Security Incidents mailing list archives
Re: New DNS connection with SYN ACK
From: John Hall <j.hall () f5 com>
Date: Mon, 14 Jan 2002 18:02:58 -0800
I can guarantee this is not a F5 Networks box. We've spent significant effort both making our probes innocuous as well as educating our customers to be very conservative when sending probes. Also, our probes would have a unique signature in the packet's ID field that these packet dumps do not show. I'm sorry that I can't identify the product creating these packets. I've attached some detailed whois records on the addresses you recorded. Many of them seem to be tied to various content delivery networks, so the theory that they are RTT measurements used to monitor/optimize global load balancing solutions is probably the right one. Some of the CDN providers probe repeatedly over time to monitor global routing state, which many people do seem to have a problem with. Their claim is that they are improving the quality of the Internet experience for people on your network. I can see their point, but some of them do seem to go overboard with the probing. Most of them will put you on a "do not probe" list, if you ask. JMH Jason Dixon wrote:
Yes, I worked at F5 Networks (BIG-IP, 3DNS, etc.) for a while doing product support. I can verify that this is a common complaint associated with this type of product. -J. === message truncated ===
-------------------------------------------------------------------------------
128.121.10.146
[whois.arin.net]
Verio, Inc. (NET-VRIO-128-121)
8005 South Chester Street
Englewood, CO 80112
US
Netname: VRIO-128-121
Netblock: 128.121.0.0 - 128.121.255.255
Maintainer: VRIO
Coordinator:
Verio, Inc. (VIA4-ORG-ARIN) vipar () verio net
303.645.1900
Domain System inverse mapping provided by:
NS0.VERIO.NET 129.250.15.61
NS1.VERIO.NET 204.91.99.140
NS2.VERIO.NET 129.250.31.190
********************************************
Reassignment information for this block is
available at rwhois.verio.net port 4321
********************************************
Record last updated on 26-Sep-2001.
Database last updated on 14-Jan-2002 02:32:30 EDT.
The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
[rwhois.verio.net]
Mirror Image (NETBLK-C052-128-121-10-144) C052-128-121-10-144
128.121.10.144 - 128.121.10.151
Verio Data Centers - Sterling/Dulles (NETBLK-VRIO-128-121-000) VRIO-128-121-000
128.121.0.0 - 128.121.31.255
Verio Inc. (NETBLK-VRIO-128-121) VRIO-128-121 128.121.0.0 - 128.121.255.255
To single out one record, look it up with "xxx", where xxx is the
handle, shown in parenthesis following the name, which comes first.
This database contains ONLY records under the administrative control of
Verio, Inc. No portion of this data may be used for anything other
than Internet operational purposes.
-------------------------------------------------------------------------------
128.242.105.34
[whois.arin.net]
Verio, Inc. (NET-VRIO-128-242)
8005 South Chester Street
Englewood, CO 80112
US
Netname: VRIO-128-242
Netblock: 128.242.0.0 - 128.242.255.255
Maintainer: VRIO
Coordinator:
Verio, Inc. (VIA4-ORG-ARIN) vipar () verio net
303.645.1900
Domain System inverse mapping provided by:
NS0.VERIO.NET 129.250.15.61
NS1.VERIO.NET 204.91.99.140
NS2.VERIO.NET 129.250.31.190
********************************************
Reassignment information for this block is
available at rwhois.verio.net port 4321
********************************************
Record last updated on 26-Sep-2001.
Database last updated on 14-Jan-2002 02:32:30 EDT.
[rwhois.verio.net]
Mirror Image Internet (NETBLK-C053-128-242-105-32) C053-128-242-105-32
128.242.105.32 - 128.242.105.35
Verio Data Centers - San Jose - Lundy (NETBLK-C053-128-242-096) C053-128-242-096
128.242.96.0 - 128.242.127.255
Verio Inc. (NETBLK-VRIO-128-242) VRIO-128-242 128.242.0.0 - 128.242.255.255
To single out one record, look it up with "xxx", where xxx is the
handle, shown in parenthesis following the name, which comes first.
This database contains ONLY records under the administrative control of
Verio, Inc. No portion of this data may be used for anything other
than Internet operational purposes.
-------------------------------------------------------------------------------
129.250.244.10
[whois.arin.net]
Verio, Inc. (NET-VRIO-129-250)
8005 South Chester Street
Englewood, CO 80112
US
Netname: VRIO-129-250
Netblock: 129.250.0.0 - 129.250.255.255
Maintainer: VRIO
Coordinator:
Verio, Inc. (VIA4-ORG-ARIN) vipar () verio net
303.645.1900
Domain System inverse mapping provided by:
NS0.VERIO.NET 129.250.15.61
NS1.VERIO.NET 204.91.99.140
NS2.VERIO.NET 129.250.31.190
ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
********************************************
Reassignment information for this block is
available at rwhois.verio.net port 4321
********************************************
Record last updated on 26-Sep-2001.
Database last updated on 14-Jan-2002 02:32:30 EDT.
The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
[rwhois.verio.net]
NTT/Verio (NETBLK-NET-INF-NUMBERED-INTERFACES) NET-INF-NUMBERED-INTERFACES
129.250.244.0 - 129.250.244.255
Verio Data Centers - Dallas (NETBLK-VRIO-129-250-240) VRIO-129-250-240
129.250.240.0 - 129.250.247.255
Verio Inc. (NETBLK-VRIO-BB) VRIO-BB 129.250.0.0 - 129.250.255.255
To single out one record, look it up with "xxx", where xxx is the
handle, shown in parenthesis following the name, which comes first.
