NFR Wizards Archive: Re: TCP port 7 traffic from DoubleClick

Re: TCP port 7 traffic from DoubleClick


Vern Paxson (vernee.lbl.gov)
Mon, 05 Jul 1999 15:54:22 PDT


> My firewall has been logging a persistent stream of TCP connection attempts
> to port 7 (echo) from six hosts belonging to DoubleClick. I would like to
> know if anyone else on the list has observed this?
>
> It started back on June 4 and has continued almost every day since then.
> The pattern of the traffic consists of 2-6 connection attempts from the
> addresses 199.95.207.91, 199.95.208.85, 207.239.35.71, 208.32.211.71,
> 209.67.38.49, & 209.67.38.50. Each host will attempt a connection within
> 30 seconds or so of the others. This pattern repeats 1-4 times a day.
>
> The reason that I do not just ignore the traffic is that the frequency
> of the attempts exceeds thresholds I have set on my firewall thereby
> generating a page. I can only speculate that they are trying to gauge
> the performance of their banner ad delivery. E-mail requests to
> DoubleClick have gone unanswered. I have reported the traffic to the
> abuse group of my ISP and they are looking into it.

Yep, we see the same thing, except the connection attempts come within
milliseconds of each other, they come in pairs (two back-to-back echo
connection attempts to the same destination from the same source, but with
different source ports), and we get about 20 pairs a day from each of
the different sources, to our name servers and one of our main ftp
servers.

It started here on June 4th, too.

                Vern
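
The pattern described in this thread, expressed as log-correlation logic. This is an added example and not part of either poster's message: it groups TCP port 7 attempts into bursts so that an alert fires once per burst rather than once per threshold crossing, and flags the back-to-back pairs. The log format, the destination addresses (192.0.2.x) and the 50 ms pair threshold are assumptions; the 30-second window and the source addresses come from the messages above.

```python
from collections import namedtuple

Event = namedtuple("Event", "ts src sport dst dport")

# Constructed sample log (assumed format): epoch_seconds src sport dst dport
SAMPLE_LOG = """\
930500000.000 199.95.207.91 41001 192.0.2.53 7
930500000.004 199.95.207.91 41002 192.0.2.53 7
930500004.100 209.67.38.49 33010 192.0.2.53 7
930500004.103 209.67.38.49 33011 192.0.2.53 7
930500021.500 208.32.211.71 52000 192.0.2.21 7
930500300.000 198.51.100.9 40000 192.0.2.21 80
930520000.000 199.95.208.85 41500 192.0.2.53 7
930520000.900 199.95.208.85 41501 192.0.2.53 7
"""

def parse(log):
    events = []
    for line in log.splitlines():
        ts, src, sport, dst, dport = line.split()
        events.append(Event(float(ts), src, int(sport), dst, int(dport)))
    return sorted(events)  # namedtuples sort by timestamp first

def echo_bursts(events, window=30.0, port=7):
    """Group echo-port attempts; a gap longer than `window` starts a new burst."""
    bursts, last_ts = [], None
    for ev in events:
        if ev.dport != port:
            continue
        if last_ts is None or ev.ts - last_ts > window:
            bursts.append([])
        bursts[-1].append(ev)
        last_ts = ev.ts
    return bursts

def back_to_back_pairs(burst, max_gap=0.05):
    """Adjacent attempts: same source and destination, different source ports."""
    return [(a, b) for a, b in zip(burst, burst[1:])
            if (a.src, a.dst) == (b.src, b.dst)
            and a.sport != b.sport and b.ts - a.ts <= max_gap]

def summarize(log):
    """One record per burst: suitable for a single alert instead of many."""
    return [{"start": b[0].ts, "attempts": len(b),
             "sources": sorted({e.src for e in b}),
             "pairs": len(back_to_back_pairs(b))}
            for b in echo_bursts(parse(log))]

if __name__ == "__main__":
    for record in summarize(SAMPLE_LOG):
        print(record)
```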


