The same thing has been happening to me.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 11, 1999 12:42 PM
To: H D Moore
Cc: Roger Marquis; [EMAIL PROTECTED]
Subject: Re: Interesting traffic to tcp port 7
"H D Moore" <[EMAIL PROTECTED]> writes:
> What seemed to be happening was that my dialup machine was surfing
> on some web site that had images on some doubleclick.net
> advertisement server, when my machine tried to resolve the address
> (this machine is also the caching DNS server for my home network),
> seven or eight bbnplanet/doubleclick.net servers tried to initiate a
> zone transfer with my home machine. Even after the name finally
> resolved and the image was displayed, the probes continued for about
> 2 minutes. Maybe this Echo port probe is related?
I've been watching these for a couple of months--first zone transfer
attempts, now connections to the echo port. They've come from
doubleclick:
199.95.207.91 199.95.208.85
208.32.211.71
209.67.38.49 209.67.38.50 209.67.38.82 209.67.38.83
209.249.118.80 209.249.118.81 209.249.227.37
imgis:
216.111.249.42 216.111.249.52
207.211.106.198 207.211.106.93
exodus:
209.67.42.162 209.67.78.200 209.67.78.202
209.67.220.93 209.67.221.22
216.32.68.11 216.32.68.13
dell:
btdmz-drp.us.dell.com
dellgw.iij.net
rrdmz-drp.us.dell.com
others (some of these don't fit the same profile as the rest):
200.211.187.194 (embratel)
204.178.112.122 204.178.112.123 204.178.112.180 204.178.112.181 (uunet)
207.239.35.71 (@plan)
208.164.253.4.janusfunds.com 208.246.133.69 (Janus Funds)
63.65.248.67 (keytech)
afp-gw.iway.fr
afp2-gw.customer.alter.net
bigip.BigCharts.com
www.giganet.demon.co.uk
www.maestro.demon.nl
www.parafotos.demon.co.uk
The vast majority of the connections are to our caching DNS servers.
No one logs into those systems, the only traffic they originate is
DNS requests, and they aren't listed as primary or secondary for any
publicly accessible zones--so the only way they could have been
identified was by monitoring DNS requests. Very weird.
--
Dan Riley [EMAIL PROTECTED]
Wilson Lab, Cornell University <URL:http://www.lns.cornell.edu/~dsr/>
"History teaches us that days like this are best spent in bed"
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
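One way to check the pattern described in this thread against your own connection logs, as an added example that is not part of the original messages: it marks each inbound TCP connection to the echo port (7) or to port 53 on a caching resolver as following, or not following, a recent outbound DNS query from that resolver into the same network. The log format, the addresses (documentation ranges), the /24 grouping and the 120-second window are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

RESOLVER = "192.0.2.53"                         # constructed caching DNS server address
PROBE_PORTS = {7: "echo", 53: "zone-transfer"}  # TCP ports named in the thread
WINDOW = 120                                    # seconds; assumed correlation window

# Constructed connection log, one record per line: epoch proto src dst dport
SAMPLE_LOG = """\
1000 udp 192.0.2.53 198.51.100.10 53
1004 tcp 198.51.100.77 192.0.2.53 53
1009 tcp 198.51.100.78 192.0.2.53 7
1090 tcp 198.51.100.77 192.0.2.53 7
5000 tcp 203.0.113.5 192.0.2.53 7
5001 tcp 203.0.113.5 192.0.2.80 7
"""

def net24(addr):
    """Collapse an IPv4 address to its /24 (assumption: probers sit near the queried server)."""
    return ipaddress.ip_network(addr + "/24", strict=False)

def correlate(log_text, resolver=RESOLVER, window=WINDOW):
    """Return (time, source, probe type, follows_query) for each inbound probe to the resolver."""
    last_query = {}   # /24 -> time of the resolver's most recent outbound DNS query
    results = []
    for line in log_text.splitlines():
        ts, proto, src, dst, dport = line.split()
        ts, dport = int(ts), int(dport)
        if src == resolver and dport == 53:
            last_query[net24(dst)] = ts          # outbound lookup by the resolver
        elif dst == resolver and proto == "tcp" and dport in PROBE_PORTS:
            seen = last_query.get(net24(src))
            follows = seen is not None and 0 <= ts - seen <= window
            results.append((ts, src, PROBE_PORTS[dport], follows))
    return results

def summarize(results):
    """Count probes per source /24, split by whether they followed a query."""
    counts = defaultdict(lambda: {"after_query": 0, "unsolicited": 0})
    for _, src, _, follows in results:
        counts[str(net24(src))]["after_query" if follows else "unsolicited"] += 1
    return dict(counts)

if __name__ == "__main__":
    for net, c in summarize(correlate(SAMPLE_LOG)).items():
        print(net, c)
```

A high share of "after_query" probes from one network is consistent with the resolver having been picked out from its own DNS requests; "unsolicited" probes point to some other source of targeting.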