This database contains ONLY records under the administrative control of
Verio, Inc. No portion of this data may be used for anything other
than Internet operational purposes.
-------------------------------------------------------------------------------
193.148.15.128
[whois.arin.net]
European Regional Internet Registry/RIPE NCC (NETBLK-RIPE)
These addresses have been further assigned to European users.
Contact info can be found in the RIPE database, via the
WHOIS and TELNET servers at whois.ripe.net, and at
http://www.ripe.net/perl/whois/
NL
Netname: RIPE-CBLK
Netblock: 193.0.0.0 - 193.255.255.255
Maintainer: RIPE
Coordinator:
Reseaux IP European Network Co-ordination Centre Singel 258 (RIPE-NCC-ARIN) nicdb () RIPE NET
+31 20 535 4444
Domain System inverse mapping provided by:
NS.RIPE.NET 193.0.0.193
NS.EU.NET 192.16.202.11
AUTH03.NS.UU.NET 198.6.1.83
NS2.NIC.FR 192.93.0.4
SUNIC.SUNET.SE 192.36.125.2
MUNNARI.OZ.AU 128.250.1.21
NS.APNIC.NET 203.37.255.97
To search on arbitrary strings, see the Database page on
the RIPE NCC website at http://www.ripe.net/perl/whois/
Record last updated on 16-Oct-1998.
Database last updated on 14-Jan-2002 02:32:30 EDT.
[whois.ripe.net]
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 193.148.15.0 - 193.148.15.255
netname: AMS-IX1
descr: Amsterdam Internet Exchange (AMS-IX)
country: NL
admin-c: AMSX-RIPE
tech-c: AMSX-RIPE
status: ASSIGNED PI
remarks: For more info on AMSIX see: http://www.ams-ix.net/
notify: noc () ams-ix net
mnt-by: RIPE-NCC-NONE-MNT
changed: Erik-Jan.Bos () surfnet nl 19990113
changed: Henk.Steenman () ams-ix net 20020104
changed: Steven.Bakker () ams-ix net 20020109
source: RIPE
route: 193.148.15.0/24
descr: AMS-IX1
origin: AS1200
remarks: ias-int: 193.148.15.33 AS6461
remarks: ias-int: 193.148.15.34 AS1103
remarks: ias-int: 193.148.15.35 AS12859
remarks: ias-int: 193.148.15.36 AS13197
remarks: ias-int: 193.148.15.37 AS2686
remarks: ias-int: 193.148.15.38 AS5496
remarks: ias-int: 193.148.15.39 AS13142
remarks: ias-int: 193.148.15.41 AS12315
remarks: ias-int: 193.148.15.42 AS5623
remarks: ias-int: 193.148.15.43 AS2611
remarks: ias-int: 193.148.15.44 AS3300
remarks: ias-int: 193.148.15.45 AS1136
remarks: ias-int: 193.148.15.46 AS1299
remarks: ias-int: 193.148.15.47 AS13127
remarks: ias-int: 193.148.15.48 AS3265
remarks: ias-int: 193.148.15.49 AS1140
remarks: ias-int: 193.148.15.50 AS1103
remarks: ias-int: 193.148.15.52 AS8251
remarks: ias-int: 193.148.15.53 AS8209
remarks: ias-int: 193.148.15.55 AS8215
remarks: ias-int: 193.148.15.56 AS5399
remarks: ias-int: 193.148.15.57 AS8582
remarks: ias-int: 193.148.15.59 AS5511
remarks: ias-int: 193.148.15.61 AS9013
remarks: ias-int: 193.148.15.62 AS8737
remarks: ias-int: 193.148.15.63 AS13127
remarks: ias-int: 193.148.15.64 AS12871
remarks: ias-int: 193.148.15.65 AS13076
remarks: ias-int: 193.148.15.66 AS3215
remarks: ias-int: 193.148.15.67 AS1755
remarks: ias-int: 193.148.15.68 AS3333
remarks: ias-int: 193.148.15.69 AS12654
remarks: ias-int: 193.148.15.70 AS5390
remarks: ias-int: 193.148.15.71 AS3333
remarks: ias-int: 193.148.15.72 AS5484
remarks: ias-int: 193.148.15.73 AS6705
remarks: ias-int: 193.148.15.74 AS8210
remarks: ias-int: 193.148.15.75 AS9109
remarks: ias-int: 193.148.15.77 AS702
remarks: ias-int: 193.148.15.78 AS5615
remarks: ias-int: 193.148.15.80 AS6745
remarks: ias-int: 193.148.15.81 AS5590
remarks: ias-int: 193.148.15.82 AS8483
remarks: ias-int: 193.148.15.83 AS5462
remarks: ias-int: 193.148.15.84 AS4000
remarks: ias-int: 193.148.15.85 AS3257
remarks: ias-int: 193.148.15.86 AS8355
remarks: ias-int: 193.148.15.87 AS6774
remarks: ias-int: 193.148.15.88 AS8873
remarks: ias-int: 193.148.15.91 AS6805
remarks: ias-int: 193.148.15.94 AS7176
remarks: ias-int: 193.148.15.95 AS5413
remarks: ias-int: 193.148.15.97 AS286
remarks: ias-int: 193.148.15.98 AS1890
remarks: ias-int: 193.148.15.99 AS5417
remarks: ias-int: 193.148.15.100 AS3303
remarks: ias-int: 193.148.15.101 AS8220
remarks: ias-int: 193.148.15.102 AS1273
