[CTS] Re: Excessive Cable Modem Activity

  • From: John McLaughlin <jemstone@xxxxxxxx>
  • To: computertalkshop@xxxxxxxxxxxxx
  • Date: Thu, 21 Nov 2002 20:31:09 -0700

 Donna, 

It seems that once again Wile E. Coyote has been had by the Road Runner.  I
would suggest contacting Acme explosives and placing the usual order. 

John McLaughlin 
Glendale, Arizona 

DBCfour@xxxxxxx wrote: A friend of mine sent this email account of a problem
he's been having for over almost 2 weeks now.  Can one of you guys give me
some idea of what I should suggest that they do given the information
provided below? 

Thanks in advance, 

Donna 
******************************************************************************** 
Here is the second reply I got from RR.  Below it is the message I sent 
them.  Can you figure out what additional info they want, and what can I get 
them to do?  They appear to me like they don't seem interested in helping. 
As I stated in the message even if this is not  a threat, this is affecting 
my bandwidth and I want it stopped.  Any ideas, comments?  thanks. 

----- Original Message ----- 
From: "Road Runner Security [KMH]" <abuse@xxxxxx> 
To: "Dace Hodgin" <hodgind@xxxxxxxxxxxx> 
Sent: Thursday, November 21, 2002 4:44 PM 
Subject: Re: Security 

Hello, 

Road Runner has received your e-mail, but is currently unable to process it 
further as it is missing some required information. Please read this reply 
to find out what information we require in order to process your 
complaint. 

If you are reporting an Internet abuse issue, it is important that you 
include detailed time stamped logs in plain text format to us so that we 
may assist you.  Without it, we will be unable to substantiate "abuse" 
allegations, and will not be able to assist you. 

Your logs must contain the following information, in any order, for Road 
Runner to process them: 

Date of Incident, Time of Incident, Time Zone, Attacker IP, Your IP, local 
Port 

If the incident that was the basis of your complaint was neither instigated 
by an individual using the Road Runner system, nor in any way related to 
the Road Runner system or content maintained by Road Runner, then Road 
Runner is not the proper entity to contact because we are not in a position 
to take any action. 

If you wish to pursue this matter, you may want to contact the person 
responsible for the incident, or the Internet Service Provider through 
which the content was posted or on which it is maintained. A good place to 
begin in the instance of unwanted probes is 
http://samspade.org/t/refer.cgi?a=&f=8191#10[1] 

--On Tuesday, November 19, 2002 8:27 PM -0500 Dace Hodgin 
<hodgind@xxxxxxxxxxxx> wrote: 

> Since sending the initial email I have investigated the incident and 
> discovered the activity is on UDP port 1900 to IP address 239.255.255.250 
> which is related to Microsoft Simple Service Discovery Protocol. There 
> seems to be an issue with Denial of Service attacks 
> (http://www.eeye.com/html/Research/Advisories/AD20011220.html[2]).  I have 
> checked for the patches from Microsoft and don't need them.   I have also 
> set up filter and firewall rules on my router to block this activity.  The 
> problem is that I have noticed a negative impact in my bandwidth during 
> this time.  This activity has been continuous since 11-09-02.   The only 
> IP address that shows up on my activity logs is the 239.255.255.250 
> address.  I don't know where this activity is originating from, but is 
> not my LAN.  It may not be intentional but I would like this stopped. 
> I'm sorry I cannot provide you with more information. I am attaching an 
> example of one of the packets below. 
> 
> Packet #2, Direction: Pass-through, Time:20:16:40.970, Size: 319 
> Ethernet II 
>  Destination MAC: FF:FF:FF:FF:FF:FF 
>  Source MAC: 00:40:05:B5:BB:9B 
>  Ethertype: 0x0800 (2048) - IP 
> IP 
>  IP version: 0x04 (4) 
>  Header length: 0x05 (5) - 20 bytes 
>  Type of service: 0x00 (0) 
>   Precedence: 000 - Routine 
>   Delay: 0 - Normal delay 
>   Throughput: 0 - Normal throughput 
>   Reliability: 0 - Normal reliability 
>  Total length: 0x0131 (305) 
>  ID: 0x8300 (33536) 
>  Flags 
>   Don't fragment bit: 0 - May fragment 
>   More fragments bit: 0 - Last fragment 
>  Fragment offset: 0x0000 (0) 
>  Time to live: 0x7F (127) 
>  Protocol: 0x11 (17) - UDP 
>  Checksum: 0x0718 (1816) - correct 
>  Source IP: 192.168.0.1 
>  Destination IP: 239.255.255.250 
>  IP Options: None 
> UDP 
>  Source port: 1900 
>  Destination port: 1900 
>  Length: 0x011D (285) 
>  Checksum: 0x99D4 (39380) - correct 
> Raw Data: 
> 0x0000   FF FF FF FF FF FF 00 40-05 B5 BB 9B 08 00 45 00   ......@.......E. 
> 0x0010   01 31 83 00 00 00 7F 11-07 18 C0 A8 00 01 EF FF   .1.............. 
> 0x0020   FF FA 07 6C 07 6C 01 1D-99 D4 4E 4F 54 49 46 59   ...l.l....NOTIFY 
> 0x0030   20 2A 20 48 54 54 50 2F-31 2E 31 0D 0A 48 4F 53    * HTTP/1.1..HOS 
> 0x0040   54 3A 20 32 33 39 2E 32-35 35 2E 32 35 35 2E 32   T: 239.255.255.2 
> 0x0050   35 30 3A 31 39 30 30 0D-0A 43 41 43 48 45 2D 43   50:1900..CACHE-C 
> 0x0060   4F 4E 54 52 4F 4C 3A 20-6D 61 78 2D 61 67 65 3D   ONTROL: max-age= 
> 0x0070   31 32 30 0D 0A 4C 4F 43-41 54 49 4F 4E 3A 20 68   120..LOCATION: h 
> 0x0080   74 74 70 3A 2F 2F 31 39-32 2E 31 36 38 2E 30 2E   ttp://192.168.0. 
> 0x0090   31 3A 35 36 37 38 2F 69-67 64 2E 78 6D 6C 0D 0A   1:5678/igd.xml.. 
> 0x00A0   4E 54 3A 20 75 75 69 64-3A 75 70 6E 70 2D 49 6E   NT: uuid:upnp-In 
> 0x00B0   74 65 72 6E 65 74 47 61-74 65 77 61 79 44 65 76   ternetGatewayDev 
> 0x00C0   69 63 65 2D 31 5F 30 2D-31 32 33 34 35 36 37 38   ice-1_0-12345678 
> 0x00D0   39 30 30 30 30 31 0D 0A-4E 54 53 3A 20 73 73 64   900001..NTS: ssd 
> 0x00E0   70 3A 61 6C 69 76 65 0D-0A 53 45 52 56 45 52 3A   p:alive..SERVER: 
> 0x00F0   20 45 6D 62 65 64 64 65-64 20 55 50 6E 50 2F 31    Embedded UPnP/1 
> 0x0100   2E 30 0D 0A 55 53 4E 3A-20 75 75 69 64 3A 75 70   .0..USN: uuid:up 
> 0x0110   6E 70 2D 49 6E 74 65 72-6E 65 74 47 61 74 65 77   np-InternetGatew 
> 0x0120   61 79 44 65 76 69 63 65-2D 31 5F 30 2D 31 32 33   ayDevice-1_0-123 
> 0x0130   34 35 36 37 38 39 30 30-30 30 31 0D 0A 0D 0A      45678900001.... 
> 
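The packet quoted above carries more of the answer than the single IP address in the activity log. What follows is an added example, written for this page and not code from any of the posters: a standard-library Python script that parses the 319-byte frame from the dump, verifies the IP and UDP checksums (the analyzer reports both as correct), splits the SSDP NOTIFY into its headers, and lists what a packet analyst would note from them. The frame bytes are copied from the dump; the function names and the wording of the findings are this example's own. On this frame it reports that the source 192.168.0.1 is an RFC 1918 address, that the destination 239.255.255.250 is the SSDP multicast group but is carried in an Ethernet broadcast frame rather than the RFC 1112 multicast MAC 01:00:5e:7f:ff:fa, that NTS ssdp:alive is a periodic presence announcement refreshed within CACHE-CONTROL max-age=120, and that LOCATION, NT and USN describe a UPnP InternetGatewayDevice serving its description from http://192.168.0.1:5678/igd.xml, the frame's own source address.

```python
"""Decode the SSDP NOTIFY frame quoted in the thread and verify its checksums.
Added example for this page; the bytes are from the quoted packet dump, the
function names and finding texts are this example's own."""
import ipaddress
import struct
from urllib.parse import urlsplit

# The 319-byte Ethernet frame exactly as shown in the quoted dump.
FRAME = bytes.fromhex(
    "FF FF FF FF FF FF 00 40 05 B5 BB 9B 08 00 45 00 01 31 83 00 00 00 7F 11 07 18 C0 A8 00 01 EF FF "
    "FF FA 07 6C 07 6C 01 1D 99 D4 4E 4F 54 49 46 59 20 2A 20 48 54 54 50 2F 31 2E 31 0D 0A 48 4F 53 "
    "54 3A 20 32 33 39 2E 32 35 35 2E 32 35 35 2E 32 35 30 3A 31 39 30 30 0D 0A 43 41 43 48 45 2D 43 "
    "4F 4E 54 52 4F 4C 3A 20 6D 61 78 2D 61 67 65 3D 31 32 30 0D 0A 4C 4F 43 41 54 49 4F 4E 3A 20 68 "
    "74 74 70 3A 2F 2F 31 39 32 2E 31 36 38 2E 30 2E 31 3A 35 36 37 38 2F 69 67 64 2E 78 6D 6C 0D 0A "
    "4E 54 3A 20 75 75 69 64 3A 75 70 6E 70 2D 49 6E 74 65 72 6E 65 74 47 61 74 65 77 61 79 44 65 76 "
    "69 63 65 2D 31 5F 30 2D 31 32 33 34 35 36 37 38 39 30 30 30 30 31 0D 0A 4E 54 53 3A 20 73 73 64 "
    "70 3A 61 6C 69 76 65 0D 0A 53 45 52 56 45 52 3A 20 45 6D 62 65 64 64 65 64 20 55 50 6E 50 2F 31 "
    "2E 30 0D 0A 55 53 4E 3A 20 75 75 69 64 3A 75 70 6E 70 2D 49 6E 74 65 72 6E 65 74 47 61 74 65 77 "
    "61 79 44 65 76 69 63 65 2D 31 5F 30 2D 31 32 33 34 35 36 37 38 39 30 30 30 30 31 0D 0A 0D 0A"
)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, folded to 16 bits.
    Data that already carries a correct checksum sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def multicast_mac(group: ipaddress.IPv4Address) -> bytes:
    """RFC 1112 mapping of an IPv4 multicast group onto its Ethernet address."""
    b = group.packed
    return bytes([0x01, 0x00, 0x5E, b[1] & 0x7F, b[2], b[3]])


def parse_ssdp(payload: bytes):
    """Split an SSDP (HTTP-over-UDP) message into its start line and headers."""
    text = payload.decode("ascii", errors="replace")
    start_line, _, rest = text.partition("\r\n")
    headers = {}
    for line in rest.split("\r\n"):
        if not line:  # the empty line ends the header block
            break
        name, _, value = line.partition(":")  # first colon only: LOCATION holds a URL
        headers[name.strip().upper()] = value.strip()
    return start_line, headers


def decode_frame(frame: bytes) -> dict:
    """Walk Ethernet II -> IPv4 -> UDP -> SSDP and check both checksums."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    src_ip, dst_ip = ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20])
    if proto != 17:
        raise ValueError("not UDP: protocol %d" % proto)
    udp = ip[ihl:total_len]
    sport, dport, udp_len, _ucsum = struct.unpack("!HHHH", udp[:8])
    # The UDP checksum also covers a pseudo-header: addresses, zero, protocol, length.
    pseudo = struct.pack("!4s4sBBH", src_ip.packed, dst_ip.packed, 0, proto, udp_len)
    start_line, headers = parse_ssdp(udp[8:udp_len])
    return {
        "eth_dst": dst_mac.hex(":"), "eth_src": src_mac.hex(":"),
        "ip_src": src_ip, "ip_dst": dst_ip, "ip_ttl": ttl,
        "ip_checksum_ok": internet_checksum(ip[:ihl]) == 0xFFFF,
        "udp_sport": sport, "udp_dport": dport, "udp_len": udp_len,
        "udp_checksum_ok": internet_checksum(pseudo + udp[:udp_len]) == 0xFFFF,
        "ssdp_start": start_line, "ssdp_headers": headers,
    }


def assess(d: dict) -> list:
    """Turn the decoded fields into the notes an analyst would write down."""
    src, dst, h = d["ip_src"], d["ip_dst"], d["ssdp_headers"]
    notes = []
    if src.is_private:
        notes.append("source %s is an RFC 1918 address: the sender is on the local segment" % src)
    if dst.is_multicast:
        notes.append("destination %s is the SSDP multicast group, i.e. every listener on the LAN" % dst)
        expected = multicast_mac(dst).hex(":")
        if d["eth_dst"] != expected:
            notes.append("sent as Ethernet broadcast %s instead of multicast MAC %s, so every station sees it"
                         % (d["eth_dst"], expected))
    if h.get("NTS") == "ssdp:alive":
        notes.append("NTS ssdp:alive is a presence announcement, resent before CACHE-CONTROL '%s' expires"
                     % h.get("CACHE-CONTROL", ""))
    host = urlsplit(h.get("LOCATION", "")).hostname
    if host and ipaddress.IPv4Address(host).is_private:
        notes.append("LOCATION %s serves the device description from a private address" % h["LOCATION"])
    if "InternetGatewayDevice" in h.get("NT", ""):
        notes.append("NT/USN advertise a UPnP InternetGatewayDevice, a router announcing itself (SERVER: %s)"
                     % h.get("SERVER", ""))
    return notes


if __name__ == "__main__":
    decoded = decode_frame(FRAME)
    for key, value in decoded.items():
        print("%-16s %s" % (key, value))
    for note in assess(decoded):
        print("-", note)
```

Run it as a script to print the decoded fields and the findings. decode_frame() works on any raw IPv4/UDP frame saved from a sniffer, which is how to turn a capture into the time-stamped plain-text evidence an abuse desk asks for; for this particular frame the source address is private and the advertised device lives at that same address, which is the first thing to check before involving the ISP.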
-------------------------------------------------------------------------------- 
Computer Talk Shop http://www.computertalkshop.com[3] 
Un-subscribe/Vacation, http://szaroconsulting.com/cts/list_options.htm[4] 

List HowTo: http://szaroconsulting.com/cts/faq[5] 

To join Computer Talk Shop's off topic list, please goto: 
http://szaroconsulting.com/cts/other_cts_lists.htm[6] 
-------------------------------------------------------------------------------- 

--- Links ---
   1 http://samspade.org/t/refer.cgi?a=&f=8191#10
   2 http://www.eeye.com/html/Research/Advisories/AD20011220.html
   3 http://www.computertalkshop.com
   4 http://szaroconsulting.com/cts/list_options.htm
   5 http://szaroconsulting.com/cts/faq
   6 http://szaroconsulting.com/cts/other_cts_lists.htm