nanog mailing list archives

Fwd: Re: Dst. ports 33438, 33437 (64.95.255.255) [data393]


From: "Fergie (Paul Ferguson)" <fergdawg () netzero net>
Date: Thu, 11 Aug 2005 23:46:26 GMT


The following is some dialogue that I posted to the
DShield.org list last night, trying to figure out
why I was seeing these odd traceroute probes in my firewall
logs at home.

I post it here for two reasons:

[1] Does anyone have any experience with InterNAP's FCP-500
product? I was looking for some additional technical info beyond
what is on their web site. Contact me off-list, of course.

And,

[2] Just thought some of you might be interested. :-)

- ferg




---------- Forwarded Message ----------

Just as an FYI follow-up to last night's e-mails
from me to the list [subject line above], I received
this from InterNAP this morning. Thought I'd share...

- ferg




---------- Forwarded Message ----------

We have received the following notice regarding trace route traffic
originating from our network, so I thought I would respond to give
you a bit of peace of mind.  The packets you are seeing are actually a
very GOOD thing.  Our datacenter employs a technology which tunes BGP
routing tables for outbound traffic to provide the highest performing
route path.  On average, this shaves 35-40ms off the round-trip time for
network performance.  The device which performs these operations is
called an Internap FCP-500.  You can view more information at
http://www.internap.com/products/route-optimization.htm 

Chances are, your public IP address was part of communication with our
datacenter.  Since over 10,000 web sites are hosted in our center, it is
a very likely case that you accessed a web site, which then triggered
the performance platform to probe round-trip times via traditional trace
route and ping protocols.  Once you communicate with the datacenter for
the first time, the device will continue to probe the pathway for
performance data periodically, and adjust routes accordingly.

The end result is, a better performing experience since the packets take
the best performing pathway through the Internet from the datacenter to
the end user.

Regards,
Susan Cook

________________________________

Susan Cook | AUP Enforcement
[contact info elided]
 

-----Original Message-----
From: abuse () internap com [mailto:abuse () internap com] 
Posted At: Wednesday, August 10, 2005 9:46 PM
Posted To: Data393 Abuse
Conversation: [ABUSE] Re: [Dshield] Dst. ports 33438, 33437 (64.95.255.255) [data393]
Subject: [ABUSE] Re: [Dshield] Dst. ports 33438, 33437 (64.95.255.255) [data393]

Internap has received an abuse complaint related to the possible
distribution of unsolicited e-mail (spam) or a possible security
violation from you or one of your customers.  We are forwarding the
complaint to you so that you may take appropriate measures to address
the issue.

The purpose of this message is to inform you of a complaint we have
received as if you had received the complaint directly.  We have not
verified the accuracy of the complaint nor is this an accusation that
the said incident has occurred.
         
Internap will not embark upon any punitive action regarding spam or
security complaints without explicitly and formally contacting you
regarding a clear, verified complaint, or a pattern of abuse.
        
Please refer to http://www.internap.com/about/policies.html for
general questions regarding Internap's stance on spam or abuse.  Please
direct any questions regarding this specific issue to
abuse () internap com.
        
         
---------- Forwarded message ----------
From: "Fergie (Paul Ferguson)" <<removed>@netzero.net>
Date: Thu, 11 Aug 2005 03:39:43 GMT
To: list () lists dshield org
Cc: abuse () internap com
Subject: Re: [Dshield] Dst. ports 33438, 33437

...and, now I see an adjacent port as well:

2005-08-10 21:21:48 -05:00      87744681        1       64.94.45.10     14484   67.64.90.x      33436   udp


64.94.45.10 --> fcp-2.chg.pnap.net

Hmmm.

OrgName: Internap Network Services
OrgID: PNAP
Address: 250 Williams Street
Address: Suite E100
City: Atlanta
StateProv: GA
PostalCode: 30303
Country: US

NetRange: 64.94.0.0 - 64.95.255.255
CIDR: 64.94.0.0/15
NetName: PNAP-05-2000
NetHandle: NET-64-94-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.PNAP.NET
NameServer: NS2.PNAP.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2000-06-05
Updated: 2002-06-17

TechHandle: INO3-ARIN
TechName: InterNap Network Operations Center
TechPhone: +1-877-843-4662
TechEmail: noc () internap com

OrgAbuseHandle: IAC3-ARIN
OrgAbuseName: Internap Abuse Contact
OrgAbusePhone: +1-206-256-9500
OrgAbuseEmail: abuse () internap com

OrgTechHandle: INO3-ARIN
OrgTechName: InterNap Network Operations Center
OrgTechPhone: +1-877-843-4662
OrgTechEmail: noc () internap com

# ARIN WHOIS database, last updated 2005-08-10 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

 Tracing to: 64.94.45.10

 1  legacy26-0.default.csail.mit.edu (18.26.0.1) [AS3]  0 ms  0 ms  0 ms
 2  kalgan.trantor.csail.mit.edu (128.30.0.245) [AS40]  0 ms  0 ms  0 ms
 3  B24-RTR-2-CSAIL.MIT.EDU (18.4.7.1) [AS3]  90 ms  96 ms  2 ms
 4  EXTERNAL-RTR-2-BACKBONE.MIT.EDU (18.168.0.27) [AS3]  0 ms  0 ms  0 ms
 5  EXTERNAL-RTR-1-BACKBONE.MIT.EDU (18.168.0.18) [AS3]  1 ms  1 ms  1 ms
 6  ge-6-23.car2.Boston1.Level3.net (4.79.2.1) [AS3356]  1 ms  1 ms  1 ms
 7  ae-1-51.mp1.Boston1.Level3.net (4.68.100.1) [AS3356]  1 ms  1 ms  1 ms
 8  so-3-1-0.bbr1.Chicago1.Level3.net (64.159.4.178) [AS3356]  21 ms
    ae-0-0.bbr2.Chicago1.Level3.net (64.159.1.34) [AS3356]  21 ms
    so-3-1-0.bbr1.Chicago1.Level3.net (64.159.4.178) [AS3356]  21 ms
 9  ge-7-0.ipcolo1.Chicago1.Level3.net (4.68.101.42) [AS3356]  21 ms
    ge-7-1.ipcolo1.Chicago1.Level3.net (4.68.101.106) [AS3356]  21 ms
    ge-9-1.ipcolo1.Chicago1.Level3.net (4.68.101.74) [AS3356]  21 ms
10  unknown.Level3.net (209.247.34.166) [AS3356]  21 ms  21 ms  21 ms
11  border6.ge4-1-bbnet2.chg.pnap.net (64.94.32.75) [AS19024]  51 ms  21 ms  21 ms
12  fcp1.chg.pnap.net (64.94.45.96) [AS19024]  21 ms  21 ms  21 ms
13  * * *
14  * * *

What's up with that? Very, very odd...

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/

-- "Fergie (Paul Ferguson)" <fergdawg () netzero net> wrote:
..and a traceroute from MIT:

 Tracing to: 208.42.224.238

 1  legacy26-0.default.csail.mit.edu (18.26.0.1) [AS3]  0 ms  0 ms  0 ms
 2  kalgan.trantor.csail.mit.edu (128.30.0.245) [AS40]  0 ms  0 ms  0 ms
 3  B24-RTR-2-CSAIL.MIT.EDU (18.4.7.1) [AS3]  0 ms  9 ms  1 ms
 4  EXTERNAL-RTR-2-BACKBONE.MIT.EDU (18.168.0.27) [AS3]  68 ms  108 ms  9 ms
 5  EXTERNAL-RTR-1-BACKBONE.MIT.EDU (18.168.0.18) [AS3]  1 ms  1 ms  1 ms
 6  ge-6-23.car2.Boston1.Level3.net (4.79.2.1) [AS3356]  1 ms  1 ms  1 ms
 7  ae-1-53.mp1.Boston1.Level3.net (4.68.100.65) [AS3356]  1 ms  1 ms  1 ms
 8  as-0-0.bbr2.Denver1.Level3.net (64.159.4.226) [AS3356]  43 ms
    ae-0-0.bbr1.Denver1.Level3.net (64.159.1.113) [AS3356]  43 ms
    as-0-0.bbr2.Denver1.Level3.net (64.159.4.226) [AS3356]  43 ms
 9  so-6-0.hsa1.Denver1.Level3.net (4.68.112.154) [AS3356]  44 ms  43 ms
    4.68.113.54 (4.68.113.54) [AS3356]  43 ms
10  4.79.80.14 (4.79.80.14) [AS3356]  44 ms  44 ms  44 ms
11  core-b.v33.ge-4-5.Level3.edge3.data393.net (208.42.224.117) [AS29863]  44 ms  44 ms  44 ms
* * *
* * *

- ferg



-- "Fergie (Paul Ferguson)" <fergdawg () netzero net> wrote:
WHOIS info leaves me with everything EXCEPT the warm and
fuzzies:


OrgName: Data393 Inc.
OrgID: DATA3
Address: 393 Inverness Parkway
City: Englewood
StateProv: CO
PostalCode: 80112-5855
Country: US

NetRange: 208.42.224.0 - 208.42.255.255
CIDR: 208.42.224.0/19
NetName: D393-DC-INVERNESS1
NetHandle: NET-208-42-224-0-1
Parent: NET-208-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.DATA393.NET
NameServer: NS2.DATA393.NET
Comment:
RegDate: 2004-01-28
Updated: 2004-04-21

AbuseHandle: IPADM77-ARIN
AbuseName: IP Administration
AbusePhone: +1-303-268-1500
AbuseEmail: 

NOCHandle: IPADM77-ARIN
NOCName: IP Administration
NOCPhone: +1-303-268-1500
NOCEmail: ip-addr () data393 net

TechHandle: IPADM77-ARIN
TechName: IP Administration
TechPhone: +1-303-268-1500
TechEmail: ip-addr () data393 net

OrgTechHandle: IPADM77-ARIN
OrgTechName: IP Administration
OrgTechPhone: +1-303-268-1500
OrgTechEmail: ip-addr () data393 net

# ARIN WHOIS database, last updated 2005-08-10 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

- ferg


-- "Fergie (Paul Ferguson)" <fergdawg () netzero net> wrote:

I fired this e-mail off before I dug into it deeper...

Duh. Late night, beer, etc.

The reverse lookup on the source address reveals:

208.42.224.238:
performance-check-via-SAVVIS.THIS-IS_HARMLESS-It_is_a_Traceroute_or_Ping_packet.BGP-route-control.data393.net

Now, the next question is why they're picking my home SBC DSL
host address (which I NAT out of) for this exercise...

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/
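
The triage walked through in this thread (spot UDP hits on high 334xx ports, then attribute the source to a netblock) can be scripted over firewall log lines. The following is an added example, not part of the original messages: the ten-column layout is inferred from the single log line quoted above, every sample line after the first is constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Classic UDP traceroute starts at destination port 33434 and increments per
# probe; 33434-33534 is the range conventionally treated as traceroute.
TRACEROUTE_PORTS = range(33434, 33535)

# Netblocks copied from the two ARIN WHOIS records quoted in the thread.
KNOWN_NETS = {
    "Internap (PNAP-05-2000)": ipaddress.ip_network("64.94.0.0/15"),
    "Data393 (D393-DC-INVERNESS1)": ipaddress.ip_network("208.42.224.0/19"),
}

# Line 1 is the entry quoted in the thread; the rest are constructed samples.
SAMPLE_LOG = """\
2005-08-10 21:21:48 -05:00 87744681 1 64.94.45.10 14484 67.64.90.x 33436 udp
2005-08-10 20:58:02 -05:00 87744681 1 208.42.224.238 40211 67.64.90.x 33437 udp
2005-08-10 20:58:03 -05:00 87744681 1 208.42.224.238 40212 67.64.90.x 33438 udp
2005-08-10 21:30:10 -05:00 87744681 1 198.51.100.9 5060 67.64.90.x 33440 udp
2005-08-10 21:31:44 -05:00 87744681 1 192.0.2.77 4000 67.64.90.x 1434 udp
2005-08-10 21:32:05 -05:00 87744681 1 203.0.113.5 2200 67.64.90.x 33436 tcp
"""

def parse_line(line):
    """Assumed layout: date time tz id count src sport dst dport proto."""
    f = line.split()
    if len(f) != 10:
        return None
    try:
        # The target address is redacted ("67.64.90.x"), so only src is parsed.
        return ipaddress.ip_address(f[5]), int(f[8]), f[9].lower()
    except ValueError:
        return None

def owner_of(src):
    return next((n for n, net in KNOWN_NETS.items() if src in net), "unattributed")

def summarize_probes(log_text):
    """Map each source sending UDP to traceroute-range ports to (owner, ports)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "udp" and rec[1] in TRACEROUTE_PORTS:
            hits[rec[0]].add(rec[1])
    return {str(s): (owner_of(s), sorted(p)) for s, p in hits.items()}

if __name__ == "__main__":
    for src, (owner, ports) in summarize_probes(SAMPLE_LOG).items():
        print(f"{src:16} {owner:30} ports={ports}")
```

Sources that land in neither netblock come back as "unattributed" and are the ones worth a manual WHOIS and reverse lookup, as done by hand in the messages above.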

