Both I and my friend saw an increase in light activity with RR, and it has not gone away. I cannot say now; I have been on Comcast.net for almost a year. But I think the light still flashes when the PC and Linksys firewall are off. It could be a RR/Comcast server checking to see if the IP is active.

Thank you,
Eric Vogel

----- Original Message -----
From: <DBCfour@xxxxxxx>
To: <computertalkshop@xxxxxxxxxxxxx>
Sent: Thursday, November 21, 2002 10:03 PM
Subject: [CTS] Excessive Cable Modem Activity

> A friend of mine sent this email account of a problem he's been having for
> over almost 2 weeks now. Can one of you guys give me some idea of what I
> should suggest that they do given the information provided below?
>
> Thanks in advance,
>
> Donna
> ****************************************************************************
>
> Here is the second reply I got from RR. Below it is the message I sent
> them. Can you figure out what additional info they want, and what can I get
> them to do? They appear to me like they don't seem interested in helping.
> As I stated in the message even if this is not a threat, this is affecting
> my bandwidth and I want it stopped. Any ideas, comments? thanks.
>
> ----- Original Message -----
> From: "Road Runner Security [KMH]" <abuse@xxxxxx>
> To: "Dace Hodgin" <hodgind@xxxxxxxxxxxx>
> Sent: Thursday, November 21, 2002 4:44 PM
> Subject: Re: Security
>
> Hello,
>
> Road Runner has received your e-mail, but is currently unable to process it
> further as it is missing some required information. Please read this reply
> to find out what information we require in order to process your
> complaint.
>
> If you are reporting an Internet abuse issue, it is important that you
> include detailed time stamped logs in plain text format to us so that we
> may assist you. Without it, we will be unable to substantiate "abuse"
> allegations, and will not be able to assist you.
>
> Your logs must contain the following information, in any order, for Road
> Runner to process them:
>
> Date of Incident, Time of Incident, Time Zone, Attacker IP, Your IP, local
> Port
>
> If the incident that was the basis of your complaint was neither instigated
> by an individual using the Road Runner system, nor in any way related to
> the Road Runner system or content maintained by Road Runner, then Road
> Runner is not the proper entity to contact because we are not in a position
> to take any action.
>
> If you wish to pursue this matter, you may want to contact the person
> responsible for the incident, or the Internet Service Provider through
> which the content was posted or on which it is maintained. A good place to
> begin in the instance of unwanted probes is
> http://samspade.org/t/refer.cgi?a=&f=8191#10
>
> --On Tuesday, November 19, 2002 8:27 PM -0500 Dace Hodgin
> <hodgind@xxxxxxxxxxxx> wrote:
>
> > Since sending the initial email I have investigated the incident and
> > discovered the activity is on UDP port 1900 to IP address 239.255.255.250
> > which is related to Microsoft Simple Service Discovery Protocol. There
> > seems to be an issue with Denial of Service attacks
> > (http://www.eeye.com/html/Research/Advisories/AD20011220.html). I have
> > checked for the patches from Microsoft and don't need them. I have also
> > set up filter and firewall rules on my router to block this activity. The
> > problem is that I have noticed a negative impact in my bandwidth during
> > this time. This activity has been continuous since 11-09-02. The only
> > IP address that shows up on my activity logs is the 239.255.255.250
> > address. I don't know where this activity is originating from, but it is
> > not my LAN. It may not be intentional but I would like this stopped.
> > I'm sorry I cannot provide you with more information. I am attaching an
> > example of one of the packets below.
> >
> > Packet #2, Direction: Pass-through, Time:20:16:40.970, Size: 319
> > Ethernet II
> >   Destination MAC: FF:FF:FF:FF:FF:FF
> >   Source MAC: 00:40:05:B5:BB:9B
> >   Ethertype: 0x0800 (2048) - IP
> > IP
> >   IP version: 0x04 (4)
> >   Header length: 0x05 (5) - 20 bytes
> >   Type of service: 0x00 (0)
> >     Precedence: 000 - Routine
> >     Delay: 0 - Normal delay
> >     Throughput: 0 - Normal throughput
> >     Reliability: 0 - Normal reliability
> >   Total length: 0x0131 (305)
> >   ID: 0x8300 (33536)
> >   Flags
> >     Don't fragment bit: 0 - May fragment
> >     More fragments bit: 0 - Last fragment
> >   Fragment offset: 0x0000 (0)
> >   Time to live: 0x7F (127)
> >   Protocol: 0x11 (17) - UDP
> >   Checksum: 0x0718 (1816) - correct
> >   Source IP: 192.168.0.1
> >   Destination IP: 239.255.255.250
> >   IP Options: None
> > UDP
> >   Source port: 1900
> >   Destination port: 1900
> >   Length: 0x011D (285)
> >   Checksum: 0x99D4 (39380) - correct
>
> --------------------------------------------------------------------------
> Computer Talk Shop http://www.computertalkshop.com
> Un-subscribe/Vacation, http://szaroconsulting.com/cts/list_options.htm
>
> List HowTo: http://szaroconsulting.com/cts/faq
>
> To join Computer Talk Shop's off topic list, please go to:
> http://szaroconsulting.com/cts/other_cts_lists.htm
> --------------------------------------------------------------------------
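
A triage of the kind the Road Runner reply calls for, as an added example (not part of the original thread, and not code from any poster or from Road Runner): decode a captured frame, decide whether its source is an RFC 1918 address on the local segment or an external host, and for the external case format a plain-text log line with the six fields the reply lists. The frame builder, the sample payload and all function names are constructed for illustration.

```python
import ipaddress
import struct

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")
SSDP_PORT = 1900
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed SSDP announcement, not a capture.
SAMPLE_PAYLOAD = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                  b"NTS: ssdp:alive\r\n\r\n")

def build_frame(src_ip, payload):
    """Constructed Ethernet II/IPv4/UDP frame (checksums zeroed) for the demo."""
    eth = bytes.fromhex("ffffffffffff" "004005b5bb9b" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0x8300, 0,
                     127, 17, 0, ipaddress.ip_address(src_ip).packed,
                     SSDP_GROUP.packed)
    udp = struct.pack("!HHHH", SSDP_PORT, SSDP_PORT, 8 + len(payload), 0)
    return eth + ip + udp + payload

def parse_frame(frame):
    """Decode Ethernet II / IPv4 / UDP headers plus any SSDP header lines."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet II frame")
    ihl = (frame[14] & 0x0F) * 4              # IPv4 header length in bytes
    if frame[23] != 17 or len(frame) < 14 + ihl + 8:
        raise ValueError("not a UDP datagram")
    udp = 14 + ihl
    sport, dport, ulen = struct.unpack("!HHH", frame[udp:udp + 6])
    lines = frame[udp + 8:udp + ulen].decode("ascii", "replace").split("\r\n")
    headers = [l.split(":", 1) for l in lines[1:] if ":" in l]
    return {"src_mac": frame[6:12].hex(":"), "start_line": lines[0],
            "src": ipaddress.ip_address(frame[26:30]),
            "dst": ipaddress.ip_address(frame[30:34]),
            "sport": sport, "dport": dport,
            "ssdp": {k.strip().upper(): v.strip() for k, v in headers}}

def triage(pkt):
    """Separate local-segment chatter from traffic worth an ISP abuse report."""
    is_ssdp = pkt["dst"] == SSDP_GROUP and pkt["dport"] == SSDP_PORT
    if any(pkt["src"] in net for net in RFC1918):
        # RFC 1918 sources are not routed over the Internet: the sender is on
        # the captured layer-2 segment and is identified by its source MAC.
        kind = "SSDP announcement" if is_ssdp else "traffic"
        return f"local {kind} from {pkt['src']} ({pkt['src_mac']})"
    return "external source: report to the owning ISP"

def abuse_log_line(when, pkt, my_ip):
    """Date, time, time zone, attacker IP, your IP, local port (when: aware datetime)."""
    return (f"{when:%Y-%m-%d} {when:%H:%M:%S} {when:%z} "
            f"attacker={pkt['src']} victim={my_ip} local_port={pkt['dport']}")
```
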