remarks: ias-int: 193.148.15.103 AS9143
remarks: ias-int: 193.148.15.104 AS3292
remarks: ias-int: 193.148.15.105 AS8935
remarks: ias-int: 193.148.15.106 AS6830
remarks: ias-int: 193.148.15.108 AS5400
remarks: ias-int: 193.148.15.109 AS12394
remarks: ias-int: 193.148.15.110 AS9057
remarks: ias-int: 193.148.15.111 AS3320
remarks: ias-int: 193.148.15.112 AS6728
remarks: ias-int: 193.148.15.113 AS4513
remarks: ias-int: 193.148.15.114 AS1890
remarks: ias-int: 193.148.15.116 AS6730
remarks: ias-int: 193.148.15.117 AS13646
remarks: ias-int: 193.148.15.118 AS12573
remarks: ias-int: 193.148.15.119 AS8709
remarks: ias-int: 193.148.15.121 AS8297
remarks: ias-int: 193.148.15.122 AS6461
remarks: ias-int: 193.148.15.123 AS3209
remarks: ias-int: 193.148.15.124 AS12868
remarks: ias-int: 193.148.15.125 AS12945
remarks: ias-int: 193.148.15.126 AS5496
remarks: ias-int: 193.148.15.127 AS6667
remarks: ias-int: 193.148.15.128 AS12787
remarks: ias-int: 193.148.15.130 AS12634
remarks: ias-int: 193.148.15.131 AS5594
remarks: ias-int: 193.148.15.132 AS8586
remarks: ias-int: 193.148.15.133 AS12541
remarks: ias-int: 193.148.15.134 AS9133
remarks: ias-int: 193.148.15.135 AS5419
remarks: ias-int: 193.148.15.136 AS8938
remarks: ias-int: 193.148.15.137 AS12606
remarks: ias-int: 193.148.15.138 AS9200
remarks: ias-int: 193.148.15.139 AS9150
remarks: ias-int: 193.148.15.140 AS286
remarks: ias-int: 193.148.15.143 AS5669
remarks: ias-int: 193.148.15.144 AS1136
remarks: ias-int: 193.148.15.146 AS2647
remarks: ias-int: 193.148.15.147 AS15509
remarks: ias-int: 193.148.15.148 AS6553
remarks: ias-int: 193.148.15.149 AS15435
remarks: ias-int: 193.148.15.150 AS13300
remarks: ias-int: 193.148.15.153 AS5400
remarks: ias-int: 193.148.15.154 AS4697
remarks: ias-int: 193.148.15.155 AS5597
remarks: ias-int: 193.148.15.156 AS15538
remarks: ias-int: 193.148.15.157 AS15670
remarks: ias-int: 193.148.15.158 AS9193
remarks: ias-int: 193.148.15.160 AS8914
remarks: ias-int: 193.148.15.161 AS3561
remarks: ias-int: 193.148.15.163 AS15703
remarks: ias-int: 193.148.15.164 AS15441
remarks: ias-int: 193.148.15.165 AS12414
remarks: ias-int: 193.148.15.166 AS3265
remarks: ias-int: 193.148.15.167 AS15879
remarks: ias-int: 193.148.15.168 AS12222
remarks: ias-int: 193.148.15.169 AS2818
remarks: ias-int: 193.148.15.170 AS19376
remarks: ias-int: 193.148.15.175 AS8954
remarks: ias-int: 193.148.15.180 AS12838
remarks: ias-int: 193.148.15.181 AS9143
remarks: ias-int: 193.148.15.182 AS1755
remarks: ias-int: 193.148.15.183 AS16298
remarks: ias-int: 193.148.15.184 AS5590
remarks: ias-int: 193.148.15.185 AS20481
remarks: ias-int: 193.148.15.186 AS20504
remarks: ias-int: 193.148.15.187 AS12868
remarks: ias-int: 193.148.15.188 AS8918
remarks: ias-int: 193.148.15.189 AS20562
remarks: ias-int: 193.148.15.191 AS2686
remarks: ias-int: 193.148.15.193 AS7176
remarks: ias-int: 193.148.15.194 AS2686
remarks: ias-int: 193.148.15.195 AS20639
remarks: ias-int: 193.148.15.196 AS6762
remarks: ias-int: 193.148.15.197 AS9057
remarks: ias-int: 193.148.15.198 AS19440
remarks: ias-int: 193.148.15.199 AS20735
remarks: ias-int: 193.148.15.200 AS12859
remarks: ias-int: 193.148.15.201 AS12394
remarks: ias-int: 193.148.15.202 AS20854
remarks: ias-int: 193.148.15.203 AS20953
remarks: ias-int: 193.148.15.204 AS20507
remarks: ias-int: 193.148.15.205 AS20786
remarks: ias-int: 193.148.15.206 AS3333
remarks: ias-int: 193.148.15.207 AS12832
remarks: ias-int: 193.148.15.208 AS12956
remarks: ias-int: 193.148.15.209 AS9132
remarks: ias-int: 193.148.15.210 AS3257
remarks: ias-int: 193.148.15.211 AS10140
remarks: ias-int: 193.148.15.212 AS13237
remarks: ias-int: 193.148.15.213 AS16298
remarks: ias-int: 193.148.15.214 AS21155
remarks: ias-int: 193.148.15.215 AS6774
remarks: ias-int: 193.148.15.216 AS21478
notify: netmaster () surfnet nl
mnt-by: AS1103-MNT
mnt-by: AMS-IX-MNT
changed: Niels.denOtter () surfnet nl 20011112
changed: Steven.Bakker () ams-ix net 20020110
changed: Steven.Bakker () ams-ix net 20020110
source: RIPE
role: AMS-IX NOC
address: Amsterdam Internet Exchange BV
