Security Incidents mailing list archives
Re: Unwanted DNS connection attempts
From: Richard Bejtlich <bejtlich () ALTAVISTA NET>
Date: Wed, 6 Sep 2000 13:40:48 -0000
AJ,

Just to clarify -- Alex wrote the initial post, and I made the first reply. Thanks for doing the IP resolution legwork. Now that we know Starmedia is involved, I know for a fact that this is load balancing. I dealt with this company personally last year regarding the same sort of traffic, then from New Jersey and Brazil. Exodus is Starmedia's service provider. I can dig up the emails from Starmedia's tech support if needed.

Alex's .ro address is not necessarily relevant as the destination, as a person connecting to a Starmedia server could be located anywhere with similar results.

Richard

Alex, I beg to differ on your last sentence. Richard's email addy was .ro, which matches with the destination IP of 192.129.3.227.

The first IP listed above, 200.211.187.194, ARINs to a co. in São Paulo, Brazil. The second IP, 209.67.42.162, is indeed under Exodus, but "belongs" to a company in New York called "Starmedia".

I wouldn't blame Exodus for this. Not entirely at least. From what I recall of glancing around in the 2 Exodus centers I've been in, I don't recall seeing any F5 hardware. Others in that block follow suit.

-aj.