Should I block traffic???

0 Votes
Locked

mr_t_wright
Ok, so I was looking on the ASA at a location and when I logged into where it shows scanning attacks and usage, one IP address had 80%, so I started to look into it: 69.164.5.146. There were others (Google, Bing, some college websites and so on), but that IP didn't show up as anything, so I asked another co-worker to check it out and he did an nmap on it and below was the output. But my question is: should I be worried? Should I block this address? I don't know what I am looking at or for in this report below...


Starting Nmap 5.51 ( http://nmap.org ) at 2011-04-05 14:02 CDT
NSE: Loaded 57 scripts for scanning.
Initiating Ping Scan at 14:02
Scanning 69.164.5.146 [4 ports]
Completed Ping Scan at 14:02, 0.21s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:02
Completed Parallel DNS resolution of 1 host. at 14:02, 4.05s elapsed
Initiating SYN Stealth Scan at 14:02
Scanning cds759.dal.llnw.net (69.164.5.146) [1000 ports]
Discovered open port 80/tcp on 69.164.5.146
Discovered open port 53/tcp on 69.164.5.146
Discovered open port 1119/tcp on 69.164.5.146
Discovered open port 8000/tcp on 69.164.5.146
Discovered open port 8001/tcp on 69.164.5.146
Completed SYN Stealth Scan at 14:02, 13.22s elapsed (1000 total ports)
Initiating Service scan at 14:02
Scanning 5 services on cds759.dal.llnw.net (69.164.5.146)
Completed Service scan at 14:02, 11.34s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against cds759.dal.llnw.net (69.164.5.146)
Retrying OS detection (try #2) against cds759.dal.llnw.net (69.164.5.146)
Initiating Traceroute at 14:02
Completed Traceroute at 14:02, 0.04s elapsed
Initiating Parallel DNS resolution of 8 hosts. at 14:02
Completed Parallel DNS resolution of 8 hosts. at 14:02, 0.11s elapsed
NSE: Script scanning 69.164.5.146.
Initiating NSE at 14:02
Completed NSE at 14:02, 4.39s elapsed
Nmap scan report for cds759.dal.llnw.net (69.164.5.146)
Host is up (0.031s latency).
Not shown: 631 filtered ports, 364 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain
80/tcp open http EdgePrism 3.8.1.1 (Limelight Networks Content Delivery Network)
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: Site doesn't have a title (text/html).
1119/tcp open http EdgePrism 3.8.1.1 (Limelight Networks Content Delivery Network)
|_http-title: Site doesn't have a title (text/html).
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
8000/tcp open http EdgePrism 3.8.1.1 (Limelight Networks Content Delivery Network)
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: Site doesn't have a title (text/html).
8001/tcp open http EdgePrism 3.8.1.1 (Limelight Networks Content Delivery Network)
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: Site doesn't have a title (text/html).
Device type: general purpose|specialized|PBX|firewall
Running (JUST GUESSING): FreeBSD 7.X|6.X|8.X|5.X (92%), OpenBSD 4.X (90%), VMware ESX Server 4.X (88%), Vodavi embedded (86%), Apple Mac OS X 10.5.X|10.6.X
(85%), Cisco AsyncOS 7.X (85%)
Aggressive OS guesses: FreeBSD 7.0-RELEASE (92%), FreeBSD 7.0-STABLE (92%), OpenBSD 4.0 (x86) (90%), FreeBSD 7.0-BETA4 - 7.0 (88%), VMware ESXi Server 4.1 (88%),
OpenBSD 4.1 - 4.7 (88%), OpenBSD 4.4 (88%), FreeBSD 6.3-RELEASE (88%), FreeBSD 7.2-RELEASE (88%), FreeBSD 8.0-RELEASE (88%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.000 days (since Tue Apr 5 14:02:42 2011)
Network Distance: 8 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Random positive increments

TRACEROUTE (using port 8888/tcp)
HOP RTT ADDRESS
1 9.15 ms 192.168.31.1
2 12.80 ms 10.0.0.1
3 19.13 ms 209-253-53-141.mcleodusa.net (209.253.53.141)
4 31.17 ms 209-253-61-1.ip.mcleodusa.net (209.253.61.1)
5 29.96 ms SO-5-1-0.DLLSTXHMH04JC04.paetec.net (209.252.156.169)
6 29.05 ms 209-253-159-3.ip.mcleodusa.net (209.253.159.3)
7 33.82 ms ge1-1.fr1.dal.llnw.net (206.223.118.123)
8 31.41 ms cds759.dal.llnw.net (69.164.5.146)

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.68 seconds
Raw packets sent: 3011 (134.176KB) | Rcvd: 456 (19.260KB)
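As an added example (not code from the thread), a small Python parser for nmap's normal output of the kind pasted above. It pulls out the host, the open ports and their service banners, then summarises why the host looks like a CDN edge server rather than something scanning the network. The embedded report lines are copied from the scan above, trimmed to the lines the parser reads.

```python
import re
from collections import Counter

# Lines taken from the nmap report in the question (trimmed to what is parsed).
NMAP_REPORT = """\
Nmap scan report for cds759.dal.llnw.net (69.164.5.146)
Host is up (0.031s latency).
Not shown: 631 filtered ports, 364 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain
80/tcp open http EdgePrism 3.8.1.1 (Limelight Networks Content Delivery Network)
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
1119/tcp open http EdgePrism 3.8.1.1 (Limelight Networks Content Delivery Network)
8000/tcp open http EdgePrism 3.8.1.1 (Limelight Networks Content Delivery Network)
8001/tcp open http EdgePrism 3.8.1.1 (Limelight Networks Content Delivery Network)
"""

HEADER_RE = re.compile(r"^Nmap scan report for (\S+) \((\d+\.\d+\.\d+\.\d+)\)$")
# port/proto  state  service  [version banner]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap_report(text):
    """Return the scanned host name, its IP and a list of open ports."""
    host, ip, ports = None, None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            host, ip = m.group(1), m.group(2)
            continue
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "service": m.group(4), "version": m.group(5) or ""})
    return {"host": host, "ip": ip, "ports": ports}

def triage(report):
    """Summarise the scan so the reader can judge whether blocking makes sense."""
    services = Counter(p["service"] for p in report["ports"])
    banners = {p["version"] for p in report["ports"] if p["version"]}
    notes = []
    if report["host"] and report["host"].endswith(".llnw.net"):
        notes.append("reverse DNS is a Limelight Networks (llnw.net) CDN host name")
    if any("Content Delivery Network" in b for b in banners):
        notes.append("HTTP service banners identify a CDN edge server")
    if set(services) <= {"http", "domain"}:
        notes.append("only web and DNS ports are open: a content server, not a scanner")
    return {"open_ports": sorted(p["port"] for p in report["ports"]),
            "services": dict(services), "notes": notes}
```

The 80% figure on the ASA is traffic volume, so the next step the thread suggests is to look at what content is being fetched from this host, not to read anything hostile into the open ports.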
    0 Votes
    CG IT

    .

    0 Votes

    re

    mr_t_wright

    Ok, thanks guys for your input. My first thought was to just block and see if anyone complains that a site they use a lot can no longer be accessed or something of the sort lol. But I thought I would ask some of you who would be more familiar with this subject

    0 Votes
    CG IT

    Gotta admit, you opened yourself up for that one....

    You more or less answered your own question of "what should I do" by saying "first thought was to just block and see who yells the loudest".

    0 Votes

    Yes

    tech_ed

    I guess it depends on what that machine is serving. I have a ShoutCast server that I run for my own personal and my family's and friends' usage. I don't mind when others find my server and listen to my music, but there are some abusers, so on that machine I run IPSEC and if I find an abuser, I add that user to my IPSEC list of blocked IPs so they can't see *ANYTHING* on the machine anymore... and it looks like the vast majority of the abusers are on the APNIC side of the world!

    0 Votes
    seanferd

    Since the IP is supposed to belong to that CDN, I would look for incoming content. A packet capture tool like Wireshark will let you look at the packets to see what they are. Otherwise, Limelight is RFC-compliant and has an abuse@ address.