address: Westeinde 12
address: NL - 1017 ZN Amsterdam
address: The Netherlands
phone: +31 20 514 1717
fax-no: +31 20 305 8990
e-mail: noc () ams-ix net
mnt-by: AMS-IX-MNT
admin-c: HST-RIPE
tech-c: SB-RIPE
tech-c: HST-RIPE
tech-c: RZ27-RIPE
tech-c: AV7007-RIPE
nic-hdl: AMSX-RIPE
notify: noc () ams-ix net
changed: Steven.Bakker () ams-ix net 20020104
changed: Steven.Bakker () ams-ix net 20020110
source: RIPE
aut-num: AS12787
as-name: MII-2
descr: MII-2 Europe/AsiaPac AS-12787
descr: Mirror Image Internet Europe/AsiaPac
import: from AS-ANY accept ANY
export: to AS-ANY announce AS12787
admin-c: ML8721
admin-c: DF1108
admin-c: JD1919
admin-c: LF1117
tech-c: JD1919
tech-c: LF1117
changed: lfinn () mirror-image com 20010813
remarks: ----------------------------------------------------
remarks: Peering requests can be sent to peering () mirror-image com
remarks: Abuse reports can be sent to abuse () mirror-image com
remarks: ----------------------------------------------------
mnt-by: AS12787-MNT
changed: lfinn () mirror-image com 20010813
source: RIPE
-------------------------------------------------------------------------------
194.205.125.26
[whois.arin.net]
European Regional Internet Registry/RIPE NCC (NETBLK-RIPE-C2)
These addresses have been further assigned to European users.
Contact info can be found in the RIPE database, via the
WHOIS and TELNET servers at whois.ripe.net, and at
http://www.ripe.net/perl/whois/
NL
Netname: RIPE-CBLK2
Netblock: 194.0.0.0 - 194.255.255.255
Maintainer: RIPE
Coordinator:
Reseaux IP European Network Co-ordination Centre Singel 258 (RIPE-NCC-ARIN) nicdb () RIPE NET
+31 20 535 4444
Domain System inverse mapping provided by:
NS.RIPE.NET 193.0.0.193
NS.EU.NET 192.16.202.11
AUTH03.NS.UU.NET 198.6.1.83
NS2.NIC.FR 192.93.0.4
SUNIC.SUNET.SE 192.36.125.2
MUNNARI.OZ.AU 128.250.1.21
NS.APNIC.NET 203.37.255.97
To search on arbitrary strings, see the Database page on
the RIPE NCC website at http://www.ripe.net/perl/whois/
Record last updated on 16-Oct-1998.
Database last updated on 14-Jan-2002 02:32:30 EDT.
[whois.ripe.net]
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 194.205.125.24 - 194.205.125.27
netname: MIRRORIMAGE22
descr: reserved for mirror image
country: GB
admin-c: BR5371-RIPE
tech-c: IH22-ORG
rev-srv: ns0.insnet.net
rev-srv: ns1.insnet.net
status: ASSIGNED PA
mnt-by: AS5378-MNT
changed: garethe () insnet net 20010206
source: RIPE
route: 194.205.0.0/16
descr: INSNET-194.205/16
descr: ALLOCATED PA Space do not break up
origin: AS5378
mnt-by: AS5378-MNT
changed: rpa () insnet net 19960412
source: RIPE
role: Internet Network Services Technical Department
address: Cable and Wireless INS UK IP GSOC
address: 1st Floor, Pinnacle House
address: Wimbledon
address: London, SW19 3SE
address: GB
phone: +44 20 8239 5000
fax-no: +44 20 8239 5001
e-mail: support () insnet net
trouble: ------------------------------------------------
trouble: Please do NOT e-mail abuse to the contacts given
trouble: here, e-mail them to abuse () insnet net instead.
trouble: ------------------------------------------------
trouble: Network Status Page: http://www1.insnet.net/
trouble: Information: http://www.cw.com/
trouble: ------------------------------------------------
trouble: ** Contact by E-Mail ONLY. ***
trouble: ------------------------------------------------
admin-c: TH8953-RIPE
tech-c: RW1210-RIPE
tech-c: IT1095-RIPE
tech-c: JO2565-RIPE
nic-hdl: IH22-ORG
notify: hm-dbm-msgs () ripe net
notify: reliability () cwci net
mnt-by: AS5378-MNT
changed: robertwo () insnet net 20010823
source: RIPE
person: Ben Revil
address: London
phone: +442089440282
fax-no: +44
e-mail: ben () mirror-image com
nic-hdl: BR5371-RIPE
mnt-by: AS5378-MNT
changed: garethe () insnet net 20010206
source: RIPE
-------------------------------------------------------------------------------
194.213.64.150
[whois.arin.net]
European Regional Internet Registry/RIPE NCC (NETBLK-RIPE-C2)
These addresses have been further assigned to European users.
