Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Justin Shore (macdaddyNEO.PITTSTATE.EDU)
Date: Tue Mar 06 2001 - 12:31:56 CST
On 3/6/01 5:18 AM Ralf G. R. Bergs said...
>On Sat, 3 Mar 2001 15:07:43 -0600, Blake Frantz wrote:
>>A UU.net *router* was
>>trying to communicate with one of our core routers via TCP on a wide range
>>of arbitraty ports. When asked, UU.net responded with "The type of
>>internet traffic you describe appears to be of normal origin." and
>>referred me to RFC 792 (ICMP) - I almost fell off my chair. None the
>This is the same thing they *always* do to me, and most scans I need to
>are RPC and FTP scans.
>>less, after we recieved their response the activity stopped. Purhaps this
>>is the same in your case, a first level abuse manager sends out a generic
>>email to passify wouldbe admins and escalates the incident. Just a
>*Sometimes* the activity stopped, but I had some cases where the activity
>on for days, so I had to black-hole that subnet. But that can't be an optimal
>solution, don't you agree? I can't start to blackhole everyone, because
>I hamper my users in their work... :-(
I've had to report probes to UUnet before. The best method I found was
to first send the standard email with all the neccessary info (logs,
description of the problem, etc...), wait 10 minutes, and then call them.
I reference the email I sent and say that the problem is continuous and
ask for a resolution. I usually have pretty good luck with that method.
Probes from UUnet are almost as common as spam from UUnet. :(
-- Justin Shore, ES Pittsburg State University Network & Systems Manager Kelce 157Q Office of Information Systems Pittsburg, KS 66762 Voice: (620) 235-4606 Fax: (620) 235-4545 http://www.pittstate.edu/ois/
Warning: This message has been quadruple Rot13'ed for your protection.