*scream* Cannot contact AT&T WorldNet NOC

Phil Howard phil at charon.milepost.com
Mon Sep 29 14:24:37 UTC 1997

Eric Wieling writes...

> Someone apparently from a WorldNet dial-up account, calling in via
> New Orleans and Dallas was sending large numbers of TCP connections
> to port 1080.  That's of course the default Socks Port.  We don't run
> socks.  Never have.  The connection attempts were blocked and logged.
> The reasons could be:
>   1) stupid user entered in the wrong address for a socks proxy
>   2) Denial of Service attack
> It if were #1, then why would it be coming from two different cities
> and why sooooo many connections.  If it was #2, why am I not seeing
> more connections and why TCP?  IT seems to me that it's kinda
> pointless to spoof the source address on a TCP connection unless you
> are *very* clever.  Why only port 1080?

I've seen this scenario in the past, though in reverse (in other words
from the "attacker" side).  Here's how it went.

Company X uses a proxy server for web access, which defaults to 1080.
They configured all their Netscape browsers to use the proxy server.
Apparently, one of the employees took home a copy of Netscape with the
configuration intact.  It continued to work because the proxy server
also answered requests from outside the company X network.

This employee further duplicated that configured copy of Netscape and
passed it around to other people.  Eventually a copy made it to company
Z where I once worked.  Company Z did not use a proxy server, and did
allow outbound access to any port on the Internet.  So these copies of
Netscape continued to work, using company X's proxy server.

Eventually company X discovered their proxy server was being "attacked"
or otherwise heavy loaded from the Internet.  They either shut it down
or made it unreachable from the outside or it just plain crashed.

I was called in to diagnose why several stations could no longer reach
any web sites.  I discovered this misconfiguration.  Noting the pattern
involved and the possibility of a like scenario repeating, and the risks
that could also be involved, I set the firewall to block outgoing connects
to port 1080 anywhere on the Internet.  That actually "broke" quite a
number of copies of Netscape, and had to result in a total in-house
clean-up of all browsers.


What you are seeing _might_ be as innocent as that.  I don't know how
hard the browser keep trying to connect when the connection is refused
or not completed, but it is worth adding in to the list of scenarios
so you know what you might be dealing with if it does happen to be the

And good luck with contacting AT&T.

I'm going to be putting some thought into the issue of how to implement
and deploy a universal operations contact list that can be restricted to
the operational staff of ISPs and major businesses on the Internet.  This
is something most everyone will want to have a restricted access list.

> I don't bother to set my alarm clock anymore.  Someone always pages
> me before I need to wake up anyway.

boss:    Why didn't you come into work yesterday?

answer:  No one paged me.  Was I needed?

Phil Howard  +-------------------------------------------------------------+
KA9WGN       | House committee changes freedom bill to privacy invasion !! |
phil at      | more info:  http://www.news.com/News/Item/0,4,14180,00.html |
milepost.com +-------------------------------------------------------------+

More information about the NANOG mailing list