Re: Traffic from microsoft.com ?

From: Peter Bates (Peter.Batesat_private)
Date: Sun Jul 01 2001 - 16:21:02 PDT


    Hello all...
    
    >Well. If the IPs were from 207.46.x.x they were MSFT:
    
    >    Netname: MICROSOFT-GLOBAL-NET
    >    Netblock: 207.46.0.0 - 207.46.255.255
    
    Indeed, I should have said that the IP addresses I did in fact
    see were all in the 207.46.x.x range, although admittedly I hadn't
    thought to try doing a reverse lookup or a whois search on them.
    
    >My guess is that someone set up a few hundred clients to connect to 
    >MSFT-servers with a fake source-ip. So all the replies went to "random" 
    >destinations - and Peter Bates' network just happened to be in the 
    >attacker's "source-range".
    
    I think this does indeed sound highly probable... not very pleasing
    news, necessarily, but I suppose more pleasant than knowing the
    traffic was the result of a genuine DDoS emanating from my network!
    
    
    Thanks...
    
    
    
    
    
    -------------------------------------------------------------------------------------------------------------------->
    Peter Bates, Systems Support Officer, Network Support Team.
    London School of Hygiene & Tropical Medicine.
    Telephone:0207-927 2124 / Fax: 0207-436 5389 / Pager: 07625 255362
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sun Jul 01 2001 - 22:39:35 PDT