On 3/6/01 5:18 AM Ralf G. R. Bergs said...

>On Sat, 3 Mar 2001 15:07:43 -0600, Blake Frantz wrote:
>
>>A UU.net *router* was
>>trying to communicate with one of our core routers via TCP on a wide range
>>of arbitraty ports. When asked, UU.net responded with "The type of
>>internet traffic you describe appears to be of normal origin." and
>>referred me to RFC 792 (ICMP) - I almost fell off my chair. None the
>
>This is the same thing they *always* do to me, and most scans I need to
>report
>are RPC and FTP scans.
>
>>less, after we recieved their response the activity stopped. Purhaps this
>>is the same in your case, a first level abuse manager sends out a generic
>>email to passify wouldbe admins and escalates the incident. Just a
>>thought.
>
>*Sometimes* the activity stopped, but I had some cases where the activity
>went
>on for days, so I had to black-hole that subnet. But that can't be an optimal
>solution, don't you agree? I can't start to blackhole everyone, because
>some day
>I hamper my users in their work... :-(

I've had to report probes to UUnet before. The best method I found was
to first send the standard email with all the neccessary info (logs,
description of the problem, etc...), wait 10 minutes, and then call them.
 I reference the email I sent and say that the problem is continuous and
ask for a resolution. I usually have pretty good luck with that method.
Probes from UUnet are almost as common as spam from UUnet. :(

Justin

--
Justin Shore, ES                Pittsburg State University
Network & Systems Manager       Kelce 157Q
Office of Information Systems   Pittsburg, KS 66762
Voice: (620) 235-4606           Fax: (620) 235-4545
http://www.pittstate.edu/ois/
Warning:  This message has been quadruple Rot13'ed for your protection.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]