I have seen all sorts of weird probes being launched from those addresses
over the course of the last 6 months, everything from DNS zone transfers to
bizarre ICMP ping routines. All of the patterns I have seen I forwarded to
some people at the NSWC U.S. Navy Research Labs who confirmed that they have
been following these probes for almost 10 months now. After the first DNS
zone transfer attempts I did some investigation and discovered that all of
the source addresses were running the BigIP (F5 Networks - www.bigip.com)
web server load balancing software. I dug through the demo system at the F5
site trying to determine if there was a bug in their software that was
causing this. After finding nothing at all that would explain the bizarre
activity I made a phone call to the tech guys at F5; they could not explain
it or duplicate it on their development systems. About a month passed
before I started seeing another set of weird ICMP probes coming from those
addresses again; this time I took a closer look at the IDS logs. What
seemed to be happening was that my dialup machine was surfing on some web
site that had images on some doubleclick.net advertisement server; when my
machine tried to resolve the address (this machine is also the caching DNS
server for my home network), seven or eight bbnplanet/doubleclick.net
servers tried to initiate a zone transfer with my home machine. Even after
the name finally resolved and the image was displayed, the probes continued
for about 2 minutes. Maybe this Echo port probe is related?
-HD
http://nlog.ings.com
http://ww.opensec.net
http://www.trinux.org
----- Original Message -----
From: Roger Marquis <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 07, 1999 12:16 AM
Subject: Interesting traffic to tcp port 7
> We recently began seeing an interesting pattern of tcp packets, from 6
> unique IPs, none with reverse dns, 5 or 6 packets per src IP to a single
> destination IP, port 7 (echo). These packets are all logged within a few
> seconds of each other which leads me to suspect that most of them could be
> spoofed. The "source" IPs are:
>
> 199.95.207.91 DOUBLECLICK.NET
> 199.95.208.85 DOUBLECLICK.NET
> 207.239.35.71 @PLAN (webplan.net)
> 208.32.211.71 DOUBLECLICK.NET
> 209.67.38.49 EXODUS.NET (no reverse dns in subnet)
> 209.67.38.50 EXODUS.NET (no reverse dns in subnet)
>
> Anyone else seen this traffic pattern?
>
> >Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 207.239.35.71:64314
> >Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 208.32.211.71:44619
> >Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.208.85:45641
> >Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.207.91:40861
> >Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 209.67.38.49:36966
> >...
> >Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 207.239.35.71:33107
> >Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.208.85:47895
> >Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.207.91:42421
> >Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 208.32.211.71:46178
> >Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 207.239.35.71:33108
> >...
> >cont. for several pages
>
> --
> Roger Marquis
> Roble Systems Consulting
> http://www.roble.com/
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
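As an added example, not part of either post above, the following Python script applies the heuristic Roger used by eye: it parses the kernel "Connection attempt" lines he quoted, groups them by destination ip:port, and reports any cluster where several distinct source IPs hit the same port within a few seconds of each other, the burst pattern that made him suspect spoofed sources. The log format is the FreeBSD-style one shown in the thread; the year (1999), the 5-second window, the 3-source threshold, and the two extra "normal" lines at the end of the sample are my own assumptions and constructions, not anything from the original messages.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: the log lines quoted in the thread, plus two constructed
# entries (marked) so that the non-bursty and non-matching cases are exercised.
LOG_LINES = [
    "Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 207.239.35.71:64314",
    "Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 208.32.211.71:44619",
    "Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.208.85:45641",
    "Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.207.91:40861",
    "Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 209.67.38.49:36966",
    "Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 207.239.35.71:33107",
    "Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.208.85:47895",
    "Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.207.91:42421",
    "Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 208.32.211.71:46178",
    "Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 207.239.35.71:33108",
    # constructed: a lone connection attempt to another port; must not be flagged
    "Jun 4 07:50:12 server1 /kernel: Connection attempt to TCP 192.168.1.1:22 from 10.0.0.5:51000",
    # constructed: an unrelated kernel message; the parser must skip it
    "Jun 4 07:51:00 server1 /kernel: arp: 10.0.0.9 moved from 00:00:00:00:00:01 to 00:00:00:00:00:02",
]

# BSD syslog timestamp, host, then the kernel's "Connection attempt" text.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ /kernel: Connection attempt to TCP "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)$"
)

SYSLOG_YEAR = 1999  # assumption: BSD syslog lines carry no year, so one is supplied


def parse_line(line):
    """Return an event dict for a 'Connection attempt' line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {SYSLOG_YEAR}",
                           "%b %d %H:%M:%S %Y")
    return {"ts": ts, "target": f"{m['dst']}:{m['dport']}",
            "src": m["src"], "sport": int(m["sport"])}


def _report(target, cluster, min_sources):
    """Turn one time cluster into a burst record if enough distinct sources are in it."""
    sources = sorted({e["src"] for e in cluster})
    if len(sources) < min_sources:
        return []
    return [{"target": target, "start": cluster[0]["ts"], "end": cluster[-1]["ts"],
             "packets": len(cluster), "sources": sources}]


def find_bursts(lines, window_seconds=5, min_sources=3):
    """Cluster attempts per destination ip:port; consecutive events no more than
    window_seconds apart join the same cluster. Clusters with at least min_sources
    distinct source IPs are returned as bursts, ordered by start time."""
    by_target = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_target[ev["target"]].append(ev)

    window = timedelta(seconds=window_seconds)
    bursts = []
    for target, events in by_target.items():
        events.sort(key=lambda e: e["ts"])
        cluster = [events[0]]
        for ev in events[1:]:
            if ev["ts"] - cluster[-1]["ts"] <= window:
                cluster.append(ev)
            else:
                bursts.extend(_report(target, cluster, min_sources))
                cluster = [ev]
        bursts.extend(_report(target, cluster, min_sources))
    bursts.sort(key=lambda b: b["start"])
    return bursts


if __name__ == "__main__":
    for b in find_bursts(LOG_LINES):
        span = (b["end"] - b["start"]).total_seconds()
        print(f"{b['target']}: {b['packets']} packets from {len(b['sources'])} "
              f"distinct sources within {span:.0f}s starting {b['start']:%H:%M:%S}")
        for s in b["sources"]:
            print("    ", s)
```

On the quoted excerpt this reports two bursts against 192.168.1.1:7 (five sources at 07:44:59, four distinct sources across five packets at 07:45:35) and nothing for the lone port 22 entry. A cluster of many sources arriving in the same second is only a hint, not proof, that the addresses are forged; correlating against whether any of those sources ever completes a handshake, or whether they also appear in DNS or ICMP logs as HD describes, is the natural next step for an analyst.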