Contact info can be found in the RIPE database, via the
WHOIS and TELNET servers at whois.ripe.net, and at
http://www.ripe.net/perl/whois/
NL
Netname: RIPE-CBLK2
Netblock: 194.0.0.0 - 194.255.255.255
Maintainer: RIPE
Coordinator:
Reseaux IP European Network Co-ordination Centre Singel 258 (RIPE-NCC-ARIN) nicdb () RIPE NET
+31 20 535 4444
Domain System inverse mapping provided by:
NS.RIPE.NET 193.0.0.193
NS.EU.NET 192.16.202.11
AUTH03.NS.UU.NET 198.6.1.83
NS2.NIC.FR 192.93.0.4
SUNIC.SUNET.SE 192.36.125.2
MUNNARI.OZ.AU 128.250.1.21
NS.APNIC.NET 203.37.255.97
To search on arbitrary strings, see the Database page on
the RIPE NCC website at http://www.ripe.net/perl/whois/
Record last updated on 16-Oct-1998.
Database last updated on 14-Jan-2002 02:32:30 EDT.
[whois.ripe.net]
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 194.213.64.0 - 194.213.64.255
netname: SE-TELENORDIA
descr: Telenordia AB
country: SE
admin-c: TH1428-RIPE
tech-c: TI116-RIPE
rev-srv: ns.algonet.se
rev-srv: dns.telenordia.se
status: ASSIGNED PA
notify: hostmaster () telenordia se
mnt-by: AS5556-MNT
changed: ripe () telenordia se 20000911
source: RIPE
route: 194.213.64.0/19
descr: Telenordia AB
origin: AS5556
mnt-by: AS5556-MNT
changed: hostmaster () telenorda se 19990901
source: RIPE
role: Telenordia Hostmaster
address: Telenordia AB
address: Box 6681
address: 11384 STOCKHOLM
address: SWEDEN
phone: +46 8 58787000
fax-no: +46 8 58787006
e-mail: hostmaster () telenordia se
e-mail: se-hostmaster () ignite com
admin-c: MB4974-RIPE
tech-c: CA17-RIPE
nic-hdl: TH1428-RIPE
notify: inoc () telenordia se
mnt-by: AS5556-MNT
changed: inoc () telenordia se 20010926
source: RIPE
role: Telenordia INOC
address: Telenordia AB
address: Box 6681
address: 11384 STOCKHOLM
address: SWEDEN
phone: +46 8 58787000
fax-no: +46 8 58787006
e-mail: inoc () telenordia se
e-mail: se-inoc () ignite com
admin-c: MN1262-RIPE
tech-c: MB4974-RIPE
nic-hdl: TI116-RIPE
notify: inoc () telenordia se
notify: se-inoc () ignite com
mnt-by: AS5556-MNT
changed: inoc () telenordia se 20010926
source: RIPE
-------------------------------------------------------------------------------
202.139.133.129
[whois.arin.net]
Asia Pacific Network Information Center (APNIC2)
These addresses have been further assigned to Asia-Pacific users.
Contact info can be found in the APNIC database,
at WHOIS.APNIC.NET or http://www.apnic.net/
Please do not send spam complaints to APNIC.
AU
Netname: APNIC-CIDR-BLK
Netblock: 202.0.0.0 - 203.255.255.255
Maintainer: AP
Coordinator:
Administrator, System (SA90-ARIN) [No mailbox]
+61-7-3367-0490
Domain System inverse mapping provided by:
SVC00.APNIC.NET 202.12.28.131
NS.APNIC.NET 203.37.255.97
NS.TELSTRA.NET 203.50.0.137
NS.RIPE.NET 193.0.0.193
Regional Internet Registry for the Asia-Pacific Region.
*** Use whois -h whois.apnic.net [object] ***
*** or see http://www.apnic.net/db/ for database assistance ***
Record last updated on 18-Jun-1999.
Database last updated on 14-Jan-2002 02:32:30 EDT.
[whois.apnic.net]
% Rights restricted by copyright. See http://www.apnic.net/db/dbcopyright.html
% (whois6.apnic.net)
inetnum: 202.139.133.0 - 202.139.133.255
netname: OPTUSCOM
descr: CWO Infrastructure Network
descr: subnetted /30 Links Bundled
country: AU
admin-c: OA3-AP
tech-c: OA3-AP
mnt-by: MAINT-OPTUSCOM-AP
changed: ipadmin () cwo net au 20001228
source: APNIC
role: OPTUS IP ADMINISTRATORS
address: 101 Miller Street North Sydney
country: AU
phone: +61-2-93427681
phone: +61-2-93420848
phone: +61-2-93420983
phone: +61-2-93420813
phone: +61-2-93420717
fax-no: +61-2-9342-0998
fax-no: +61-2-9342-6122
e-mail: ipadmin () optus net au
trouble: send spam/abuse reports to abuse () optus net au
trouble: please use http://www.apnic.net/db/spam.html
trouble: to identify networks before sending reports and
trouble: always include full headers/logs.
admin-c: NC8-AP
tech-c: NC8-AP
tech-c: AH170-AP
tech-c: CB39-AP
nic-hdl: OA3-AP
notify: hostmaster () optus net au
mnt-by: MAINT-OPTUSCOM-AP
changed: ipadmin () cwo net au 20011129
source: APNIC
-------------------------------------------------------------------------------
203.194.166.182
[whois.arin.net]
Asia Pacific Network Information Center (APNIC2)
These addresses have been further assigned to Asia-Pacific users.
