Donna,

It seems that once again Wily Coyote has been had by the Road Runner. I would suggest contacting Acme explosives and placing the usual order.

John McLaughlin
Glendale, Arizona

DBCfour@xxxxxxx wrote:

A friend of mine sent this email account of a problem he's been having for over almost 2 weeks now. Can one of you guys give me some idea of what I should suggest that they do given the information provided below?

Thanks in advance,
Donna

********************************************************************************

Here is the second reply I got from RR. Below it is the message I sent them. Can you figure out what additional info they want, and what can I get them to do? They appear to me like they don't seem interested in helping. As I stated in the message even if this is not a threat, this is affecting my bandwidth and I want it stopped.

Any ideas, comments? thanks.

----- Original Message -----
From: "Road Runner Security [KMH]" <abuse@xxxxxx>
To: "Dace Hodgin" <hodgind@xxxxxxxxxxxx>
Sent: Thursday, November 21, 2002 4:44 PM
Subject: Re: Security

Hello,

Road Runner has received your e-mail, but is currently unable to process it further as it is missing some required information. Please read this reply to find out what information that we require in order to process your complaint.

If you are reporting an Internet abuse issue, it is important that you include detailed time stamped logs in plain text format to us so that we may assist you. Without it, we will be unable to substantiate "abuse" allegations, and will not be able to assist you.
Your logs must contain the following information, in any order, for Road Runner to process them:

Date of Incident, Time of Incident, Time Zone, Attacker IP, Your IP, local Port

If the incident that was the basis of your complaint was neither instigated by an individual using the Road Runner system, nor in any way related to the Road Runner system or content maintained by Road Runner, then Road Runner is not the proper entity to contact because we are not in a position to take any action. If you wish to pursue this matter, you may want to contact the person responsible for the incident, or the Internet Service Provider through which the content was posted or on which it is maintained.

A good place to begin in the instance of unwanted probes is http://samspade.org/t/refer.cgi?a=&f=8191#10[1]

--On Tuesday, November 19, 2002 8:27 PM -0500 Dace Hodgin <hodgind@xxxxxxxxxxxx> wrote:

> Since sending the initial email I have investigated the incident and
> discovered the activity is on UDP port 1900 to IP address 239.255.255.250
> which is related to Microsoft Simple Service Discovery Protocol. There
> seems to be an issue with Denial of Service attacks
> (http://www.eeye.com/html/Research/Advisories/AD20011220.html[2]). I have
> checked for the patches from Microsoft and don't need them. I have also
> set up filter and firewall rules on my router to block this activity. The
> problem is that I have noticed a negative impact in my bandwidth during
> this time. This activity has been continuous since 11-09-02. The only
> IP address that shows up on my activity logs is the 239.255.255.250
> address. I don't know where this activity is originating from, but is
> not my LAN. It may not be intentional but I would like this stopped.
> I'm sorry I cannot provide you with more information. I am attaching an
> example of one of the packets below.
>
> Packet #2, Direction: Pass-through, Time:20:16:40.970, Size: 319
> Ethernet II
>   Destination MAC: FF:FF:FF:FF:FF:FF
>   Source MAC: 00:40:05:B5:BB:9B
>   Ethertype: 0x0800 (2048) - IP
> IP
>   IP version: 0x04 (4)
>   Header length: 0x05 (5) - 20 bytes
>   Type of service: 0x00 (0)
>     Precedence: 000 - Routine
>     Delay: 0 - Normal delay
>     Throughput: 0 - Normal throughput
>     Reliability: 0 - Normal reliability
>   Total length: 0x0131 (305)
>   ID: 0x8300 (33536)
>   Flags
>     Don't fragment bit: 0 - May fragment
>     More fragments bit: 0 - Last fragment
>   Fragment offset: 0x0000 (0)
>   Time to live: 0x7F (127)
>   Protocol: 0x11 (17) - UDP
>   Checksum: 0x0718 (1816) - correct
>   Source IP: 192.168.0.1
>   Destination IP: 239.255.255.250
>   IP Options: None
> UDP
>   Source port: 1900
>   Destination port: 1900
>   Length: 0x011D (285)
>   Checksum: 0x99D4 (39380) - correct
> Raw Data:
> 0x0000  FF FF FF FF FF FF 00 40-05 B5 BB 9B 08 00 45 00  ÿÿÿÿÿÿ.@.µ»>..E.
> 0x0010  01 31 83 00 00 00 7F 11-07 18 C0 A8 00 01 EF FF  .1f... ...À¨..ïÿ
> 0x0020  FF FA 07 6C 07 6C 01 1D-99 D4 4E 4F 54 49 46 59  ÿú.l.l..TÔNOTIFY
> 0x0030  20 2A 20 48 54 54 50 2F-31 2E 31 0D 0A 48 4F 53   * HTTP/1.1..HOS
> 0x0040  54 3A 20 32 33 39 2E 32-35 35 2E 32 35 35 2E 32  T: 239.255.255.2
> 0x0050  35 30 3A 31 39 30 30 0D-0A 43 41 43 48 45 2D 43  50:1900..CACHE-C
> 0x0060  4F 4E 54 52 4F 4C 3A 20-6D 61 78 2D 61 67 65 3D  ONTROL: max-age=
> 0x0070  31 32 30 0D 0A 4C 4F 43-41 54 49 4F 4E 3A 20 68  120..LOCATION: h
> 0x0080  74 74 70 3A 2F 2F 31 39-32 2E 31 36 38 2E 30 2E  ttp://192.168.0.
> 0x0090  31 3A 35 36 37 38 2F 69-67 64 2E 78 6D 6C 0D 0A  1:5678/igd.xml..
> 0x00A0  4E 54 3A 20 75 75 69 64-3A 75 70 6E 70 2D 49 6E  NT: uuid:upnp-In
> 0x00B0  74 65 72 6E 65 74 47 61-74 65 77 61 79 44 65 76  ternetGatewayDev
> 0x00C0  69 63 65 2D 31 5F 30 2D-31 32 33 34 35 36 37 38  ice-1_0-12345678
> 0x00D0  39 30 30 30 30 31 0D 0A-4E 54 53 3A 20 73 73 64  900001..NTS: ssd
> 0x00E0  70 3A 61 6C 69 76 65 0D-0A 53 45 52 56 45 52 3A  p:alive..SERVER:
> 0x00F0  20 45 6D 62 65 64 64 65-64 20 55 50 6E 50 2F 31   Embedded UPnP/1
> 0x0100  2E 30 0D 0A 55 53 4E 3A-20 75 75 69 64 3A 75 70  .0..USN: uuid:up
> 0x0110  6E 70 2D 49 6E 74 65 72-6E 65 74 47 61 74 65 77  np-InternetGatew
> 0x0120  61 79 44 65 76 69 63 65-2D 31 5F 30 2D 31 32 33  ayDevice-1_0-123
> 0x0130  34 35 36 37 38 39 30 30-30 30 31 0D 0A 0D 0A     45678900001....
>

--------------------------------------------------------------------------------
Computer Talk Shop http://www.computertalkshop.com[3]
Un-subscribe/Vacation, http://szaroconsulting.com/cts/list_options.htm[4]
List HowTo: http://szaroconsulting.com/cts/faq[5]
To join Computer Talk Shop's off topic list, please goto: http://szaroconsulting.com/cts/other_cts_lists.htm[6]
--------------------------------------------------------------------------------

--- Links ---
1 http://samspade.org/t/refer.cgi?a=&f=8191#10
2 http://www.eeye.com/html/Research/Advisories/AD20011220.html
3 http://www.computertalkshop.com
4 http://szaroconsulting.com/cts/list_options.htm
5 http://szaroconsulting.com/cts/faq
6 http://szaroconsulting.com/cts/other_cts_lists.htm
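
Added example, not part of the original messages: a decoder for the single frame quoted in the post above, reporting the source IP, destination IP and port that Road Runner's reply asks for, plus the scope of each address and the SSDP headers. The header bytes and SSDP text are retyped from that dump; the names `scope` and `parse_frame` are chosen here.

```python
import ipaddress
import struct

# Ethernet II, IPv4 and UDP headers: offsets 0x0000-0x0029 of the dump in the post.
HEADERS = bytes.fromhex(
    "FFFFFFFFFFFF 004005B5BB9B 0800"
    "4500 0131 8300 0000 7F11 0718 C0A80001 EFFFFFFA"
    "076C 076C 011D 99D4"
)
# SSDP payload, retyped from the ASCII column of the same dump.
PAYLOAD = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"CACHE-CONTROL: max-age=120\r\n"
    b"LOCATION: http://192.168.0.1:5678/igd.xml\r\n"
    b"NT: uuid:upnp-InternetGatewayDevice-1_0-12345678900001\r\n"
    b"NTS: ssdp:alive\r\n"
    b"SERVER: Embedded UPnP/1.0\r\n"
    b"USN: uuid:upnp-InternetGatewayDevice-1_0-12345678900001\r\n"
    b"\r\n"
)
FRAME = HEADERS + PAYLOAD


def scope(ip):
    """Coarse address class used in the summary."""
    if ip.is_multicast:
        return "multicast"
    return "private" if ip.is_private else "public"


def parse_frame(frame):
    """Decode one Ethernet II / IPv4 / UDP frame carrying an SSDP message."""
    src_mac, ethertype = struct.unpack("!6x6sH", frame[:14])
    if ethertype != 0x0800 or frame[23] != 17:
        raise ValueError("not an IPv4/UDP frame")
    ihl = (frame[14] & 0x0F) * 4                      # IP header length in bytes
    words = struct.unpack("!%dH" % (ihl // 2), frame[14:14 + ihl])
    src, dst = (ipaddress.ip_address(frame[o:o + 4]) for o in (26, 30))
    udp = 14 + ihl
    sport, dport, ulen = struct.unpack("!HHH", frame[udp:udp + 6])
    lines = frame[udp + 8:udp + ulen].decode("latin-1").split("\r\n")
    headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    return {
        "src_mac": src_mac.hex(":"), "ttl": frame[22],
        # A valid header's ones'-complement sum folds to 0xFFFF (RFC 1071).
        "ip_checksum_ok": sum(words) % 0xFFFF == 0,
        "src_ip": str(src), "src_scope": scope(src),
        "dst_ip": str(dst), "dst_scope": scope(dst),
        "src_port": sport, "dst_port": dport,
        "method": lines[0].split(" ")[0], "headers": headers,
    }
```

Calling `parse_frame(FRAME)` returns a dictionary whose `src_scope` and `dst_scope` entries classify 192.168.0.1 and 239.255.255.250; the date, time and time zone that the reply also asks for come from the capture tool's timestamp, not from the frame.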