RE: suspicious IP's. Can it be tunneling ?

[Rick Coloccia <coloccia@geneseo.edu>]

redirected to the list...



At 11:08 AM 1/17/2003, you wrote:

You could build IP based classes for these hosts, then use Packet Logging to capture the files in tcpdump format for inspection to determine what it is.  If you find a specific http user-agent is generating this data then you can create a HTTP User-Agent to classify it and then apply an appropriate policy/partition.  Another option to use instead of Packet Logger is the "class criteria track" command which can tell you the top 10 user agents for an HTTP class.  Hope this is helpful.

Sean Applegate
Packeteer Mid-Atlantic SE
540-972-8711 Office
703-801-0413 Mobile

-----Original Message-----

From: owner-packeteer-edu@lists.Stanford.EDU [mailto:owner-packeteer-edu@lists.Stanford.EDU]On Behalf Of Rick Coloccia

Sent: Friday, January 17, 2003 10:35 AM

To: Mustafa Cagatayli; packeteer-edu@lists.Stanford.EDU

Subject: Re: suspicious IP's. Can it be tunneling ?

At 09:52 AM 1/17/2003, Mustafa Cagatayli wrote:

Hello,

It has been 4 days since out outbound/autodiscover/http traffic has grown so much that all our outbound capacity is now full. As this is a port/class that needs to be available there is no way for me to limit its traffic.

After reading George Russs' e-mail message about tunneling through HTTP port, I tried to checked to see if the traffic is actually towards www.http-tunnel.com. I found out that the traffic is not towards their servers, but mostly towards the following ones. Has anyone experienced any such situation ? Does any one know what these IP's are ?

Since you can identify the computers generating the traffic, can you get to one of them when it's generating and check it out?  Here's who the addresses belong to...

-Rick

157.163.1.10 - 157.163.1.19 and

This "belongs" to:

OrgName:    Dr. Alfred Ristow GmbH& Co.

OrgID:      DARG

NetRange:   157.163.0.0 - 157.163.255.255

CIDR:       157.163.0.0/16

NetName:    LORINKA

NetHandle:  NET-157-163-0-0-1

Parent:     NET-157-0-0-0-0

NetType:    Direct Assignment

Comment:

RegDate:    1991-12-30

Updated:    1992-01-15

TechHandle: DDB43-ARIN

TechName:   Braun, Dr.

TechPhone:  -49 721 4098 0

TechEmail:  dbraun@ira.uka.de

66.28.236.82 - 66.28.236.93

This "belongs" to:

OrgName:    Cogent Communications

OrgID:      COGC

NetRange:   66.28.0.0 - 66.28.255.255

CIDR:       66.28.0.0/16

NetName:    COGENT-NB-0000

NetHandle:  NET-66-28-0-0-1

Parent:     NET-66-0-0-0-0

NetType:    Direct Allocation

NameServer: AUTH1.DNS.COGENTCO.COM

NameServer: AUTH2.DNS.COGENTCO.COM

Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

            Reassignment information for this block can be found at

            rwhois.cogentco.com 4321

RegDate:    2000-10-12

Updated:    2001-12-05

TechHandle: ZC108-ARIN

TechName:   Cogent Communications

TechPhone:  +1-877-875-4311

TechEmail:  noc@cogentco.com

OrgAbuseHandle: COGEN-ARIN

OrgAbuseName:   Cogent Abuse

OrgAbusePhone:  +1-877-875-4311

OrgAbuseEmail:  abuse@cogentco.com

OrgNOCHandle: ZC108-ARIN

OrgNOCName:   Cogent Communications

OrgNOCPhone:  +1-877-875-4311

OrgNOCEmail:  noc@cogentco.com

OrgTechHandle: IPALL-ARIN

OrgTechName:   IP Allocation

OrgTechPhone:  +1-202-295-4200

OrgTechEmail:  "ipalloc@cogentco.com"@nospam.com

Regards.

Mustafa Cagatayli

CC

-++**==--++**==--++**==--++**==--++**==--++**==--++**==--++**==--++**

This message was posted through the Stanford mailing list server. To

subscribe/unsubscribe, send email to majordomo@lists.stanford.edu

with "subscribe packeteer-edu" or "unsubscribe packeteer-edu" as the body.  Archive

is at http://www.stanford.edu/group/networking/netlists/

--

Rick Coloccia

Network Analyst

SUNY Geneseo

119 South Hall

1 College Circle

Geneseo, NY 14454

Voice: (585) 245-5577

Fax:(585) 245-5579

--
Rick Coloccia
Network Analyst
SUNY Geneseo
119 South Hall
1 College Circle
Geneseo, NY 14454
Voice: (585) 245-5577
Fax:(585) 245-5579