*scream* Cannot contact AT&T WorldNet NOC

Eric Wieling writes...

Someone apparently from a WorldNet dial-up account, calling in via
New Orleans and Dallas was sending large numbers of TCP connections
to port 1080. That's of course the default Socks Port. We don't run
socks. Never have. The connection attempts were blocked and logged.

The reasons could be:

  1) stupid user entered in the wrong address for a socks proxy
  2) Denial of Service attack

If it were #1, then why would it be coming from two different cities
and why sooooo many connections. If it was #2, why am I not seeing
more connections and why TCP? It seems to me that it's kinda
pointless to spoof the source address on a TCP connection unless you
are *very* clever. Why only port 1080?

I've seen this scenario in the past, though in reverse (in other words
from the "attacker" side). Here's how it went.

Company X uses a proxy server for web access, which defaults to 1080.
They configured all their Netscape browsers to use the proxy server.
Apparently, one of the employees took home a copy of Netscape with the
configuration intact. It continued to work because the proxy server
also answered requests from outside the company X network.

This employee further duplicated that configured copy of Netscape and
passed it around to other people. Eventually a copy made it to company
Z where I once worked. Company Z did not use a proxy server, and did
allow outbound access to any port on the Internet. So these copies of
Netscape continued to work, using company X's proxy server.

Eventually company X discovered their proxy server was being "attacked"
or otherwise heavily loaded from the Internet. They either shut it down
or made it unreachable from the outside or it just plain crashed.

I was called in to diagnose why several stations could no longer reach
any web sites. I discovered this misconfiguration. Noting the pattern
involved and the possibility of a like scenario repeating, and the risks
that could also be involved, I set the firewall to block outgoing connects
to port 1080 anywhere on the Internet. That actually "broke" quite a
number of copies of Netscape, and had to result in a total in-house
clean-up of all browsers.


What you are seeing _might_ be as innocent as that. I don't know how
hard the browser keeps trying to connect when the connection is refused
or not completed, but it is worth adding in to the list of scenarios
so you know what you might be dealing with if it does happen to be the

And good luck with contacting AT&T.

I'm going to be putting some thought into the issue of how to implement
and deploy a universal operations contact list that can be restricted to
the operational staff of ISPs and major businesses on the Internet. This
is something most everyone will want to have a restricted access list.

I don't bother to set my alarm clock anymore. Someone always pages
me before I need to wake up anyway.

boss: Why didn't you come into work yesterday?

answer: No one paged me. Was I needed?
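As an added illustration (not from the thread), one way to triage the blocked port-1080 entries described above: group the firewall log by source address and separate a client that keeps retrying a single destination (the misconfigured-proxy pattern) from one fanning out across many hosts. The log format and addresses are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines (not from the thread); the format is assumed.
SAMPLE_LOG = """\
1998-01-05T02:14:07 deny tcp 203.0.113.5:1043 -> 192.0.2.10:1080
1998-01-05T02:14:10 deny tcp 203.0.113.5:1044 -> 192.0.2.10:1080
1998-01-05T02:14:16 deny tcp 203.0.113.5:1045 -> 192.0.2.10:1080
1998-01-05T02:14:28 deny tcp 203.0.113.5:1046 -> 192.0.2.10:1080
1998-01-05T02:15:01 deny tcp 203.0.113.77:2001 -> 192.0.2.10:1080
1998-01-05T02:15:01 deny tcp 203.0.113.77:2002 -> 192.0.2.11:1080
1998-01-05T02:15:02 deny tcp 203.0.113.77:2003 -> 192.0.2.12:1080
1998-01-05T02:15:02 deny tcp 203.0.113.77:2004 -> 192.0.2.13:1080
1998-01-05T02:16:00 deny tcp 203.0.113.9:1500 -> 192.0.2.10:1080
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) deny tcp (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(log, port=1080):
    """Yield (timestamp, src, dst) for every blocked attempt to the given port."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and int(m["dport"]) == port:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"]


def classify(log, port=1080, min_attempts=3):
    """Return {src: verdict}. A source below min_attempts is 'noise'; one that
    retries a single destination looks like a browser with a stale SOCKS proxy
    setting; one that spreads over many destinations looks like a sweep."""
    per_src = defaultdict(list)
    for ts, src, dst in parse(log, port):
        per_src[src].append((ts, dst))
    verdicts = {}
    for src, hits in per_src.items():
        if len(hits) < min_attempts:
            verdicts[src] = "noise"
            continue
        distinct_dsts = {dst for _, dst in hits}
        verdicts[src] = "misconfigured-client" if len(distinct_dsts) == 1 else "sweep"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:16} {verdict}")
```

The doubling gap between the first source's attempts (3 s, 6 s, 12 s) is the kind of client-side retry backoff that supports the "misconfigured client" reading rather than a deliberate flood.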

Track down the people that were doing this and you'll probably find people
from a company that's using your address range on an internal network and
using SOCKS. My guess is that it's coming from users that are taking their
laptops home or on the road. Not that I've ever made that mistake
myself... :)


I suspect that you are right. They appear to have stopped. However,
since I failed to find any way of notifying them, next time it happens
they will have a copy of /bsd shoved back down the connection. It
isn't exactly nice, but I'm sure that they will actually notice that
something is actually wrong.