[CTS] Re: Excessive Cable Modem Activity

  • From: "Eric C. Vogel" <ECVogel@xxxxxxxxx>
  • To: <computertalkshop@xxxxxxxxxxxxx>
  • Date: Fri, 22 Nov 2002 13:14:21 -0500

Both my friend and I saw an increase in light activity with RR, and it has not
gone away. I cannot say now; I have been on Comcast.net for almost a year.
But I think the light still flashes when the PC and Linksys firewall are off.
It could be an RR/Comcast server checking to see if the IP is active.
Thank you,
Eric Vogel
----- Original Message ----- 
From: <DBCfour@xxxxxxx>
To: <computertalkshop@xxxxxxxxxxxxx>
Sent: Thursday, November 21, 2002 10:03 PM
Subject: [CTS] Excessive Cable Modem Activity


>
>
> A friend of mine sent this email account of a problem he's been having for
> over almost 2 weeks now.  Can one of you guys give me some idea of what I
> should suggest that they do given the information provided below?
>
> Thanks in advance,
>
> Donna
>
> ******************************************************************************
>
> ****************
> Here is the second reply I got from RR.  Below it is the message I sent
> them.  Can you figure out what additional info they want, and what can I
> get them to do?  They appear to me like they don't seem interested in
> helping.  As I stated in the message, even if this is not a threat, this is
> affecting my bandwidth and I want it stopped.  Any ideas, comments?  Thanks.
>
> ----- Original Message -----
> From: "Road Runner Security [KMH]" <abuse@xxxxxx>
> To: "Dace Hodgin" <hodgind@xxxxxxxxxxxx>
> Sent: Thursday, November 21, 2002 4:44 PM
> Subject: Re: Security
>
>
> Hello,
>
> Road Runner has received your e-mail, but is currently unable to process it
> further as it is missing some required information. Please read this reply
> to find out what information we require in order to process your
> complaint.
>
> If you are reporting an Internet abuse issue, it is important that you
> include detailed time stamped logs in plain text format to us so that we
> may assist you.  Without it, we will be unable to substantiate "abuse"
> allegations, and will not be able to assist you.
>
> Your logs must contain the following information, in any order, for Road
> Runner to process them:
>
> Date of Incident, Time of Incident, Time Zone, Attacker IP, Your IP, local
> Port
>
>
> If the incident that was the basis of your complaint was neither instigated
> by an individual using the Road Runner system, nor in any way related to
> the Road Runner system or content maintained by Road Runner, then Road
> Runner is not the proper entity to contact because we are not in a position
> to take any action.
>
> If you wish to pursue this matter, you may want to contact the person
> responsible for the incident, or the Internet Service Provider through
> which the content was posted or on which it is maintained. A good place to
> begin in the instance of unwanted probes is
> http://samspade.org/t/refer.cgi?a=&f=8191#10
>
>
> --On Tuesday, November 19, 2002 8:27 PM -0500 Dace Hodgin
> <hodgind@xxxxxxxxxxxx> wrote:
>
> > Since sending the initial email I have investigated the incident and
> > discovered the activity is on UDP port 1900 to IP address 239.255.255.250
> > which is related to Microsoft Simple Service Discovery Protocol. There
> > seems to be an issue with Denial of Service attacks
> > (http://www.eeye.com/html/Research/Advisories/AD20011220.html).  I have
> > checked for the patches from Microsoft and don't need them.   I have also
> > set up filter and firewall rules on my router to block this activity.  The
> > problem is that I have noticed a negative impact in my bandwidth during
> > this time.  This activity has been continuous since 11-09-02.   The only
> > IP address that shows up on my activity logs is the 239.255.255.250
> > address.  I don't know where this activity is originating from, but it is
> > not my LAN.  It may not be intentional but I would like this stopped.
> > I'm sorry I cannot provide you with more information. I am attaching an
> > example of one of the packets below.
> >
> > Packet #2, Direction: Pass-through, Time:20:16:40.970, Size: 319
> > Ethernet II
> >  Destination MAC: FF:FF:FF:FF:FF:FF
> >  Source MAC: 00:40:05:B5:BB:9B
> >  Ethertype: 0x0800 (2048) - IP
> > IP
> >  IP version: 0x04 (4)
> >  Header length: 0x05 (5) - 20 bytes
> >  Type of service: 0x00 (0)
> >   Precedence: 000 - Routine
> >   Delay: 0 - Normal delay
> >   Throughput: 0 - Normal throughput
> >   Reliability: 0 - Normal reliability
> >  Total length: 0x0131 (305)
> >  ID: 0x8300 (33536)
> >  Flags
> >   Don't fragment bit: 0 - May fragment
> >   More fragments bit: 0 - Last fragment
> >  Fragment offset: 0x0000 (0)
> >  Time to live: 0x7F (127)
> >  Protocol: 0x11 (17) - UDP
> >  Checksum: 0x0718 (1816) - correct
> >  Source IP: 192.168.0.1
> >  Destination IP: 239.255.255.250
> >  IP Options: None
> > UDP
> >  Source port: 1900
> >  Destination port: 1900
> >  Length: 0x011D (285)
> >  Checksum: 0x99D4 (39380) - correct
> > Raw Data:
> > 0x0000   FF FF FF FF FF FF 00 40-05 B5 BB 9B 08 00 45 00   .......@......E.
> > 0x0010   01 31 83 00 00 00 7F 11-07 18 C0 A8 00 01 EF FF   .1..............
> > 0x0020   FF FA 07 6C 07 6C 01 1D-99 D4 4E 4F 54 49 46 59   ...l.l....NOTIFY
> > 0x0030   20 2A 20 48 54 54 50 2F-31 2E 31 0D 0A 48 4F 53    * HTTP/1.1..HOS
> > 0x0040   54 3A 20 32 33 39 2E 32-35 35 2E 32 35 35 2E 32   T: 239.255.255.2
> > 0x0050   35 30 3A 31 39 30 30 0D-0A 43 41 43 48 45 2D 43   50:1900..CACHE-C
> > 0x0060   4F 4E 54 52 4F 4C 3A 20-6D 61 78 2D 61 67 65 3D   ONTROL: max-age=
> > 0x0070   31 32 30 0D 0A 4C 4F 43-41 54 49 4F 4E 3A 20 68   120..LOCATION: h
> > 0x0080   74 74 70 3A 2F 2F 31 39-32 2E 31 36 38 2E 30 2E   ttp://192.168.0.
> > 0x0090   31 3A 35 36 37 38 2F 69-67 64 2E 78 6D 6C 0D 0A   1:5678/igd.xml..
> > 0x00A0   4E 54 3A 20 75 75 69 64-3A 75 70 6E 70 2D 49 6E   NT: uuid:upnp-In
> > 0x00B0   74 65 72 6E 65 74 47 61-74 65 77 61 79 44 65 76   ternetGatewayDev
> > 0x00C0   69 63 65 2D 31 5F 30 2D-31 32 33 34 35 36 37 38   ice-1_0-12345678
> > 0x00D0   39 30 30 30 30 31 0D 0A-4E 54 53 3A 20 73 73 64   900001..NTS: ssd
> > 0x00E0   70 3A 61 6C 69 76 65 0D-0A 53 45 52 56 45 52 3A   p:alive..SERVER:
> > 0x00F0   20 45 6D 62 65 64 64 65-64 20 55 50 6E 50 2F 31    Embedded UPnP/1
> > 0x0100   2E 30 0D 0A 55 53 4E 3A-20 75 75 69 64 3A 75 70   .0..USN: uuid:up
> > 0x0110   6E 70 2D 49 6E 74 65 72-6E 65 74 47 61 74 65 77   np-InternetGatew
> > 0x0120   61 79 44 65 76 69 63 65-2D 31 5F 30 2D 31 32 33   ayDevice-1_0-123
> > 0x0130   34 35 36 37 38 39 30 30-30 30 31 0D 0A 0D 0A      45678900001....
> >
> --------------------------------------------------------------------------------
> Computer Talk Shop http://www.computertalkshop.com
> Un-subscribe/Vacation, http://szaroconsulting.com/cts/list_options.htm
>
> List HowTo: http://szaroconsulting.com/cts/faq
>
> To join Computer Talk Shop's off topic list, please goto:
> http://szaroconsulting.com/cts/other_cts_lists.htm
> --------------------------------------------------------------------------------


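The packet Dace quoted already answers the abuse desk's questions, once it is decoded. As an added example (not part of the thread, and not anyone's code from it), the Python below re-assembles the 319-byte frame from the hex dump above, walks Ethernet II / IPv4 / UDP, verifies the IP header checksum, pulls out the SSDP headers and turns the fields into plain-language findings. The frame bytes are transcribed from the quoted dump; the `triage()` findings and their wording are this example's own.

```python
"""Decode the SSDP NOTIFY frame from the thread and say what it implies."""
import struct
import ipaddress
from urllib.parse import urlsplit

# The 319-byte frame transcribed from the hex dump quoted in the thread
# (quoted-printable line wraps removed by hand).
FRAME_HEX = """
ff ff ff ff ff ff 00 40 05 b5 bb 9b 08 00 45 00
01 31 83 00 00 00 7f 11 07 18 c0 a8 00 01 ef ff
ff fa 07 6c 07 6c 01 1d 99 d4 4e 4f 54 49 46 59
20 2a 20 48 54 54 50 2f 31 2e 31 0d 0a 48 4f 53
54 3a 20 32 33 39 2e 32 35 35 2e 32 35 35 2e 32
35 30 3a 31 39 30 30 0d 0a 43 41 43 48 45 2d 43
4f 4e 54 52 4f 4c 3a 20 6d 61 78 2d 61 67 65 3d
31 32 30 0d 0a 4c 4f 43 41 54 49 4f 4e 3a 20 68
74 74 70 3a 2f 2f 31 39 32 2e 31 36 38 2e 30 2e
31 3a 35 36 37 38 2f 69 67 64 2e 78 6d 6c 0d 0a
4e 54 3a 20 75 75 69 64 3a 75 70 6e 70 2d 49 6e
74 65 72 6e 65 74 47 61 74 65 77 61 79 44 65 76
69 63 65 2d 31 5f 30 2d 31 32 33 34 35 36 37 38
39 30 30 30 30 31 0d 0a 4e 54 53 3a 20 73 73 64
70 3a 61 6c 69 76 65 0d 0a 53 45 52 56 45 52 3a
20 45 6d 62 65 64 64 65 64 20 55 50 6e 50 2f 31
2e 30 0d 0a 55 53 4e 3a 20 75 75 69 64 3a 75 70
6e 70 2d 49 6e 74 65 72 6e 65 74 47 61 74 65 77
61 79 44 65 76 69 63 65 2d 31 5f 30 2d 31 32 33
34 35 36 37 38 39 30 30 30 30 31 0d 0a 0d 0a
"""
FRAME = bytes.fromhex(FRAME_HEX)

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # SSDP multicast group
SSDP_PORT = 1900


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header. Computed over a
    header that already contains its checksum field, the result is 0 when
    the header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet II / IPv4 / UDP and parse the SSDP (HTTP-style) payload."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                    # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    if proto != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    payload = udp[8:ulen]
    # SSDP is HTTP-like: a request line, "Name: value" headers, blank line.
    lines = payload.decode("ascii", "replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return {
        "src_mac": src_mac.hex(":"),
        "dst_mac": dst_mac.hex(":"),
        "ip_checksum_ok": ip_checksum(ip[:ihl]) == 0,
        "src_ip": ipaddress.ip_address(ip[12:16]),
        "dst_ip": ipaddress.ip_address(ip[16:20]),
        "sport": sport,
        "dport": dport,
        "request": lines[0],
        "headers": headers,
    }


def triage(info: dict) -> list:
    """Turn the decoded fields into the findings a help desk or abuse desk
    would need. Each finding is one short string (wording is this example's)."""
    findings = []
    if info["dst_ip"] == SSDP_GROUP and info["dport"] == SSDP_PORT:
        findings.append("multicast-destination: 239.255.255.250 is the SSDP group "
                        "address, not a remote host, so it cannot serve as the "
                        "'attacker IP' an abuse desk asks for")
    if info["src_ip"].is_private:
        findings.append(f"local-source: {info['src_ip']} is an RFC 1918 address, "
                        "so the sender sits on the local network segment")
    if info["request"].startswith("NOTIFY") and info["headers"].get("NTS") == "ssdp:alive":
        findings.append("upnp-announcement: NOTIFY with NTS ssdp:alive is a UPnP "
                        "device advertising itself; CACHE-CONTROL "
                        f"{info['headers'].get('CACHE-CONTROL', '?')} bounds how long "
                        "listeners may cache it, so periodic repeats are expected")
    loc = info["headers"].get("LOCATION")
    if loc and urlsplit(loc).hostname == str(info["src_ip"]):
        findings.append(f"self-description: the advertised description URL {loc} "
                        "points back at the sender")
    return findings


if __name__ == "__main__":
    decoded = parse_frame(FRAME)
    print(f"{decoded['src_ip']}:{decoded['sport']} -> "
          f"{decoded['dst_ip']}:{decoded['dport']}  {decoded['request']}")
    for finding in triage(decoded):
        print(" -", finding)
```

Run as-is, it reports the sender as 192.168.0.1 (a private address, and the same host the LOCATION header names at http://192.168.0.1:5678/igd.xml) announcing a UPnP InternetGatewayDevice to the SSDP group, which is why the logs never show a second address: the only "remote" party in the packet is the multicast group. The decoder also exposes the MACs; the capture addresses the frame to the broadcast MAC rather than the 01:00:5E:7F:FF:FA mapping of 239.255.255.250, which is worth noting but is not something the findings draw conclusions from.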
