Home page logo
/

nanog logo nanog mailing list archives

Re: Reliable Cloud host ?
From: Valdis.Kletnieks () vt edu
Date: Mon, 27 Feb 2012 14:53:53 -0500

On Mon, 27 Feb 2012 14:02:04 EST, William Herrin said:

The net result is that when you switch the IP address of your server,
a percentage of your users (declining over time) will be unable to
access it for hours, days, weeks or even years regardless of the DNS
TTL setting.

Amen brother.

So just for grins, after seeing William's I set up a listener on an address
that had an NTP server on it many moons ago. As in the machine was shut down
around 2002/06/30 22:49 and we didn't re-assign the IP address ever since
*because* it kept getting hit with NTP packets..  Yes, a decade ago.

In the first 15 minutes, 234 different IP's have tried to NTP to that address.

And the winner for "most confused host", which in addition to trying to NTP also did this:

14:23:24.518136 IP 74.254.73.90.68 > 128.173.14.71.123: BOOTP/DHCP, unknown (0xdb), length 48
14:23:57.395525 IP 74.254.73.90.53 > 128.173.14.71.123: 56064 [b2&3=0x6ee] [3494a] [0q] [307au] (48)
14:24:28.536351 IP 74.254.73.90.68 > 128.173.14.71.123: BOOTP/DHCP, unknown (0xdb), length 48
14:24:53.382719 IP 74.254.73.90.500 > 128.173.14.71.123: isakmp:
14:25:01.391268 IP 74.254.73.90.53 > 128.173.14.71.123: 56064 [b2&3=0x6ee] [3494a] [0q] [307au] (48)
14:25:32.522313 IP 74.254.73.90.68 > 128.173.14.71.123: BOOTP/DHCP, unknown (0xdb), length 48
14:26:05.399885 IP 74.254.73.90.53 > 128.173.14.71.123: 56064 [b2&3=0x6ee] [3494a] [0q] [307au] (48)
14:26:36.529713 IP 74.254.73.90.68 > 128.173.14.71.123: BOOTP/DHCP, unknown (0xdb), length 48
14:27:09.405922 IP 74.254.73.90.53 > 128.173.14.71.123: 56064 [b2&3=0x6ee] [3494a] [0q] [307au] (48)
14:27:40.528381 IP 74.254.73.90.68 > 128.173.14.71.123: BOOTP/DHCP, unknown (0xdb), length 48
14:28:13.393794 IP 74.254.73.90.53 > 128.173.14.71.123: 56064 [b2&3=0x6ee] [3494a] [0q] [307au] (48)
14:28:20.971269 IP 74.254.73.90.69 > 128.173.14.71.123:  48 tftp-#6914
14:28:37.907704 IP 74.254.73.90.161 > 128.173.14.71.123:  [id?P/x/27]
14:28:44.525585 IP 74.254.73.90.68 > 128.173.14.71.123: BOOTP/DHCP, unknown (0xdb), length 48
14:29:17.399784 IP 74.254.73.90.53 > 128.173.14.71.123: 56064 [b2&3=0x6ee] [3494a] [0q] [307au] (48)
14:29:48.531804 IP 74.254.73.90.68 > 128.173.14.71.123: BOOTP/DHCP, unknown (0xdb), length 48
14:30:21.398360 IP 74.254.73.90.53 > 128.173.14.71.123: 56064 [b2&3=0x6ee] [3494a] [0q] [307au] (48)
14:30:52.530148 IP 74.254.73.90.68 > 128.173.14.71.123: BOOTP/DHCP, unknown (0xdb), length 48
14:31:25.403931 IP 74.254.73.90.53 > 128.173.14.71.123: 56064 [b2&3=0x6ee] [3494a] [0q] [307au] (48)
14:31:56.536594 IP 74.254.73.90.68 > 128.173.14.71.123: BOOTP/DHCP, unknown (0xdb), length 48
14:32:29.404457 IP 74.254.73.90.53 > 128.173.14.71.123: 56064 [b2&3=0x6ee] [3494a] [0q] [307au] (48)
14:33:00.534956 IP 74.254.73.90.68 > 128.173.14.71.123: BOOTP/DHCP, unknown (0xdb), length 48
14:33:33.402336 IP 74.254.73.90.53 > 128.173.14.71.123: 56064 [b2&3=0x6ee] [3494a] [0q] [307au] (48)

Somewhere in BellSouth territory, a machine desperately needs to be whacked upside the head.

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault