RE: for folks tracking DDOS sources or reading the GRC attack log

["Mike Batchelor" <mikebat () tmcs net>]

>       24.0/8 is the "cable block".

No it's not.  Check out 24.132/14 for instance.

> ARIN normally allocates residential
> cable modem subnets out of this space.

No they don't.  Large parts of 24/8 are allocated to RIPE or APNIC.  ARIN
has no say in how those blocks are used.

>  Nearly all the cable operators
> have one slice or another from this block.

Perhaps this is true in the US.

>  Nearly all North American
> cable modems users have address space in this block.

No they don't.

>  Cable modems
> themselves are nearly always numbered in 10.0/8.

No they aren't.

>       For those who have read the GRC web site, note that 216.216.8.x
> appears not to be a cable modem slice in any event.

Let's see, hmmmm..... lots of Windows PCs, and ports 137-139 are universally
filtered across the whole /24.  Smells like cable to me.

>  ARIN reports
> that this slice has been allocated to @Work, which is the commercial
> IP lease-line business unit within Excite@Home.

That is correct.

>  Presence of a
> *.home.net DNS entry does not mean the system is on any cable modem
> network.

That is also correct.  Thank you Dr. Obvious.

> There are no 24.0/8 addresses listed in the log at
>       http://grc.com/dos/attacklog.htm
> so it isn't clear to me that any cable modems were used in that
> particular attack.

Not surprising, given your impressive slate of incorrect assumptions.

> Ran
> rja () inet org

Didja ever have a bad hair day, when you just felt like being contrary for
the hell of it?

>