Contact info can be found in the APNIC database,
at WHOIS.APNIC.NET or http://www.apnic.net/
Please do not send spam complaints to APNIC.
AU
Netname: APNIC-CIDR-BLK
Netblock: 202.0.0.0 - 203.255.255.255
Maintainer: AP
Coordinator:
Administrator, System (SA90-ARIN) [No mailbox]
+61-7-3367-0490
Domain System inverse mapping provided by:
SVC00.APNIC.NET 202.12.28.131
NS.APNIC.NET 203.37.255.97
NS.TELSTRA.NET 203.50.0.137
NS.RIPE.NET 193.0.0.193
Regional Internet Registry for the Asia-Pacific Region.
*** Use whois -h whois.apnic.net [object] ***
*** or see http://www.apnic.net/db/ for database assistance ***
Record last updated on 18-Jun-1999.
Database last updated on 14-Jan-2002 02:32:30 EDT.
[WHOIS.APNIC.NET]
% Rights restricted by copyright. See http://www.apnic.net/db/dbcopyright.html
% (whois6.apnic.net)
inetnum: 203.194.128.0 - 203.194.191.255
netname: IADVANTAGE
descr: iAdvantage Ltd.
country: HK
admin-c: ATWY1-AP
tech-c: BL26-AP
tech-c: HM55-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-HK-IS
changed: hostmaster () apnic net 20010607
source: APNIC
person: Alex Tam Wing Yiu
address: iAdvantage Ltd.
address: 36/F Standard Chartered Tower II
address: Millennium City, 388 Kwun Tong Road
address: Kwun Tong, Hong Kong
country: HK
phone: +852-22088328
fax-no: +852-22672237
e-mail: alextam () netvigator com
nic-hdl: ATWY1-AP
mnt-by: MAINT-NULL
changed: hostmaster () apnic net 19991116
source: APNIC
person: Ben Li
address: 36/F, Standard Chartered Tower
address: Millennium City, 388 Kwun Tong Road
address: Kwun Tong, Hong Kong
country: HK
phone: +852-22088320
fax-no: +852-22672237
e-mail: benli () hutchcity com
nic-hdl: BL26-AP
mnt-by: MAINT-HK-IS
changed: benli () hutchcity com 19991116
source: APNIC
person: iAdvantage hostmaster
address: iAdvantage Limited
address: 36/F, Standard Chartered Tower,
address: Millennium City, 388 Kwun Tong Road
country: HK
phone: +852-22088338
fax-no: +852-22672237
e-mail: hostmaster () iadvantage net hk
nic-hdl: HM55-AP
mnt-by: MAINT-HK-IS
changed: rayfung () iadvantage net hk 20000121
source: APNIC
-------------------------------------------------------------------------------
203.81.45.254
[whois.arin.net]
Asia Pacific Network Information Center (APNIC2)
These addresses have been further assigned to Asia-Pacific users.
Contact info can be found in the APNIC database,
at WHOIS.APNIC.NET or http://www.apnic.net/
Please do not send spam complaints to APNIC.
AU
Netname: APNIC-CIDR-BLK
Netblock: 202.0.0.0 - 203.255.255.255
Maintainer: AP
Coordinator:
Administrator, System (SA90-ARIN) [No mailbox]
+61-7-3367-0490
Domain System inverse mapping provided by:
SVC00.APNIC.NET 202.12.28.131
NS.APNIC.NET 203.37.255.97
NS.TELSTRA.NET 203.50.0.137
NS.RIPE.NET 193.0.0.193
Regional Internet Registry for the Asia-Pacific Region.
*** Use whois -h whois.apnic.net [object] ***
*** or see http://www.apnic.net/db/ for database assistance ***
Record last updated on 18-Jun-1999.
Database last updated on 14-Jan-2002 02:32:30 EDT.
[WHOIS.APNIC.NET]
% Rights restricted by copyright. See http://www.apnic.net/db/dbcopyright.html
% (whois7.apnic.net)
inetnum: 203.81.32.0 - 203.81.47.255
netname: PI-SG-IDC
descr: Pacific Internet Limited
descr: 89 Science Park Drive
descr: #04-09 Singapore 118261
country: SG
admin-c: WH1-AP
tech-c: WH1-AP
mnt-by: APNIC-HM
mnt-lower: PIL-NOC-AP
changed: hostmaster () apnic net 20010201
source: APNIC
person: Wong Kok Hoou
address: Pacific Internet Pte Ltd
address: 89 Science Park Drive
address: #04-09/12, The Rutherford
address: Singapore 118261
phone: +65-771-0880
fax-no: +65-773-6812
e-mail: hoou () pacific net sg
nic-hdl: WH1-AP
mnt-by: PIPL-NOC-AP
changed: operations () pacific net sg 19991014
source: APNIC
-------------------------------------------------------------------------------
216.220.39.42
[whois.arin.net]
Q9 Networks Inc. (NET-Q9-NET1)
100 Wellington Street West Suite 900
Toronto, ON M5K 1J3
CA
Netname: Q9-NET1
Netblock: 216.220.32.0 - 216.220.63.255
Maintainer: Q9NT
Coordinator:
Q9 Networks Inc. (ZQ8-ARIN) IPadmin () Q9 com
+1 416 362 7000
Domain System inverse mapping provided by:
NS1-AUTH.Q9.COM 216.220.35.20
NS2-AUTH.Q9.COM 216.220.36.20
ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Reassignment information for this block can be found at rwhois.q9.net port 4321
Record last updated on 09-Jan-2002.
