North American Network Operators Group


Verizon clients DOS own site?

  • From: Elkind_Rob
  • Date: Thu Feb 19 15:59:29 2004

Anyone else seeing this? It started up a few weeks ago.

We have a number of home users that VPN to our corporate network who are
using Verizon DSL as their Internet provider.  While they are connected to
the corporate network they are generating tons of hits to
'supportcenter.verizon.net' (206.46.187.54).

Here's a basic trace:

host.on.my.net -> 206.46.187.54 TCP 49980 > HTTP [ACK] 
host.on.my.net -> 206.46.187.54 HTTP GET /sbconfigservlet/sbconfigservlet HTTP/1.1

206.46.187.54 -> host.on.my.net HTTP HTTP/1.1 404 Not found

Here's the text of the transaction:

host.on.my.net

GET /sbconfigservlet/sbconfigservlet HTTP/1.1
Accept: */*
Accept-Language: en
If-Modified-Since: Mon, 09 Feb 2004 22:49:47 GMT
User-Agent: Motive HTTP Client
Host: supportcenter.verizon.net
Connection: Keep-Alive
Cache-Control: no-cache

reply from 206.46.187.54

HTTP/1.1 404 Not found
Server: Netscape-Enterprise/6.0
Date: Tue, 10 Feb 2004 19:37:05 GMT
Content-type: text/html
Content-length: 292

<HEAD><META HTTP-EQUIV="Content-Type"
CONTENT="text/html;charset=ISO-8859-1"><TITLE>Not
Found</TITLE></HEAD><H1>Not Found</H1> The requested object does not exist
on this server. The link you followed is either outdated, inaccurate, or the
server has been instructed not to let you have it.


This repeats over and over again many times a second while the client is
connected.

My guess is that these client files are the ones that initiate the
conversation from the client:

C:\program files\verizon\online\supportcenter\bin\matcli.exe
C:\program files\verizon\online\supportcenter\bin\mpbtn.exe

I'm seeing millions of hits to this site from just our ~100 users using
Verizon per week.  I have to think that worldwide, Verizon clients are
generating enough traffic to DOS themselves.

I've tried contacting Verizon via email but I haven't received a response
and their tech support had no information on this.  Although we're now
blocking this site and trying to clean up the clients, this is still
generating a lot of noise on our network. Any ideas on how to get Verizon to
take a look at this?

Any input is welcome.

Thanks,

Rob Elkind
Information Security Engineer
EMC
where information lives

Email:   [email protected]
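
A sketch of how the retry loop described in the post above could be picked out of proxy logs. This is an added example, not part of the original post; the log layout, the client addresses and the threshold are assumptions, while the host, path, status and User-Agent are taken from the trace.

```python
import re
from collections import Counter

# Assumed (hypothetical) proxy log layout, one request per line:
# <timestamp to the second> <client> <host> <method> <path> <status> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<method>\S+) '
    r'(?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample input: four polls in one second, one in the next,
# ordinary browser traffic, and a malformed line.
_POLL = ('2004-02-10T19:37:%02d 192.0.2.21 supportcenter.verizon.net GET '
         '/sbconfigservlet/sbconfigservlet 404 "Motive HTTP Client"')
SAMPLE_LOG = [_POLL % s for s in (5, 5, 5, 5, 6)] + [
    '2004-02-10T19:37:05 192.0.2.22 www.example.com GET /index.html 200 "Mozilla/4.0"',
    '2004-02-10T19:37:06 192.0.2.22 www.example.com GET /missing.gif 404 "Mozilla/4.0"',
    'truncated line without the expected fields',
]

def find_retry_loops(lines, min_per_second=3):
    """Map (client, host, path, user-agent) to its peak count of 404s in any
    single second, for every key that reaches min_per_second at least once."""
    per_second = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["status"] != "404":
            continue  # skip malformed lines and successful requests
        key = (m["client"], m["host"], m["path"], m["ua"])
        per_second[(key, m["ts"])] += 1  # timestamp resolution is the bucket

    peaks = {}
    for (key, _ts), count in per_second.items():
        if count >= min_per_second:
            peaks[key] = max(count, peaks.get(key, 0))
    return peaks

if __name__ == "__main__":
    for (client, host, path, ua), peak in find_retry_loops(SAMPLE_LOG).items():
        print(f"{client} -> {host}{path} [{ua}] peak {peak} x 404 per second")
```

A single browser 404 never reaches the threshold, so only a client that repeats the same failing request within one second is reported.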