This traffic appears to be the result of an RTT measurement which involves Mirror Image servers. According to Mirror Image, a load balancer (Cisco's DistributedDirector) is used. More on the DRP-RTT metric:

http://www.cisco.com/warp/public/cc/pd/cxsr/dd/tech/dd_wp.htm

I see all the nodes quoted in the following list except 165.121.70.75 and 212.78.164.193.

I think the ACK flag and port 53 are used to bypass the router's filters.

Yves Soun.

--------------- CERTA (French Governmental CSIRT) ---------------
Phone: (+33) 1 41 46 25 23
Fax: (+33) 1 41 46 37 01
E-mail: CERTA-svpat_private
-----------------------------------------------------------------

>On 2001-05-16 11:02:29 +0200, Thomas Roessler wrote:
>
>>The same characteristic also applies to the logs at
>>http://members.iinet.net.au/~paulhng/lrp/kernlog.txt which David
>>posted, and which are 10 days old. (!)
>
>Asking google for a randomly selected common IP address from the
>list, I found
><http://my.maceast.com/homevision-u-l/ace-l/linux-router-l/%2330765452>,
>where Nicolas Riendeau reports a similar scan which happened on
>April 13, 2001.
>
>Taking his log file entries ("MrShield") into account, the table of
>attackers' IP addresses looks like this now:
>
>140.239.176.162  keith sobolev tifa mrshield
>165.121.70.75    keith
>194.205.125.26   keith sobolev tifa mrshield
>194.213.64.150   keith sobolev tifa mrshield
>202.139.133.129  keith sobolev tifa mrshield
>203.194.166.182  keith sobolev tifa mrshield
>203.208.128.70   keith sobolev tifa mrshield
>207.55.138.206   keith sobolev tifa
>208.184.162.71   keith sobolev tifa mrshield
>209.249.97.40    keith sobolev tifa mrshield
>212.23.225.98    keith sobolev tifa mrshield
>212.78.160.237   keith tifa mrshield
>212.78.164.193   sobolev
>216.220.39.42    keith sobolev tifa mrshield
>216.33.35.214    keith sobolev tifa mrshield
>216.34.68.2      keith sobolev tifa mrshield
>216.35.167.58    keith sobolev tifa
>62.23.80.2       keith sobolev tifa mrshield
>62.26.119.34     keith sobolev tifa mrshield
>63.209.147.246   keith sobolev tifa mrshield
>64.14.200.154    keith sobolev tifa
>64.37.200.46     keith sobolev tifa mrshield
>64.56.174.186    keith sobolev tifa mrshield
>64.78.235.14     keith sobolev tifa
>
>Maybe what we are seeing here are mostly decoy addresses used by
>some tool with an extremely bad RNG?
>
>--
>Thomas Roessler                        http://log.does-not-exist.org/
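The two claims in the message above, that the packets are TCP segments with only ACK set on port 53, and that this combination slips past a stateless router filter, can be checked mechanically against a firewall log. The following is an added example, not code from the thread or from CERTA. It parses netfilter-style kernel log lines (the sample lines are constructed, not taken from the kernlog.txt linked above), flags ACK-only segments involving port 53, cross-references the source against a subset of the address table from Thomas Roessler's message, and runs each packet through a toy model of a stateless ACL. The rule set of that model is an assumption for illustration: permit UDP/53, permit TCP segments carrying ACK or RST as "established" traffic (the semantics of Cisco's `established` ACL keyword), deny everything else.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Subset of the address table posted by Thomas Roessler in the thread above.
# Used only to illustrate cross-referencing a log against a known list.
KNOWN_PROBE_SOURCES = {
    "140.239.176.162", "194.205.125.26", "194.213.64.150", "202.139.133.129",
    "216.34.68.2", "62.23.80.2", "63.209.147.246", "64.78.235.14",
}

# Constructed sample lines in netfilter LOG format (not the original logs).
# Addresses outside the table are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
May 16 10:01:02 lrp kernel: IN=eth0 OUT= SRC=140.239.176.162 DST=10.0.0.5 PROTO=TCP SPT=53 DPT=53 WINDOW=0 ACK URGP=0
May 16 10:01:02 lrp kernel: IN=eth0 OUT= SRC=194.205.125.26 DST=10.0.0.5 PROTO=TCP SPT=53 DPT=53 WINDOW=0 ACK URGP=0
May 16 10:01:03 lrp kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=10.0.0.5 PROTO=TCP SPT=4411 DPT=22 WINDOW=5840 SYN URGP=0
May 16 10:01:04 lrp kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP SPT=2000 DPT=53 WINDOW=5840 SYN URGP=0
May 16 10:01:05 lrp kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=10.0.0.5 PROTO=TCP SPT=53 DPT=53 WINDOW=0 ACK URGP=0
May 16 10:01:06 lrp kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 PROTO=UDP SPT=33434 DPT=53 LEN=40
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_RE = re.compile(r"([A-Z]+)=(\S*)")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    spt: Optional[int]
    dpt: Optional[int]
    flags: frozenset


def parse_log_line(line: str) -> Optional[Packet]:
    """Extract SRC/DST/PROTO/ports and bare TCP flag tokens from one LOG line."""
    if "kernel:" not in line:
        return None
    kv = dict(KV_RE.findall(line))
    if "SRC" not in kv or "DST" not in kv or "PROTO" not in kv:
        return None
    flags = frozenset(tok for tok in line.split() if tok in TCP_FLAGS)

    def port(key: str) -> Optional[int]:
        return int(kv[key]) if key in kv and kv[key].isdigit() else None

    return Packet(kv["SRC"], kv["DST"], kv["PROTO"], port("SPT"), port("DPT"), flags)


def classify(pkt: Packet) -> Optional[str]:
    """ACK-only TCP segment touching port 53: the pattern described in the thread."""
    if pkt.proto != "TCP" or "ACK" not in pkt.flags or "SYN" in pkt.flags:
        return None
    if 53 not in (pkt.spt, pkt.dpt):
        return None
    return "drp-rtt-suspect" if pkt.src in KNOWN_PROBE_SOURCES else "ack-probe-port53"


def stateless_filter_permits(pkt: Packet) -> bool:
    """Toy stateless ACL (assumed rule set, illustration only):
    permit udp any any eq 53; permit tcp any any established; deny any.
    'established' matches ACK or RST; a stateless filter cannot tell that the
    ACK belongs to no real connection, so the probe passes while a SYN does not."""
    if pkt.proto == "UDP" and 53 in (pkt.spt, pkt.dpt):
        return True
    if pkt.proto == "TCP" and pkt.flags & {"ACK", "RST"}:
        return True
    return False


def analyse(log_text: str):
    """Return (src, classification, permitted-by-stateless-filter) per parsed line."""
    out = []
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if pkt is not None:
            out.append((pkt.src, classify(pkt), stateless_filter_permits(pkt)))
    return out


if __name__ == "__main__":
    for src, verdict, passed in analyse(SAMPLE_LOG):
        print(f"{src:16} {verdict or '-':18} {'permitted' if passed else 'denied'}")
```

Run against a real LRP/netfilter log, the interesting output is the set of sources tagged `ack-probe-port53` that are not in the table: either new probe nodes or a different tool. Note that the model only shows why an ACK-only segment passes a stateless "established" rule; a stateful firewall would drop the same segment as not belonging to any tracked connection.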
This archive was generated by hypermail 2b30 : Thu May 17 2001 - 08:42:55 PDT