Database last updated on 14-Jan-2002 02:32:30 EDT.
Connection timed out connecting to rwhois.q9.net
-------------------------------------------------------------------------------
216.33.35.214
[whois.arin.net]
Exodus Commnications Inc. (NETBLK-ECI-7)
1605 Wyatt Dr. Santa Clara, CA
95054US
US
Netname: ECI-7
Netblock: 216.32.0.0 - 216.35.255.255
Maintainer: ECI
Coordinator:
Center, Network Control (NOC44-ARIN) CompServ () Exodus net
(888) 239-6387 (FAX) (888) 239-6387
Domain System inverse mapping provided by:
DNS01.EXODUS.NET 209.1.222.244
DNS02.EXODUS.NET 209.1.222.245
DNS03.EXODUS.NET 209.1.222.246
DNS04.EXODUS.NET 209.1.222.247
* Rwhois reassignment information for this block is available at:
* rwhois.exodus.net 4321
ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Record last updated on 09-Mar-2000.
Database last updated on 14-Jan-2002 02:32:30 EDT.
-------------------------------------------------------------------------------
216.34.68.2
[whois.arin.net]
Exodus Commnications Inc. (NETBLK-ECI-7)
1605 Wyatt Dr. Santa Clara, CA
95054US
US
Netname: ECI-7
Netblock: 216.32.0.0 - 216.35.255.255
Maintainer: ECI
Coordinator:
Center, Network Control (NOC44-ARIN) CompServ () Exodus net
(888) 239-6387 (FAX) (888) 239-6387
Domain System inverse mapping provided by:
DNS01.EXODUS.NET 209.1.222.244
DNS02.EXODUS.NET 209.1.222.245
DNS03.EXODUS.NET 209.1.222.246
DNS04.EXODUS.NET 209.1.222.247
* Rwhois reassignment information for this block is available at:
* rwhois.exodus.net 4321
ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Record last updated on 09-Mar-2000.
Database last updated on 14-Jan-2002 02:32:30 EDT.
-------------------------------------------------------------------------------
216.35.167.58
[whois.arin.net]
Exodus Commnications Inc. (NETBLK-ECI-7)
1605 Wyatt Dr. Santa Clara, CA
95054US
US
Netname: ECI-7
Netblock: 216.32.0.0 - 216.35.255.255
Maintainer: ECI
Coordinator:
Center, Network Control (NOC44-ARIN) CompServ () Exodus net
(888) 239-6387 (FAX) (888) 239-6387
Domain System inverse mapping provided by:
DNS01.EXODUS.NET 209.1.222.244
DNS02.EXODUS.NET 209.1.222.245
DNS03.EXODUS.NET 209.1.222.246
DNS04.EXODUS.NET 209.1.222.247
* Rwhois reassignment information for this block is available at:
* rwhois.exodus.net 4321
ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Record last updated on 09-Mar-2000.
Database last updated on 14-Jan-2002 02:32:30 EDT.
-------------------------------------------------------------------------------
62.23.80.2
[whois.arin.net]
European Regional Internet Registry/RIPE NCC (NETBLK-RIPE-C3)
These addresses have been further assigned to European users.
Contact info can be found in the RIPE database, via the
WHOIS and TELNET servers at whois.ripe.net, and at
http://www.ripe.net/perl/whois/
NL
Netname: RIPE-C3
Netblock: 62.0.0.0 - 62.255.255.255
Maintainer: RIPE
Coordinator:
Reseaux IP European Network Co-ordination Centre Singel 258 (RIPE-NCC-ARIN) nicdb () RIPE NET
+31 20 535 4444
Domain System inverse mapping provided by:
NS.RIPE.NET 193.0.0.193
NS.EU.NET 192.16.202.11
AUTH03.NS.UU.NET 198.6.1.83
NS2.NIC.FR 192.93.0.4
SUNIC.SUNET.SE 192.36.125.2
MUNNARI.OZ.AU 128.250.1.21
NS.APNIC.NET 203.37.255.97
To search on arbitrary strings, see the Database page on
the RIPE NCC website at http://www.ripe.net/perl/whois/
Record last updated on 16-Oct-1998.
Database last updated on 14-Jan-2002 02:32:30 EDT.
-------------------------------------------------------------------------------
62.26.119.34
[whois.arin.net]
European Regional Internet Registry/RIPE NCC (NETBLK-RIPE-C3)
These addresses have been further assigned to European users.
Contact info can be found in the RIPE database, via the
WHOIS and TELNET servers at whois.ripe.net, and at
http://www.ripe.net/perl/whois/
NL
Netname: RIPE-C3
Netblock: 62.0.0.0 - 62.255.255.255
Maintainer: RIPE
Coordinator:
Reseaux IP European Network Co-ordination Centre Singel 258 (RIPE-NCC-ARIN) nicdb () RIPE NET
+31 20 535 4444
Domain System inverse mapping provided by:
NS.RIPE.NET 193.0.0.193
NS.EU.NET 192.16.202.11
AUTH03.NS.UU.NET 198.6.1.83
NS2.NIC.FR 192.93.0.4
SUNIC.SUNET.SE 192.36.125.2
MUNNARI.OZ.AU 128.250.1.21
NS.APNIC.NET 203.37.255.97
To search on arbitrary strings, see the Database page on
the RIPE NCC website at http://www.ripe.net/perl/whois/
Record last updated on 16-Oct-1998.
