Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Fwd: Re: Dst. ports 33438, 33437 (64.95.255.255) [data393]

  • From: Fergie (Paul Ferguson)
  • Date: Thu Aug 11 19:50:24 2005

The following is some dialogue that I posted to the
DShield.org list last night, trying to figure out
why I was seeing these odd traceroute probes in my firewall
logs at home.

I post it here for two reasons:

[1] Does anyone have any experience with InterNAP's FCP-500
product? I was looking for some additional technical info beyond
what is on their web site. Contact me off-list, of course.

And,

[2] Just thought some of you might be interested. :-)

- ferg




---------- Forwarded Message ----------

Just as an FYI follow-up to last night's e-mails
from me to the list [subject line above], I received
this from InterNAP this morning. Thought I'd share...

- ferg




---------- Forwarded Message ----------

We have received the following notice regarding trace route traffic
originating from our network, so I thought I would respond to give
you a bit of peace of mind.  The packets you are seeing are actually a
very GOOD thing.  Our datacenter employs a technology which tunes BGP
routing tables for outbound traffic to provide the highest performing
route path.  On average, this shaves 35-40ms off the round-trip time for
network performance.  The device which performs these operations is
called an Internap FCP-500.  You can view more information at
http://www.internap.com/products/route-optimization.htm 

Chances are, your public IP address was part of communication with our
datacenter.  Since over 10,000 web sites are hosted in our center, it is
a very likely case that you accessed a web site, which then triggered
the performance platform to probe round-trip times via traditional trace
route and ping protocols.  Once you communicate with the datacenter for
the first time, the device will continue to probe the pathway for
performance data periodically, and adjust routes accordingly.

The end result is, a better performing experience since the packets take
the best performing pathway through the Internet from the datacenter to
the end user.

Regards,
Susan Cook

________________________________

Susan Cook | AUP Enforcement
[contact info elided]
 

-----Original Message-----
From: abuse@internap.com [mailto:abuse@internap.com] 
Posted At: Wednesday, August 10, 2005 9:46 PM
Posted To: Data393 Abuse
Conversation: [ABUSE] Re: [Dshield] Dst. ports 33438, 33437 (64.95.255.255) [data393]
Subject: [ABUSE] Re: [Dshield] Dst. ports 33438, 33437 (64.95.255.255) [data393]

Internap has received an abuse complaint related to the possible
distribution of unsolicited e-mail (spam) or a possible security
violation from you or one of your customers.  We are forwarding the
complaint to you so that you may take appropriate measures to address
the issue.

The purpose of this message is to inform you of a complaint we have
received as if you had received the complaint directly.  We have not
verified the accuracy of the complaint nor is this an accusation that
the said incident has occurred.
         
Internap will not embark upon any punitive action regarding spam or
security complaints without explicitly and formally contacting you
regarding a clear, verified complaint, or a pattern of abuse.
        
Please refer to http://www.internap.com/about/policies.html for
general questions regarding Internap's stance on spam or abuse.  Please
direct any questions regarding this specific issue to
abuse@internap.com.
        
         
---------- Forwarded message ----------
From: "Fergie (Paul Ferguson)" <<removed>@netzero.net>
Date: Thu, 11 Aug 2005 03:39:43 GMT
To: list@lists.dshield.org
Cc: abuse@internap.com
Subject: Re: [Dshield] Dst. ports 33438, 33437

...and, now I see an adjacent port as well:

2005-08-10 21:21:48 -05:00	87744681	1	64.94.45.10	14484	67.64.90.x	33436	udp


64.94.45.10 --> fcp-2.chg.pnap.net

Hmmm.

OrgName: Internap Network Services
OrgID: PNAP
Address: 250 Williams Street
Address: Suite E100
City: Atlanta
StateProv: GA
PostalCode: 30303
Country: US

NetRange: 64.94.0.0 - 64.95.255.255
CIDR: 64.94.0.0/15
NetName: PNAP-05-2000
NetHandle: NET-64-94-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.PNAP.NET
NameServer: NS2.PNAP.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2000-06-05
Updated: 2002-06-17

TechHandle: INO3-ARIN
TechName: InterNap Network Operations Center
TechPhone: +1-877-843-4662
TechEmail: noc@internap.com

OrgAbuseHandle: IAC3-ARIN
OrgAbuseName: Internap Abuse Contact
OrgAbusePhone: +1-206-256-9500
OrgAbuseEmail: abuse@internap.com

OrgTechHandle: INO3-ARIN
OrgTechName: InterNap Network Operations Center
OrgTechPhone: +1-877-843-4662
OrgTechEmail: noc@internap.com

# ARIN WHOIS database, last updated 2005-08-10 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

 Tracing to: 64.94.45.10

 1  legacy26-0.default.csail.mit.edu (18.26.0.1) [AS3]  0 ms  0 ms  0 ms
 2  kalgan.trantor.csail.mit.edu (128.30.0.245) [AS40]  0 ms  0 ms  0 ms
 3  B24-RTR-2-CSAIL.MIT.EDU (18.4.7.1) [AS3]  90 ms  96 ms  2 ms
 4  EXTERNAL-RTR-2-BACKBONE.MIT.EDU (18.168.0.27) [AS3]  0 ms  0 ms  0 ms
 5  EXTERNAL-RTR-1-BACKBONE.MIT.EDU (18.168.0.18) [AS3]  1 ms  1 ms  1 ms
 6  ge-6-23.car2.Boston1.Level3.net (4.79.2.1) [AS3356]  1 ms  1 ms  1 ms
 7  ae-1-51.mp1.Boston1.Level3.net (4.68.100.1) [AS3356]  1 ms  1 ms  1 ms
 8  so-3-1-0.bbr1.Chicago1.Level3.net (64.159.4.178) [AS3356]  21 ms
    ae-0-0.bbr2.Chicago1.Level3.net (64.159.1.34) [AS3356]  21 ms
    so-3-1-0.bbr1.Chicago1.Level3.net (64.159.4.178) [AS3356]  21 ms
 9  ge-7-0.ipcolo1.Chicago1.Level3.net (4.68.101.42) [AS3356]  21 ms
    ge-7-1.ipcolo1.Chicago1.Level3.net (4.68.101.106) [AS3356]  21 ms
    ge-9-1.ipcolo1.Chicago1.Level3.net (4.68.101.74) [AS3356]  21 ms
10  unknown.Level3.net (209.247.34.166) [AS3356]  21 ms  21 ms  21 ms
11  border6.ge4-1-bbnet2.chg.pnap.net (64.94.32.75) [AS19024]  51 ms  21 ms  21 ms
12  fcp1.chg.pnap.net (64.94.45.96) [AS19024]  21 ms  21 ms  21 ms
13  * * *
14  * * *

What's up with that? Very, very odd...

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg@netzero.net or fergdawg@sbcglobal.net
 ferg's tech blog: http://fergdawg.blogspot.com/

-- "Fergie (Paul Ferguson)" <fergdawg@netzero.net> wrote:
..and a traceroute from MIT:

 Tracing to: 208.42.224.238

 1  legacy26-0.default.csail.mit.edu (18.26.0.1) [AS3]  0 ms  0 ms  0 ms
 2  kalgan.trantor.csail.mit.edu (128.30.0.245) [AS40]  0 ms  0 ms  0 ms
 3  B24-RTR-2-CSAIL.MIT.EDU (18.4.7.1) [AS3]  0 ms  9 ms  1 ms
 4  EXTERNAL-RTR-2-BACKBONE.MIT.EDU (18.168.0.27) [AS3]  68 ms  108 ms  9 ms
 5  EXTERNAL-RTR-1-BACKBONE.MIT.EDU (18.168.0.18) [AS3]  1 ms  1 ms  1 ms
 6  ge-6-23.car2.Boston1.Level3.net (4.79.2.1) [AS3356]  1 ms  1 ms  1 ms
 7  ae-1-53.mp1.Boston1.Level3.net (4.68.100.65) [AS3356]  1 ms  1 ms  1 ms
 8  as-0-0.bbr2.Denver1.Level3.net (64.159.4.226) [AS3356]  43 ms
    ae-0-0.bbr1.Denver1.Level3.net (64.159.1.113) [AS3356]  43 ms
    as-0-0.bbr2.Denver1.Level3.net (64.159.4.226) [AS3356]  43 ms
 9  so-6-0.hsa1.Denver1.Level3.net (4.68.112.154) [AS3356]  44 ms  43 ms
    4.68.113.54 (4.68.113.54) [AS3356]  43 ms
10  4.79.80.14 (4.79.80.14) [AS3356]  44 ms  44 ms  44 ms
11  core-b.v33.ge-4-5.Level3.edge3.data393.net (208.42.224.117) [AS29863]  44 ms  44 ms  44 ms
* * *
* * *

- ferg



-- "Fergie (Paul Ferguson)" <fergdawg@netzero.net> wrote:
WHOIS info leaves me with everything EXCEPT the warm and
fuzzies:


OrgName: Data393 Inc.
OrgID: DATA3
Address: 393 Inverness Parkway
City: Englewood
StateProv: CO
PostalCode: 80112-5855
Country: US

NetRange: 208.42.224.0 - 208.42.255.255
CIDR: 208.42.224.0/19
NetName: D393-DC-INVERNESS1
NetHandle: NET-208-42-224-0-1
Parent: NET-208-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.DATA393.NET
NameServer: NS2.DATA393.NET
Comment:
RegDate: 2004-01-28
Updated: 2004-04-21

AbuseHandle: IPADM77-ARIN
AbuseName: IP Administration
AbusePhone: +1-303-268-1500
AbuseEmail: 

NOCHandle: IPADM77-ARIN
NOCName: IP Administration
NOCPhone: +1-303-268-1500
NOCEmail: ip-addr@data393.net

TechHandle: IPADM77-ARIN
TechName: IP Administration
TechPhone: +1-303-268-1500
TechEmail: ip-addr@data393.net

OrgTechHandle: IPADM77-ARIN
OrgTechName: IP Administration
OrgTechPhone: +1-303-268-1500
OrgTechEmail: ip-addr@data393.net

# ARIN WHOIS database, last updated 2005-08-10 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

- ferg


-- "Fergie (Paul Ferguson)" <fergdawg@netzero.net> wrote:

I fired this e-mail off before I dug into it deeper...

Duh. Late night, beer, etc.

The reverse lookup on the source address reveals:

208.42.224.238:
performance-check-via-SAVVIS.THIS-IS_HARMLESS-It_is_a_Traceroute_or_Ping_packet.BGP-route-control.data393.net

Now, the next question is why they're picking my home SBC DSL
host address (which I NAT out of) for this exercise...

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg@netzero.net or fergdawg@sbcglobal.net
 ferg's tech blog: http://fergdawg.blogspot.com/
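
A log-triage sketch for the kind of probes discussed in this thread, added here as an example and not part of the original posts: it groups firewall entries by source and reports sources whose UDP destination ports form a consecutive run in the classic traceroute range (default base port 33434). The field order, the 30-hop upper bound, the `min_probes` threshold and every sample log line are assumptions constructed for illustration.

```python
from collections import defaultdict

# Classic UDP traceroute starts at destination port 33434 and adds one per
# probe. The upper bound (30 hops x 3 probes) is an assumption.
TR_BASE = 33434
TR_MAX = TR_BASE + 30 * 3 - 1

# Constructed sample lines (documentation addresses), tab-separated in the
# layout of the log line quoted in the thread. Assumed field order:
# timestamp, id, count, src IP, src port, dst IP, dst port, protocol.
SAMPLE_LOG = "\n".join([
    "2005-08-10 21:21:48 -05:00\t1\t1\t198.51.100.10\t14484\t203.0.113.x\t33436\tudp",
    "2005-08-10 21:21:49 -05:00\t1\t1\t198.51.100.10\t14485\t203.0.113.x\t33437\tudp",
    "2005-08-10 21:21:50 -05:00\t1\t1\t198.51.100.10\t14486\t203.0.113.x\t33438\tudp",
    "2005-08-10 21:30:02 -05:00\t1\t1\t192.0.2.7\t4021\t203.0.113.x\t1434\tudp",
    "2005-08-10 21:31:10 -05:00\t1\t1\t192.0.2.9\t5000\t203.0.113.x\t33440\tudp",
    "malformed line without enough fields",
])


def parse_line(line):
    """Return (src_ip, dst_port, proto), or None if the line does not parse."""
    fields = line.strip().split("\t")
    if len(fields) != 8 or not fields[6].isdigit():
        return None
    return fields[3], int(fields[6]), fields[7].lower()


def traceroute_like_sources(log_text, min_probes=3):
    """Map source IP -> sorted dst ports for sources that look like traceroute."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "udp" and TR_BASE <= rec[1] <= TR_MAX:
            ports[rec[0]].add(rec[1])
    result = {}
    for src, seen in ports.items():
        ordered = sorted(seen)
        # One stray packet in the range proves nothing: require a run of
        # consecutive ports, which is what incrementing probes produce.
        run = best = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_probes:
            result[src] = ordered
    return result


if __name__ == "__main__":
    for src, seen in traceroute_like_sources(SAMPLE_LOG).items():
        print(src, "probed UDP ports", seen)
```

A source flagged this way is a candidate for the reverse-DNS and WHOIS checks shown in the thread before it is treated as hostile scanning.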




