Security Incidents mailing list archives

Taiwan again?


From: Donald McLachlan <don () MAINFRAME DGRC CRC CA>
Date: Sun, 20 Aug 2000 13:10:06 -0400

Between 2:47 and 3:39 (GMT -0400) we received 232 of these:

02:47:58.314993 134.208.251.254 > AAA.AA.AAA.27: icmp: host AAA.AA.AAA.63 unreachable - admin prohibited filter (ttl 235, id 44814)
                         4500 0038 af0e 0000 eb01 596f 86d0 fbfe
                         XXXX XX1b 030d 0765 0000 0000 4500 0060
                         0000 0000 7c11 b579 XXXX XX1b XXXX XX3f
                         0089 0089 004c

OK, it is Taiwan again, but what's the point?  Maybe a DoS against
134.208.251.254?
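Decoding the quoted dump, as an added example that is not part of the original message: an ICMP unreachable carries the start of the datagram the sender says it dropped, so the embedded IP and transport headers are where the supposed stimulus can be read off. The masked XXXX XX octets are replaced by the constructed placeholder prefix 10.0.0.

```python
import struct
from ipaddress import IPv4Address

# Hex bytes as printed by tcpdump -x in the post; the masked XXXX XX
# octets are replaced by the constructed placeholder prefix 10.0.0.
HEX_DUMP = """
4500 0038 af0e 0000 eb01 596f 86d0 fbfe
0a00 001b 030d 0765 0000 0000 4500 0060
0000 0000 7c11 b579 0a00 001b 0a00 003f
0089 0089 004c
"""

def parse_ipv4(buf):
    """Return (header fields, bytes after the header) for an IPv4 header."""
    vihl, _tos, length, ident, _frag, ttl, proto, _csum = struct.unpack_from(
        "!BBHHHBBH", buf, 0)
    ihl = (vihl & 0x0F) * 4
    hdr = {"len": length, "id": ident, "ttl": ttl, "proto": proto,
           "src": str(IPv4Address(buf[12:16])), "dst": str(IPv4Address(buf[16:20]))}
    return hdr, buf[ihl:]

def decode_unreachable(raw):
    """Decode an ICMP destination-unreachable and the datagram it quotes."""
    outer, icmp = parse_ipv4(raw)
    itype, icode = struct.unpack_from("!BB", icmp, 0)
    # RFC 792: after the 8-byte ICMP header comes the offending IP header
    # plus at least the first 8 bytes of its payload (the transport header).
    inner, l4 = parse_ipv4(icmp[8:])
    res = {"outer": outer, "icmp_type": itype, "icmp_code": icode, "inner": inner,
           # bytes of the outer datagram the capture did not keep (snapshot length)
           "missing_bytes": outer["len"] - len(raw), "truncated": len(l4) < 8}
    if inner["proto"] == 17:                      # UDP: sport, dport, len, csum
        if len(l4) >= 4:
            res["sport"], res["dport"] = struct.unpack_from("!HH", l4, 0)
        if len(l4) >= 6:
            res["udp_len"] = struct.unpack_from("!H", l4, 4)[0]
    return res

def decode_post_packet():
    return decode_unreachable(bytes.fromhex("".join(HEX_DUMP.split())))

if __name__ == "__main__":
    r = decode_post_packet()
    print("ICMP type/code %d/%d from %s" % (r["icmp_type"], r["icmp_code"], r["outer"]["src"]))
    print("quoted datagram: proto %d %s -> %s" % (r["inner"]["proto"], r["inner"]["src"], r["inner"]["dst"]))
    print("UDP %s -> %s, transport header truncated: %s" % (r.get("sport"), r.get("dport"), r["truncated"]))
```

For the post's packet this yields type 3 code 13 (administratively prohibited) quoting a UDP 137 -> 137 datagram (NetBIOS name service) from the .27 to the .63 address, which fits the author's point that the stimulus must have been spoofed since .27 is unused. The capture stops 2 bytes short of the full 56-byte datagram (the UDP checksum is missing), which is what a default 68-byte tcpdump snapshot leaves after the 14-byte Ethernet header.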



1) XXX.XX.XXX.27 is an unused address, so no stimulus packet came from there.
   If there was a stimulus packet, it was spoofed.

2) XXX.XX.XXX.63 is also an unused address.

3) When trying to ping/telnet/traceroute to 134.208.251.254 I get:

        12:12:02.301678 203.72.38.100 > XXX.XX.XXX.223: icmp:
                        host 134.208.251.254 unreachable (ttl 233, id 0)

   TTL does not match.  Either the source address of the unreachable
   message has been spoofed, or routing has changed slightly.

4) Who are they anyway?

   134.208.251.254 = SEEDNet-TANet.edu.tw
   203.72.38.100 does not have a reverse DNS entry.

5) 'dig -x soa' reveals that both addresses have the same SOA.

   ;; AUTHORITY RECORDS:
   38.72.203.in-addr.arpa.      7921    SOA     moevax.edu.tw.  sanger.moers4.edu.tw. (

   -----

   ;; AUTHORITY RECORDS:
   208.134.in-addr.arpa.        172800  SOA     moevax.edu.tw.  sanger.moers4.edu.tw. (

6) Arin (arin/apnic) for both addresses reveals:

   arin 134.208.251.254
   Ministry of Education Computer Center (NET-ACANET-TWN)
      12th Fl, 106, Hoping E. Road, Sec 2.
      Taiwan Republic of China, R.O.C
      TW

      Netname: ACANET-TWN
      Netblock: 134.208.0.0 - 134.208.255.255

      Coordinator:
         TANet, Administrator  (AT122-ARIN)  tanetadm () MOE EDU TW
         886-2-27377010

      Domain System inverse mapping provided by:

      MOEVAX.EDU.TW             140.111.1.2
      MOESUN.EDU.TW             140.111.1.20

      Record last updated on 14-Apr-1999.
      Database last updated on 18-Aug-2000 17:55:21 EDT.

   The ARIN Registration Services Host contains ONLY Internet
   Network Information: Networks, ASN's, and related POC's.
   Please use the whois server at rs.internic.net for DOMAIN related
   Information and whois.nic.mil for NIPRNET Information.

   -----

   obelix don> arin 203.72.38.100
   Asia Pacific Network Information Center (APNIC2)

so ...

   apnic 203.72.38.100

   % Rights restricted by copyright. See http://www.apnic.net/db/dbcopyright.html

[ snip ]

 inetnum:     203.72.38.0 - 203.72.38.255
 netname:     T-NCTU.EDU-NET
 descr:       CHIAO TUNG UNIVERSITY
 descr:       1001, TA HSUEH RD.,
 descr:       HEINCHU Taiwan
 country:     TW
 admin-c:     TCL5-TW
 tech-c:      TCL5-TW
 remarks:     This information has been partially mirrored by APNIC from
 remarks:     TWNIC. To obtain more specific information, please use the
 remarks:     TWNIC whois server at whois.twnic.net.
 mnt-by:      TWNIC-AP
 changed:     tseng () mail moe gov tw 19991005
 source:      TWNIC

 [ snip ]

7) Just to see what it says (LOL):

   /usr/ucb/whois -h whois.twnic.net 203.72.38.100
   whois: connect: Connection refused




I've Cc'ed this message to tseng () mail moe gov tw, tanetadm () MOE EDU TW, and
sanger () moers4 edu tw.  Let's see what they have to say about this.

