[techtalk] Traceroutes in logs

Kath ranger at optonline.net
Sat Apr 28 22:32:07 EST 2001


Every day, sometimes several times a day, I get a traceroute to my Lotus Notes/Domino NT4 server (ick ick ick.  I didn't set it up).

I've included a few log examples.

Paranoid Me Says:
Is someone using tracert to check for a host's existence as a precursor to an attack?

Curious Me Says:
Is this some kind of internet host check thing to determine uptime/etc?

Apr 28 20:21:57 hwnet snort: Windows Traceroute: 216.200.119.243 -> 207.127.75.xx

Apr 28 07:26:36 hwnet snort: Windows Traceroute: 130.217.248.88 -> 207.127.75.xx

Apr 28 04:45:46 hwnet snort: Windows Traceroute: 216.200.119.243 -> 207.127.75.xx

Apr 27 21:55:22 hwnet snort: Windows Traceroute: 128.223.220.56 -> 207.127.75.xx

Apr 27 04:44:24 hwnet snort: Windows Traceroute: 128.223.220.56 -> 207.127.75.xx

Apr 26 21:34:02 hwnet snort: Windows Traceroute: 216.200.119.243 -> 207.127.75.xx

Apr 26 02:53:36 hwnet snort: Windows Traceroute: 130.217.248.88 -> 207.127.75.xx

Further investigation:

Now an arin.net whois says that 216.200.119.243 is registered to Abovenet, which is based in Cali.  My l33t tracert skills spit out that the machine location looks like somewhere in/near Seattle?  216.200.119.243 resolves to caida.org (specifically lhr.skitter.caida.org) and the caida.org webpage says something about "Tools and analyses promoting the engineering and maintenance of a robust, scalable global Internet infrastructure".  Hmm.  Looks normal there.  Just some weirdos collecting internet info =)

Next is: 130.217.248.88.  arin.net says 130.217.248.88 belongs to University of Waikato.  A DNS on the IP 130.217.248.88 reveals another caida.org address: waikato.skitter.caida.org.

Final one is: 128.223.220.56.  Resolves to uoregon.skitter.caida.org.  

I guess the moral is, don't get bent out of shape over simple tracerts.  Get even instead!  Freaking government robots after me!  Black helicopters!  Conspiracy!  Roswell!  Oswald was a patsy! ;)


- Kath the slightly paranoid (Only slightly!)
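
An added example, not part of the original post: the triage described above (group the Snort alerts by source, then look at the reverse DNS name of each source) as a small script. The log lines are copied from the post; the function names, the `known_suffixes` allow-list and the injectable `resolver` parameter are assumptions made for this illustration.

```python
import re
import socket
from collections import defaultdict

# Log lines copied from the post (the destination is masked there as 207.127.75.xx).
SAMPLE_LOG = """\
Apr 28 20:21:57 hwnet snort: Windows Traceroute: 216.200.119.243 -> 207.127.75.xx
Apr 28 07:26:36 hwnet snort: Windows Traceroute: 130.217.248.88 -> 207.127.75.xx
Apr 28 04:45:46 hwnet snort: Windows Traceroute: 216.200.119.243 -> 207.127.75.xx
Apr 27 21:55:22 hwnet snort: Windows Traceroute: 128.223.220.56 -> 207.127.75.xx
Apr 27 04:44:24 hwnet snort: Windows Traceroute: 128.223.220.56 -> 207.127.75.xx
Apr 26 21:34:02 hwnet snort: Windows Traceroute: 216.200.119.243 -> 207.127.75.xx
Apr 26 02:53:36 hwnet snort: Windows Traceroute: 130.217.248.88 -> 207.127.75.xx
"""

# syslog timestamp, host, "snort:", alert message, source IP, "->", destination
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+snort:\s+(?P<msg>.+?):\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+(?P<dst>\S+)$"
)

def reverse_dns(ip):
    """Live PTR lookup; returns None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None

def summarize(log_text, resolver=reverse_dns, known_suffixes=(".skitter.caida.org",)):
    """Group alerts by source IP and mark sources whose PTR name ends in a known suffix."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that are not Snort "src -> dst" alerts are skipped
            seen[m["src"]].append(m["ts"])
    report = {}
    for ip, times in seen.items():
        name = resolver(ip)
        known = bool(name) and name.lower().rstrip(".").endswith(tuple(known_suffixes))
        report[ip] = {"count": len(times), "times": times,
                      "ptr": name, "known_measurement": known}
    return report

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        verdict = "known measurement host" if info["known_measurement"] else "REVIEW"
        print(f"{ip:16} x{info['count']}  {info['ptr']}  {verdict}")
```

A PTR name is set by whoever controls the reverse zone for the address, so treat a match as a hint and confirm it against the whois record for the netblock, as the post does.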

