Re: "SRC=69.28.159."
From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 12/11/04
- Previous message: Alexander Clouter: "Re: DSL line and local network - is it necessary to use 2 nics ?"
- In reply to: Newsbox: ""SRC=69.28.159.""
- Next in thread: Newsbox: "Re: "SRC=69.28.159.""
- Reply: Newsbox: "Re: "SRC=69.28.159.""
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 10 Dec 2004 18:02:03 -0600
In article <69qdnQLHxNM67CTcRVn-hQ@acadia.net>, Newsbox wrote:
>I have a lot of log entries from the same netblock/domain, and want to
>know why.
A count of hits from the block doesn't provide clues. What ports (source,
destination), what addresses? What else is going on on your system(s) at
the time? Is there any reason you might be talking to those hosts?
>[root@localhost root]# host 69.28.159.7
>7.159.28.69.in-addr.arpa domain name pointer
>cdn-69-28-159-7.iad.llnw.net.
>
>[root@localhost root]# whois
Why are you running network applications as root?
[compton ~]$ whois -h whois.arin.net 69.28.159.7
[whois.arin.net]
OrgName: Limelight Networks, LLC
OrgID: LLNW
Address: 2220 W. 14th Street
City: Tempe
StateProv: AZ
PostalCode: 85281
Country: US
ReferralServer: rwhois://rwhois.llnw.net:4321/
[snip]
OrgAbuseHandle: LNAD-ARIN
OrgAbuseName: Limelight Networks Abuse Dept
OrgAbusePhone: +1-602-850-5095
OrgAbuseEmail: ipadmin@limelightnetworks.com
[snip]
[compton ~]$
An rwhois query seems to indicate that specific address is a corporate
address, rather than a customer.
>(me:) What is this? Maybe an ad agency that is connected to a site I use?
Possible - not enough details.
> Else why am I getting this for weeks on end? The firewall is obviously
>blocking it so I need not worry. Or should I? It seems to happen at the
>same time in the early morning here.
Again - not enough details. FWIW, the 'IAD' _suggests_ a Northern Virginia
location (IAD is the airport code for Washington Dulles, while LAX is Los
Angeles, SJC is San Jose, and LGA is La Guardia in New York). As you are
posting from a Stentor address block, the 'cdn' in the hostname you looked
up _could_ refer to 'Canadian' but that's pure speculation.
>Should I call them? Would they care?
If this is all you show, no - don't bother wasting their/your time. If you
have some details of nefarious deeds (including relatively accurate times,
specific ports/addresses, etc), then it might be worth a shot. You might
also google for them in the news.admin.net-abuse.* newsgroups.
>I'm changing computers and os's tomorrow (or next week?), so if this box
>is killed, it's ok for me. I don't yet have any reason to think it is
>killed. Just would like to understand wtf is going on here.
Look at the source and destination port numbers. Look at the source
addresses. Is there any pattern?
(Note: While I am near Phoenix, I have nothing to do with Limelight.
They are in the Phoenix telephone book, but not in the Yellow Pages,
and I get no response to http:www.llnw.net which forwards to
www.limelightnetworks.com - so you know as much as I do about them.)
Old guy
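
The questions asked in the reply above (which source addresses, which source and destination ports, what time of day) can be answered by tallying the firewall log rather than counting hits. The following is an added example, not part of the original post: it assumes the `SRC=` in the subject comes from netfilter `LOG` lines in syslog, treats the prefix as 69.28.159.0/24, and runs on constructed sample lines.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed, abbreviated netfilter LOG lines (not taken from the thread).
_FMT = "{t} localhost kernel: IN=eth0 OUT= SRC={s} DST=192.0.2.10 PROTO={p} SPT={sp} DPT={dp}"
SAMPLE_LOG = "\n".join([
    _FMT.format(t="Dec 10 04:12:01", s="69.28.159.7", p="TCP", sp=80, dp=32811),
    _FMT.format(t="Dec 10 04:12:03", s="69.28.159.7", p="TCP", sp=80, dp=32812),
    _FMT.format(t="Dec 10 04:13:40", s="69.28.159.9", p="TCP", sp=80, dp=32815),
    _FMT.format(t="Dec 10 11:30:15", s="198.51.100.23", p="UDP", sp=1026, dp=137),
    _FMT.format(t="Dec 11 04:11:58", s="69.28.159.7", p="TCP", sp=80, dp=32790),
    "Dec 11 04:15:00 localhost sshd[411]: session opened for user demo",
])

FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
STAMP = re.compile(r"^\w{3}\s+\d+\s+(\d{2}):\d{2}:\d{2}\s")


def parse(line):
    """Return the packet fields plus the hour, or None for non-firewall lines."""
    stamp = STAMP.match(line)
    fields = dict(FIELD.findall(line))
    if not stamp or "SRC" not in fields:
        return None
    fields["HOUR"] = int(stamp.group(1))
    return fields


def summarize(log_text, block="69.28.159.0/24"):
    """Tally hits from `block` by source address, source port, destination port and hour."""
    net = ip_network(block)
    out = {"src": Counter(), "spt": Counter(), "dpt": Counter(), "hour": Counter()}
    for line in log_text.splitlines():
        rec = parse(line)
        try:
            if rec is None or ip_address(rec["SRC"]) not in net:
                continue
        except ValueError:  # malformed address in a damaged log line
            continue
        out["src"][rec["SRC"]] += 1
        # ICMP entries carry no ports, so .get() yields None for them
        out["spt"][(rec.get("PROTO"), rec.get("SPT"))] += 1
        out["dpt"][(rec.get("PROTO"), rec.get("DPT"))] += 1
        out["hour"][rec["HOUR"]] += 1
    return out


if __name__ == "__main__":
    for name, counts in summarize(SAMPLE_LOG).items():
        print(name, counts.most_common(5))
```

In the constructed sample every hit has source port 80 and a different high destination port, which is what late replies to connections opened from the local host look like; a fixed low destination port with varying source ports is what an inbound probe looks like.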