Database last updated on 14-Jan-2002 02:32:30 EDT.
-------------------------------------------------------------------------------
64.14.200.154
[whois.arin.net]
Exodus Communications Inc. (NETBLK-ECI-64)
2831 Mission College blvd.
Santa Clara, CA 95054
US
Netname: ECI-64
Netblock: 64.14.0.0 - 64.14.255.255
Maintainer: ECI
Coordinator:
Center, Network Control (NOC44-ARIN) CompServ () Exodus net
(888) 239-6387 (FAX) (888) 239-6387
Domain System inverse mapping provided by:
DNS01.EXODUS.NET 209.1.222.244
DNS02.EXODUS.NET 209.1.222.245
DNS03.EXODUS.NET 209.1.222.246
DNS04.EXODUS.NET 209.1.222.247
ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
* Rwhois reassignment information for this block is available at:
* rwhois.exodus.net 4321
Record last updated on 12-Dec-2000.
Database last updated on 14-Jan-2002 02:32:30 EDT.
-------------------------------------------------------------------------------
64.37.200.46
[whois.arin.net]
Exodus Communications Inc. Oakbrook (NETBLK-EC09-1)
2831 Mission College Blvd.
Santa Clara, CA 95112
US
Netname: EC09-1
Netblock: 64.37.192.0 - 64.37.255.255
Maintainer: EC09
Coordinator:
Center, Network Control (NOC44-ARIN) CompServ () Exodus net
(888) 239-6387 (FAX) (888) 239-6387
Domain System inverse mapping provided by:
DNS01.EXODUS.NET 209.1.222.244
DNS02.EXODUS.NET 209.1.222.245
DNS03.EXODUS.NET 209.1.222.246
DNS04.EXODUS.NET 209.1.222.247
ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
* Rwhois reassignment information for this block is available at:
* rwhois.exodus.net 4321
Record last updated on 14-Sep-2000.
Database last updated on 14-Jan-2002 02:32:30 EDT.
-------------------------------------------------------------------------------
64.56.174.186
[whois.arin.net]
Exodus Communications Inc. Tokyo (JP1) (NETBLK-EC36-1)
2831 Mission College Blvd.
Santa Clara, CA 95112
US
Netname: EC36-1
Netblock: 64.56.160.0 - 64.56.191.255
Maintainer: EC36
Coordinator:
Center, Network Control (NOC44-ARIN) CompServ () Exodus net
(888) 239-6387 (FAX) (888) 239-6387
Domain System inverse mapping provided by:
DNS01.EXODUS.NET 209.1.222.244
DNS02.EXODUS.NET 209.1.222.245
DNS03.EXODUS.NET 209.1.222.246
DNS04.EXODUS.NET 209.1.222.247
ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
* Rwhois reassignment information for this block is available at:
* rwhois.exodus.net 4321
Record last updated on 16-Oct-2000.
Database last updated on 14-Jan-2002 02:32:30 EDT.
-------------------------------------------------------------------------------
64.78.235.14
[whois.arin.net]
Verado, Inc. (Denver DC) (NET-VERADO-DENVERDC2)
8390 E Crescent Parkway, Suite 300
Greenwood Village, CO 80111
US
Netname: VERADO-DENVERDC2
Netblock: 64.78.224.0 - 64.78.239.255
Maintainer: VRDN
Coordinator:
Verado, Inc. (IV35-ARIN) ARIN-POC () Verado com
303-874-8010
Domain System inverse mapping provided by:
NS1.FWIDCSERVICES.NET 64.78.224.58
NS2.FWIDCSERVICES.NET 216.23.160.51
Record last updated on 16-May-2001.
Database last updated on 14-Jan-2002 02:32:30 EDT.
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- New DNS connection with SYN ACK Jerry Perser (Jan 11)
- Re: New DNS connection with SYN ACK Richard Arends (Jan 11)
- Re: New DNS connection with SYN ACK Nick Drage (Jan 14)
- Re: New DNS connection with SYN ACK Patrick Benson (Jan 14)
- Re: New DNS connection with SYN ACK Nick Drage (Jan 14)
- RE: New DNS connection with SYN ACK Dan Hawrylkiw (Jan 14)
- RE: New DNS connection with SYN ACK Jason Dixon (Jan 14)
- Re: New DNS connection with SYN ACK John Hall (Jan 15)
- Unusual DNS requests (not related to previous DNS thread) measl (Jan 15)
- Re: Unusual DNS requests (not related to previous DNS thread) Ryan Russell (Jan 15)
- Re: Unusual DNS requests (not related to previous DNS thread) measl (Jan 17)
- Re: Unusual DNS requests (not related to previous DNS thread) Greg A. Woods (Jan 18)
- RE: New DNS connection with SYN ACK Jason Dixon (Jan 14)
- Re: Unusual DNS requests (not related to previous DNS thread) Greg A. Woods (Jan 15)
- Re: New DNS connection with SYN ACK Richard Arends (Jan 11)
- <Possible follow-ups>
- RE: New DNS connection with SYN ACK Cloppert, Michael (Jan 14)
- Re: New DNS connection with SYN ACK RainbowHat (Jan 15)
- RE: New DNS connection with SYN ACK Keith T. Morgan (Jan 14)