ISP Abuse departments

Well, I have always known that ISP abuse departments are generally very lame. They never seem to bother returning any darn email that you send them. I recently had the need to try and find out what the heck an intermittent connection was doing. It easily resolved to the ISP, but when I tried to surf to that IP address on port 80 there was nothing there. Strange. I thought my wife or son might have gotten me hacked :-o. So I decided to send some packet logs to the ISP abuse department to investigate just why this IP addy with no web server was seeing SYN connect attempts by my computer.

07:52:41.875000 IP (tos 0x0, ttl 128, id 21722, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.111.2.1374 > 209.123.81.159.80: S, cksum 0x727f (correct), 3900559278:3900559278(0) win 65535 <mss 1460,nop,nop,sackOK>
0x0000:  4500 0030 54da 4000 8006 5328 c0a8 6f02  E..0T.@...S(..o.
0x0010:  d17b 519f 055e 0050 e87d cfae 0000 0000  .{Q..^.P.}......
0x0020:  7002 ffff 727f 0000 0204 05b4 0101 0402  p...r...........

Well, the abuse department never bothered to get back to me, of course. Job well done, ya bunch of idiot sticks. Nice to see your sad level of commitment! Anyhow, I decided to run tcpdump.exe on my computer to try and find out what the heck was going on, for, as mentioned, there was no web server at the IP addy. Well, it turned out to be much ado about nothing. It was Symantec dialing out for a/v updates.

07:52:41.906250 IP (tos 0x0, ttl 128, id 21728, offset 0, flags [DF], proto: TCP (6), length: 126) 192.168.111.2.1375 > 209.123.81.159.80: P, cksum 0x5336 (incorrect (-> 0xdd11), 3653321399:3653321485(86) ack 3405129712 win 65535
0x0000:  4500 007e 54e0 4000 8006 52d4 c0a8 6f02  E..~T.@...R...o.
0x0010:  d17b 519f 055f 0050 d9c1 42b7 caf6 27f0  .{Q.._.P..B...'.
0x0020:  5018 ffff 5336 0000 4745 5420 2f20 4854  P...S6..GET./.HT
0x0030:  5450 2f31 2e30 0d0a 5573 6572 2d41 6765  TP/1.0..User-Age
0x0040:  6e74 3a20 436f 6e6e 6563 7469 7669 7479  nt:.Connectivity
0x0050:  0d0a 486f 7374 3a20 7777 772e 7379 6d61  ..Host:.www.syma
0x0060:  6e74 6563 2e63 6f6d 0d0a 5072 6167 6d61  ntec.com..Pragma
0x0070:  3a20 6e6f 2d63 6163 6865 0d0a 0d0a       :.no-cache....

The reason I didn't see a web server there is evident in the packet below.

07:52:41.921875 IP (tos 0x0, ttl 57, id 63965, offset 0, flags [DF], proto: TCP (6), length: 215) 209.123.81.159.80 > 192.168.111.2.1375: P, cksum 0x3598 (correct), 3405129712:3405129887(175) ack 3653321485 win 5840
0x0000:  4500 00d7 f9dd 4000 3906 f47d d17b 519f  E.....@.9..}.{Q.
0x0010:  c0a8 6f02 0050 055f caf6 27f0 d9c1 430d  ..o..P._..'...C.
0x0020:  5018 16d0 3598 0000 4854 5450 2f31 2e30  P...5...HTTP/1.0
0x0030:  2033 3031 204d 6f76 6564 2050 6572 6d61  .301.Moved.Perma
0x0040:  6e65 6e74 6c79 0d0a 5365 7276 6572 3a20  nently..Server:.
0x0050:  416b 616d 6169 4748 6f73 740d 0a43 6f6e  AkamaiGHost..Con
0x0060:  7465 6e74 2d4c 656e 6774 683a 2030 0d0a  tent-Length:.0..
0x0070:  4c6f 6361 7469 6f6e 3a20 6874 7470 3a2f  Location:.http:/
0x0080:  2f77 7777 2e73 796d 616e 7465 632e 636f  /www.symantec.co
0x0090:  6d2f 696e 6465 782e 6a73 700d 0a44 6174  m/index.jsp..Dat
0x00a0:  653a 2057 6564 2c20 3037 204e 6f76 2032  e:.Wed,.07.Nov.2
0x00b0:  3030 3720 3132 3a35 303a 3137 2047 4d54  007.12:50:17.GMT
0x00c0:  0d0a 436f 6e6e 6563 7469 6f6e 3a20 636c  ..Connection:.cl
0x00d0:  6f73 650d 0a0d 0a                        ose....

So I was happy to have figured out this mystery and realized I had not been hacked somehow. That said, would it have really been that hard for those lazy wankers at the abuse department to tell me that Symantec used to have a server there???
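Reading the hex columns by eye is what cracked this one; the following added example (not code from the original post) does the same decoding in Python: it rebuilds the raw packets from the two HTTP dumps above, skips the IPv4 and TCP headers using their own length fields, and parses out the HTTP request line and headers, so the Host header on the way out and the 301 Location header on the way back fall out directly. The sample data is the post's own two packets with the ASCII column dropped.

```python
import re

# Hex columns copied from the post's two HTTP packets (tcpdump -X output).
REQUEST_DUMP = """
0x0000:  4500 007e 54e0 4000 8006 52d4 c0a8 6f02
0x0010:  d17b 519f 055f 0050 d9c1 42b7 caf6 27f0
0x0020:  5018 ffff 5336 0000 4745 5420 2f20 4854
0x0030:  5450 2f31 2e30 0d0a 5573 6572 2d41 6765
0x0040:  6e74 3a20 436f 6e6e 6563 7469 7669 7479
0x0050:  0d0a 486f 7374 3a20 7777 772e 7379 6d61
0x0060:  6e74 6563 2e63 6f6d 0d0a 5072 6167 6d61
0x0070:  3a20 6e6f 2d63 6163 6865 0d0a 0d0a
"""
RESPONSE_DUMP = """
0x0000:  4500 00d7 f9dd 4000 3906 f47d d17b 519f
0x0010:  c0a8 6f02 0050 055f caf6 27f0 d9c1 430d
0x0020:  5018 16d0 3598 0000 4854 5450 2f31 2e30
0x0030:  2033 3031 204d 6f76 6564 2050 6572 6d61
0x0040:  6e65 6e74 6c79 0d0a 5365 7276 6572 3a20
0x0050:  416b 616d 6169 4748 6f73 740d 0a43 6f6e
0x0060:  7465 6e74 2d4c 656e 6774 683a 2030 0d0a
0x0070:  4c6f 6361 7469 6f6e 3a20 6874 7470 3a2f
0x0080:  2f77 7777 2e73 796d 616e 7465 632e 636f
0x0090:  6d2f 696e 6465 782e 6a73 700d 0a44 6174
0x00a0:  653a 2057 6564 2c20 3037 204e 6f76 2032
0x00b0:  3030 3720 3132 3a35 303a 3137 2047 4d54
0x00c0:  0d0a 436f 6e6e 6563 7469 6f6e 3a20 636c
0x00d0:  6f73 650d 0a0d 0a
"""
HEX_TOKEN = re.compile(r"^[0-9a-f]{2,4}$")  # hex groups; the ASCII column never matches

def dump_to_bytes(dump):
    """Rebuild the raw IPv4 packet from tcpdump -X lines, keeping only the hex column."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, _, rest = line.partition(":")
        out += bytes.fromhex("".join(t for t in rest.split() if HEX_TOKEN.match(t)))
    if len(out) != int.from_bytes(out[2:4], "big"):   # IPv4 total length must match
        raise ValueError("dump is truncated or mis-copied")
    return bytes(out)

def http_from_packet(raw):
    """Skip IP and TCP headers via their length fields, then parse the HTTP head."""
    ihl = (raw[0] & 0x0F) * 4                  # IPv4 header length in bytes
    data_off = (raw[ihl + 12] >> 4) * 4        # TCP data offset in bytes
    payload = raw[ihl + data_off:]
    head, _, _body = payload.partition(b"\r\n\r\n")
    start, *hdrs = head.decode("ascii").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, v in (h.split(":", 1) for h in hdrs)}
    return start, headers
```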
