Re: MASSIVE ssh attack attempt

[brendan () AUSTCO COM AU (Brendan Grieve)]

<Snip>
> > interesting traceroute of 210.134.59.39
> >
> >
> >
> > 17  Sendai1.IIJ.Net (202.232.3.2)  349.523 ms  359.412 ms  340.129 ms
> > 18  yamabikogw.iij.net (210.130.153.70)  567.680 ms  559.349 ms  559.639
ms
> > 19  sendai1.iij.net (210.130.153.69)  570.052 ms  599.384 ms  610.118 ms
> > 20  yamabikogw.iij.net (210.130.153.70)  858.527 ms  789.406 ms  799.505
ms
> > seems to bounce back and forth
> >
> > and again for 124.64.2.61
> >
> >  5  fe-0-0.core3.cvg1.one.net (216.23.31.3)  109.816 ms  109.456 ms
110.571 ms
> >  6  cvx1800-1.cvg1.one.net (207.78.244.150)  118.531 ms  119.431 ms
119.569 ms
> >  7  fe-0-1.core3.cvg1.one.net (207.78.244.1)  130.067 ms  119.407 ms
109.601 ms
> >  8  cvx1800-1.cvg1.one.net (207.78.244.150)  119.541 ms  130.000 ms
128.536 ms
> >  9  fe-0-1.core3.cvg1.one.net (207.78.244.1)  129.589 ms  169.247 ms
130.184 ms
> > (one net is my isp from which i am tracerouting and those are routers)

<Snip>

Actually, quite explainable. Quite a few ISP's I've noticed use this
technique on their Static Dial-up lines. Essentially you "buy" a permanent
dial up connection, and get a static IP. However, when you lose connection,
the router reconfigures to deliberately have a loop so that any packets are
quickly killed (Why I have not figured out). All thats happening is that at
the time you're doing a traceroute, the connection to these accounts are not
established. I'm not sure if ISP's do the same to their dynamic dial ups (I
assume so)

Cheers
Brendan