta.net.cn 20060926
> status: ALLOCATED NON-PORTABLE
> source: APNIC
> changed: suny@publicf.bta.net.cn 20060926
> On a nearly daily basis we see them randomly open thousands of connections from a variety of addresses in that block to multiple servers. I've emailed of course but that results in nothing. Probably will just end up blocking them.
> Thanks,
> David
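
Added example, not part of the original thread: one way to answer the question above from connection logs before deciding to block, by counting destination ports, distinct sources and targets, and busy minutes for traffic from the /25. The log layout, the sample lines and the burst threshold of 3 are constructed assumptions sized for the sample.

```python
import ipaddress
import re
from collections import Counter

BLOCK = ipaddress.ip_network("202.96.51.128/25")  # the inetnum range quoted in the thread

# Hypothetical log layout: "<ISO time> SRC=<ip> DST=<ip> DPT=<port>"
LINE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+)$")

def summarize(lines, block=BLOCK, burst_threshold=3):
    """Profile connections whose source address falls inside `block`."""
    ports, per_minute = Counter(), Counter()
    sources, targets = set(), set()
    for line in lines:
        match = LINE.match(line.strip())
        if not match:
            continue  # not a connection record
        stamp, src, dst, dpt = match.groups()
        try:
            if ipaddress.ip_address(src) not in block:
                continue
        except ValueError:
            continue  # malformed source field
        ports[int(dpt)] += 1
        sources.add(src)
        targets.add(dst)
        per_minute[stamp[:16]] += 1  # bucket by YYYY-MM-DDTHH:MM
    bursts = sorted(minute for minute, n in per_minute.items() if n >= burst_threshold)
    return {"ports": dict(ports), "sources": len(sources),
            "targets": len(targets), "bursts": bursts}

# Constructed sample lines; destinations use documentation addresses.
SAMPLE = """\
2007-11-08T12:01:03 SRC=202.96.51.140 DST=192.0.2.10 DPT=80
2007-11-08T12:01:04 SRC=202.96.51.141 DST=192.0.2.11 DPT=80
2007-11-08T12:01:09 SRC=202.96.51.200 DST=192.0.2.12 DPT=80
2007-11-08T12:01:30 SRC=202.96.51.140 DST=192.0.2.10 DPT=25
2007-11-08T12:02:10 SRC=202.96.51.127 DST=192.0.2.10 DPT=80
2007-11-08T12:05:44 SRC=202.96.51.255 DST=192.0.2.11 DPT=80
2007-11-08T12:06:00 SRC=not-an-ip DST=192.0.2.11 DPT=80
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A profile dominated by port 80 across many targets fits the indexing explanation; pairing it with the user agents in the web server logs would confirm or rule it out.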

participants (8)
- Christian Nielsen
- Christopher Morrow
- Christopher Morrow
- Church, Charles
- Dave Pooser
- David Hubbard
- goemon@anime.net
- Leigh Porter