Security Incidents mailing list archives
Re: [Fwd: Taiwan again?]
From: changshu <changshu () MAIL MOE GOV TW>
Date: Mon, 21 Aug 2000 16:22:06 +0800
Hi:

I am one of the administrators of TANet. The IP address of 134.208.251.254 is a Cisco router, and 203.72.38.100 is another router. From the log in the router of 134.208.251.254, there is nothing strange. Please check it again.

Thanks.

Jann-Perng Tseng wrote:
------------------------------------------------------------------------
Subject: Taiwan again?
Date: Sun, 20 Aug 2000 13:10:06 -0400 (EDT)
From: Donald McLachlan <don () mainframe dgrc crc ca>
To: incidents () securityfocus com
CC: sanger () moers4 edu tw, tanetadm () MOE EDU TW, tseng () mail moe gov tw

Between 2:47 and 3:39 (GMT -0400) we received 232 of these:

02:47:58.314993 134.208.251.254 > AAA.AA.AAA.27: icmp: host AAA.AA.AAA.63 unreachable - admin prohibited filter (ttl 235, id 44814)
    4500 0038 af0e 0000 eb01 596f 86d0 fbfe
    XXXX XX1b 030d 0765 0000 0000 4500 0060
    0000 0000 7c11 b579 XXXX XX1b XXXX XX3f
    0089 0089 004c

OK, it is Taiwan again, but what's the point? Maybe a DoS against 134.208.251.254?

1) XXX.XX.XXX.27 is an unused address, so no stimulus packet came from there. If there was a stimulus packet, it was spoofed.

2) XXX.XX.XXX.63 is also an unused address.

3) When trying to ping/telnet/traceroute to 134.208.251.254 I get:

12:12:02.301678 203.72.38.100 > XXX.XX.XXX.223: icmp: host 134.208.251.254 unreachable (ttl 233, id 0)

TTL does not match. Either the source address of the unreachable message has been spoofed, or routing has changed slightly.

4) Who are they anyway?

134.208.251.254 = SEEDNet-TANet.edu.tw
203.72.38.100 does not have a reverse DNS entry.

5) 'dig -x soa' reveals that both addresses have the same SOA.

;; AUTHORITY RECORDS:
38.72.203.in-addr.arpa. 7921 SOA moevax.edu.tw. sanger.moers4.edu.tw. (
-----
;; AUTHORITY RECORDS:
208.134.in-addr.arpa. 172800 SOA moevax.edu.tw. sanger.moers4.edu.tw. (

6) Arin (arin/apnic) for both addresses reveals:

arin 134.208.251.254
Ministry of Education Computer Center (NET-ACANET-TWN)
   12th Fl, 106, Hoping E. Road, Sec 2.
   Taiwan Republic of China, R.O.C TW

   Netname: ACANET-TWN
   Netblock: 134.208.0.0 - 134.208.255.255

   Coordinator:
      TANet, Administrator  (AT122-ARIN)  tanetadm () MOE EDU TW
      886-2-27377010

   Domain System inverse mapping provided by:
      MOEVAX.EDU.TW   140.111.1.2
      MOESUN.EDU.TW   140.111.1.20

   Record last updated on 14-Apr-1999.
   Database last updated on 18-Aug-2000 17:55:21 EDT.

The ARIN Registration Services Host contains ONLY Internet Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related Information and whois.nic.mil for NIPRNET Information.
-----
obelix don> arin 203.72.38.100
Asia Pacific Network Information Center (APNIC2)

so ...

apnic 203.72.38.100
% Rights restricted by copyright. See http://www.apnic.net/db/dbcopyright.html
[ snip ]
inetnum:      203.72.38.0 - 203.72.38.255
netname:      T-NCTU.EDU-NET
descr:        CHIAO TUNG UNIVERSITY
descr:        1001, TA HSUEH RD.,
descr:        HEINCHU Taiwan
country:      TW
admin-c:      TCL5-TW
tech-c:       TCL5-TW
remarks:      This information has been partially mirrored by APNIC from
remarks:      TWNIC. To obtain more specific information, please use the
remarks:      TWNIC whois server at whois.twnic.net.
mnt-by:       TWNIC-AP
changed:      tseng () mail moe gov tw 19991005
source:       TWNIC
[ snip ]

7) Just to see what it says (LOL):

/usr/ucb/whois -h whois.twnic.net 203.72.38.100
whois: connect: Connection refused

I've Cc'ed this message to tseng () mail moe gov tw, tanetadm () MOE EDU TW, and sanger () moers4 edu tw. Let's see what they have to say about this.
--
-------
教育部電算中心 (Ministry of Education Computer Center)  李長樹  (02)2737-7010 # 297
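The hex dump quoted in the forwarded report is enough to see which packet the router claims to have filtered, because an ICMP destination-unreachable message carries the original IP header plus the first 8 bytes of its payload. The following is an added Python example, not part of the original thread. It substitutes the documentation prefix 192.0.2 for the octets that were masked as XXXX XX (a constructed substitution, so the original checksums cannot be verified) and decodes the outer IPv4 header, the ICMP header and the quoted stimulus header. The decoded stimulus, a UDP datagram from .27 port 137 to .63 port 137, is what lets a defender check the report's point 1 against the bytes: both addresses are unused on their network, so that datagram did not originate there.

```python
import struct
from ipaddress import IPv4Address

# Hex dump quoted in the report. The masked octets ("XXXX XX") are replaced
# here with the documentation prefix 192.0.2 (a constructed substitution, not
# the addresses in the original capture).
ICMP_UNREACHABLE_HEX = (
    "4500 0038 af0e 0000 eb01 596f 86d0 fbfe c000 021b "
    "030d 0765 0000 0000 "
    "4500 0060 0000 0000 7c11 b579 c000 021b c000 023f "
    "0089 0089 004c"
)

ICMP_UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                      3: "port unreachable", 13: "admin prohibited filter"}
IP_PROTOS = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_ipv4_header(buf: bytes, offset: int) -> dict:
    """Decode the fixed 20-byte part of the IPv4 header starting at offset."""
    vihl, _tos, total_len, ident, _frag, ttl, proto, _cksum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", buf, offset)
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return {
        "ihl": (vihl & 0x0F) * 4,   # header length in bytes (options included)
        "total_len": total_len,
        "id": ident,
        "ttl": ttl,
        "proto": proto,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
    }


def decode_icmp_unreachable(hex_dump: str) -> dict:
    """Decode an ICMP destination-unreachable datagram and the original
    (stimulus) packet it quotes. The quoted part is what shows whether the
    traffic is backscatter from packets forged with the receiver's addresses."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    outer = parse_ipv4_header(raw, 0)
    if outer["proto"] != 1:
        raise ValueError("outer datagram is not ICMP")
    off = outer["ihl"]
    icmp_type, icmp_code, _icmp_cksum = struct.unpack_from("!BBH", raw, off)
    if icmp_type != 3:
        raise ValueError(f"ICMP type {icmp_type} is not destination unreachable")
    off += 8  # type, code, checksum and 4 unused bytes
    # RFC 792: quoted original IP header plus the first 8 bytes of its payload.
    inner = parse_ipv4_header(raw, off)
    off += inner["ihl"]
    quoted = raw[off:off + 8]
    ports = {}
    if inner["proto"] in (6, 17) and len(quoted) >= 4:
        sport, dport = struct.unpack_from("!HH", quoted, 0)
        ports = {"sport": sport, "dport": dport}
    return {
        "outer": outer,
        "icmp": {"type": icmp_type, "code": icmp_code,
                 "code_name": ICMP_UNREACH_CODES.get(icmp_code, "unknown")},
        "inner": inner,
        "inner_proto_name": IP_PROTOS.get(inner["proto"], str(inner["proto"])),
        "ports": ports,
        # The outer total length says 56 bytes but the dump holds 54: tcpdump
        # cut the tail (the UDP checksum), which is why only 6 payload bytes show.
        "truncated_by": outer["total_len"] - len(raw),
    }


def summarize(decoded: dict) -> str:
    """One-line reading of the decoded message for an incident note."""
    o, i, p = decoded["outer"], decoded["inner"], decoded["ports"]
    stim = (f"{i['src']}:{p.get('sport', '?')} -> {i['dst']}:{p.get('dport', '?')}"
            f"/{decoded['inner_proto_name']}")
    return (f"{o['src']} reports '{decoded['icmp']['code_name']}' "
            f"(ttl {o['ttl']}, id {o['id']}) for quoted packet {stim}, ttl {i['ttl']}")


if __name__ == "__main__":
    print(summarize(decode_icmp_unreachable(ICMP_UNREACHABLE_HEX)))
```

The outer id (44814) and TTL (235) decoded from the bytes match the tcpdump summary line in the report, which is a quick sanity check that the dump was transcribed intact; the quoted header's total length (96) equals the quoted UDP length (76) plus a 20-byte header, so the stimulus packet is internally consistent as well.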