Re: TCP port 7 traffic from DoubleClick
Albert Hopkins (ahopkins@dynacare.com)
Fri, 9 Jul 1999 21:44:57 -0500 (CDT)
On Wed, 7 Jul 1999, Neil Ratzlaff wrote:
> At 15:54 07/05/99 -0700, Vern Paxson wrote:
> >> My firewall has been logging a persistent stream of TCP connection attempts
> >> to port 7 (echo) from six hosts belonging to DoubleClick. I would like to
> >> know if anyone else on the list has observed this?
> >>
> >> It started back on June 4 and has continued almost every day since then.
> >> The pattern of the traffic consists of 2-6 connection attempts from the
> >> addresses 199.95.207.91, 199.95.208.85, 207.239.35.71, 208.32.211.71,
> >> 209.67.38.49, & 209.67.38.50. Each host will attempt a connection within
> >> 30 seconds or so of the others. This pattern repeats 1-4 times a day.
> >>
> >> The reason that I do not just ignore the traffic is that the frequency
> >> of the attempts exceeds thresholds I have set on my firewall thereby
> >> generating a page. I can only speculate that they are trying to gauge
> >> the performance of their banner ad delivery. E-mail requests to
> >> DoubleClick have gone unanswered. I have reported the traffic to the
> >> abuse group of my ISP and they are looking into it.
> >
> >Yep, we see the same thing, except the connection attempts come within
> >milliseconds of each other, they come in pairs (two back-to-back echo
> >connection attempts to the same destination from the same source, but with
> >different source ports), and we get about 20 pairs a day from each of
> >the different sources, to our name servers and one of our main ftp
> >servers.
> >
> >It started here on June 4th, too.
> >
> > Vern
> >
>
> Mine seem to come in batches of 15 in the same second, with source ports
> anywhere/everywhere above 32000. Each group contains at least 4 different
> source IP addresses from the list above.

We're getting it too. The target, 99% of the time, is our internal name
server. Source ports are usually above 32000.

Is there any way that they (DoubleClick) can be persuaded to cease and
desist?

--
Albert Hopkins
Sr. Systems Specialist
Dynacare, Inc
ahopkins@dynacare.com
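
The pattern reported in this thread (several sources hitting TCP port 7 on one target within about 30 seconds of each other) can be collapsed into one record per burst instead of one alert per attempt. The following is an added example, not part of the original messages; the log format, the function names and the 192.0.2.x / 198.51.100.x addresses are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "date time src:sport -> dst:dport proto action" format.
SAMPLE_LOG = """\
1999-07-07 09:14:02 199.95.207.91:32811 -> 192.0.2.53:7 tcp deny
1999-07-07 09:14:02 199.95.207.91:32812 -> 192.0.2.53:7 tcp deny
1999-07-07 09:14:09 207.239.35.71:40122 -> 192.0.2.53:7 tcp deny
1999-07-07 09:14:21 209.67.38.49:51877 -> 192.0.2.53:7 tcp deny
1999-07-07 09:14:30 208.32.211.71:33990 -> 192.0.2.53:7 tcp deny
1999-07-07 11:02:45 198.51.100.20:1044 -> 192.0.2.53:7 tcp deny
1999-07-07 15:40:10 199.95.208.85:36001 -> 192.0.2.53:7 tcp deny
1999-07-07 15:40:11 209.67.38.50:36440 -> 192.0.2.53:7 tcp deny
1999-07-07 15:40:12 199.95.207.91:60123 -> 192.0.2.80:80 tcp allow
"""

def parse(line):
    """Return (time, src_ip, src_port, dst_ip, dst_port) for one log line."""
    date, clock, src, _arrow, dst, _proto, _action = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return when, src_ip, int(sport), dst_ip, int(dport)

def echo_bursts(log_text, gap=timedelta(seconds=30), min_sources=2):
    """Group port-7 attempts per target into bursts; keep multi-source bursts."""
    by_dst = {}
    for line in log_text.strip().splitlines():
        when, src, sport, dst, dport = parse(line)
        if dport == 7:  # echo service only
            by_dst.setdefault(dst, []).append((when, src, sport))
    bursts = []
    for dst, events in by_dst.items():
        events.sort()
        current = [events[0]]
        for ev in events[1:]:
            if ev[0] - current[-1][0] <= gap:  # still the same burst
                current.append(ev)
            else:
                bursts.append((dst, current))
                current = [ev]
        bursts.append((dst, current))
    return [
        {"dst": dst, "start": evs[0][0], "attempts": len(evs),
         "sources": sorted({e[1] for e in evs}),
         "min_sport": min(e[2] for e in evs)}
        for dst, evs in bursts if len({e[1] for e in evs}) >= min_sources
    ]
```

Alerting on the number of bursts rather than on raw attempt counts keeps a record of the traffic without tripping a per-connection paging threshold.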
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:19:03 CDT