
Re: suspicious IP's. Can it be tunneling ?



At 09:52 AM 1/17/2003, Mustafa Cagatayli wrote:
Hello,

It has been 4 days since our outbound/autodiscover/http traffic has grown so much that all our outbound capacity is now full. As this is a port/class that needs to be available there is no way for me to limit its traffic.

After reading George Russs' e-mail message about tunneling through HTTP port, I tried to check to see if the traffic is actually towards www.http-tunnel.com. I found out that the traffic is not towards their servers, but mostly towards the following ones. Has anyone experienced any such situation? Does anyone know what these IP's are?

Since you can identify the computers generating the traffic, can you get to one of them when it's generating and check it out?  Here's who the addresses belong to...

-Rick



157.163.1.10 - 157.163.1.19 and

This "belongs" to:

OrgName:    Dr. Alfred Ristow GmbH& Co.
OrgID:      DARG

NetRange:   157.163.0.0 - 157.163.255.255
CIDR:       157.163.0.0/16
NetName:    LORINKA
NetHandle:  NET-157-163-0-0-1
Parent:     NET-157-0-0-0-0
NetType:    Direct Assignment
Comment:
RegDate:    1991-12-30
Updated:    1992-01-15

TechHandle: DDB43-ARIN
TechName:   Braun, Dr.
TechPhone:  -49 721 4098 0
TechEmail:  dbraun@ira.uka.de



66.28.236.82 - 66.28.236.93

This "belongs" to:

OrgName:    Cogent Communications
OrgID:      COGC

NetRange:   66.28.0.0 - 66.28.255.255
CIDR:       66.28.0.0/16
NetName:    COGENT-NB-0000
NetHandle:  NET-66-28-0-0-1
Parent:     NET-66-0-0-0-0
NetType:    Direct Allocation
NameServer: AUTH1.DNS.COGENTCO.COM
NameServer: AUTH2.DNS.COGENTCO.COM
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
            Reassignment information for this block can be found at
            rwhois.cogentco.com 4321
RegDate:    2000-10-12
Updated:    2001-12-05

TechHandle: ZC108-ARIN
TechName:   Cogent Communications
TechPhone:  +1-877-875-4311
TechEmail:  noc@cogentco.com

OrgAbuseHandle: COGEN-ARIN
OrgAbuseName:   Cogent Abuse
OrgAbusePhone:  +1-877-875-4311
OrgAbuseEmail:  abuse@cogentco.com

OrgNOCHandle: ZC108-ARIN
OrgNOCName:   Cogent Communications
OrgNOCPhone:  +1-877-875-4311
OrgNOCEmail:  noc@cogentco.com

OrgTechHandle: IPALL-ARIN
OrgTechName:   IP Allocation
OrgTechPhone:  +1-202-295-4200
OrgTechEmail:  "ipalloc@cogentco.com"@nospam.com




Regards.



Mustafa Cagatayli
CC

-++**==--++**==--++**==--++**==--++**==--++**==--++**==--++**==--++**
This message was posted through the Stanford mailing list server. To
subscribe/unsubscribe, send email to majordomo@lists.stanford.edu
with "subscribe packeteer-edu" or "unsubscribe packeteer-edu" as the body.  Archive
is at http://www.stanford.edu/group/networking/netlists/

--
Rick Coloccia
Network Analyst
SUNY Geneseo
119 South Hall
1 College Circle
Geneseo, NY 14454
Voice: (585) 245-5577
Fax:(585) 245-5579