On Mon, 14 Jun 1999 [EMAIL PROTECTED] wrote:

> The same thing has been happening to me.

It's most probably some sort of load-balancing act attempting to get you
to the nearest host of a multi-homed site split between various colos.

Given the size of the sites in question, as well as Exodus, I'd put it at
a 99.9% certainty.  Distributed Director, BigIP, or something similar
would be my bet.

We saw similar weirdness when trying to deploy some of those technologies
a couple of years ago.  I recall tracking down a similar thing with AOL
once when one of their servers was leaking private address-based
connections due to another similar scheme to load balance on the Web
server side.

Paul

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 11, 1999 12:42 PM
> To: H D Moore
> Cc: Roger Marquis; [EMAIL PROTECTED]
> Subject: Re: Interesting traffic to tcp port 7
> 
> 
> "H D Moore" <[EMAIL PROTECTED]> writes:
> > What seemed to be happening was that my dialup machine was surfing
> > on some web site that had images on some doubleclick.net
> > advertisement server, when my machine tried to resolve the address
> > (this machine is also the caching DNS server for my home network),
> > seven or eight bbnplanet/doubleclick.net servers tried to initiate a
> > zone transfer with my home machine.  Even after the name finally
> > resolved and the image was displayed, the probes continued for about
> > 2 minutes.  Maybe this Echo port probe is related?
> 
> I've been watching these for a couple of months--first zone transfer
> attempts, now connections to the echo port.  They've come from
> 
> doubleclick:
> 
> 199.95.207.91 199.95.208.85
> 208.32.211.71
> 209.67.38.49 209.67.38.50 209.67.38.82 209.67.38.83
> 209.249.118.80 209.249.118.81 209.249.227.37
> 
> imgis:
> 
> 216.111.249.42 216.111.249.52
> 207.211.106.198 207.211.106.93
> 
> exodus:
> 
> 209.67.42.162 209.67.78.200 209.67.78.202
> 209.67.220.93 209.67.221.22
> 216.32.68.11 216.32.68.13
> 
> dell:
> 
> btdmz-drp.us.dell.com
> dellgw.iij.net
> rrdmz-drp.us.dell.com
> 
> others (some of these don't fit the same profile as the rest):
> 
> 200.211.187.194 (embratel)
> 204.178.112.122 204.178.112.123 204.178.112.180 204.178.112.181 (uunet)
> 207.239.35.71 (@plan)
> 208.164.253.4.janusfunds.com 208.246.133.69 (Janus Funds)
> 63.65.248.67 (keytech)
> afp-gw.iway.fr
> afp2-gw.customer.alter.net
> bigip.BigCharts.com
> www.giganet.demon.co.uk
> www.maestro.demon.nl
> www.parafotos.demon.co.uk
> 
> 
> The vast majority of the connections are to our caching DNS servers.
> No one logs into those systems, the only traffic they originate is
> DNS requests, and they aren't listed as primary or secondary for any
> publicly accessible zones--so the only way they could have been
> identified was by monitoring DNS requests.  Very weird.
> 
> -- 
> Dan Riley                                         [EMAIL PROTECTED]
> Wilson Lab, Cornell University      <URL:http://www.lns.cornell.edu/~dsr/>
>     "History teaches us that days like this are best spent in bed"
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 


-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
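The pattern described in the thread, a burst of inbound tcp/7 (echo) and tcp/53 (zone-transfer style) connections to a caching resolver from several hosts in the couple of minutes after that resolver sends out a lookup, is what a proximity-measuring load balancer looks like from the defender's side. The script below is an added example, not code from either poster or from any of the products named; it assumes a constructed, hypothetical firewall log format (one line per connection with a `dir`, `proto`, `src`, `sport`, `dst`, `dport` field) and RFC 5737 documentation addresses. It correlates inbound probes with the resolver's own outbound queries so an analyst can separate this benign-but-noisy behaviour from a scan that has no such trigger.

```python
"""Correlate inbound echo/zone-transfer probes with a resolver's recent outbound DNS lookups.

Hypothetical log format (constructed for this example, not a real product's format):
  <ISO-8601 timestamp> <in|out> proto=<udp|tcp> src=<ip> sport=<n> dst=<ip> dport=<n> [extra]
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>in|out) proto=(?P<proto>\w+) src=(?P<src>\S+) sport=(?P<sport>\d+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)(?: (?P<note>.*))?$"
)

# Ports the thread reports as probe targets: echo and DNS (zone-transfer attempts over TCP).
PROBE_PORTS = {7: "echo", 53: "dns/axfr"}


@dataclass
class Event:
    ts: datetime
    direction: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    note: str


def parse_line(line):
    """Parse one log line; return None for lines that do not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(
        ts=datetime.fromisoformat(m["ts"]), direction=m["dir"], proto=m["proto"],
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        note=m["note"] or "",
    )


def find_proximity_probes(lines, resolver_ip, window_s=120, min_sources=3):
    """Group inbound probes to resolver_ip by the outbound DNS query that preceded them.

    A cluster is reported only when at least min_sources distinct hosts probed within
    window_s seconds of a query; probes with no preceding query are ignored here,
    because they do not fit the load-balancer pattern and deserve separate triage.
    """
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    queries = sorted(
        (e for e in events if e.direction == "out" and e.src == resolver_ip and e.dport == 53),
        key=lambda e: e.ts,
    )
    probes = [
        e for e in events
        if e.direction == "in" and e.dst == resolver_ip and e.proto == "tcp" and e.dport in PROBE_PORTS
    ]
    window = timedelta(seconds=window_s)
    clusters = {}  # keyed by the timestamp of the most recent query that precedes the probe
    for p in probes:
        trigger = None
        for q in queries:
            if q.ts <= p.ts <= q.ts + window:
                trigger = q  # later queries overwrite earlier ones, so the closest wins
        if trigger is None:
            continue
        c = clusters.setdefault(trigger.ts, {"query_to": trigger.dst, "sources": set(), "ports": set()})
        c["sources"].add(p.src)
        c["ports"].add(PROBE_PORTS[p.dport])
    return [
        {"query_ts": ts.isoformat(), "query_to": c["query_to"],
         "sources": sorted(c["sources"]), "ports": sorted(c["ports"])}
        for ts, c in sorted(clusters.items()) if len(c["sources"]) >= min_sources
    ]


# Constructed sample log: 192.0.2.10 is the caching resolver; 203.0.113.0/24 hosts probe it.
SAMPLE_LOG = [
    "2024-01-01T12:00:00 out proto=udp src=192.0.2.10 sport=4321 dst=198.51.100.1 dport=53",
    "2024-01-01T12:00:01 in proto=tcp src=203.0.113.5 sport=40001 dst=192.0.2.10 dport=53 flags=S",
    "2024-01-01T12:00:01 in proto=tcp src=203.0.113.6 sport=40002 dst=192.0.2.10 dport=7 flags=S",
    "2024-01-01T12:00:02 in proto=tcp src=203.0.113.7 sport=40003 dst=192.0.2.10 dport=7 flags=S",
    "2024-01-01T12:01:30 in proto=tcp src=203.0.113.5 sport=40004 dst=192.0.2.10 dport=7 flags=S",
    # Echo connection with no outbound lookup in the preceding two minutes: not this pattern.
    "2024-01-01T12:10:00 in proto=tcp src=203.0.113.99 sport=40005 dst=192.0.2.10 dport=7 flags=S",
    # A second lookup followed by a single probe: below min_sources, so not reported.
    "2024-01-01T12:15:00 out proto=udp src=192.0.2.10 sport=4322 dst=198.51.100.2 dport=53",
    "2024-01-01T12:15:05 in proto=tcp src=203.0.113.8 sport=40006 dst=192.0.2.10 dport=7 flags=S",
    # Inbound SSH attempt: not a probe port, ignored by this correlation.
    "2024-01-01T12:20:00 in proto=tcp src=203.0.113.50 sport=40007 dst=192.0.2.10 dport=22 flags=S",
]

if __name__ == "__main__":
    for finding in find_proximity_probes(SAMPLE_LOG, "192.0.2.10"):
        print(finding)
```

The two-minute window mirrors the duration reported in the thread; the `min_sources` threshold is what keeps a single stray echo connection from being labelled as load-balancer traffic, and the probes it leaves unexplained are the ones worth looking at by hand.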
