Yes, us too. I got a response from the relevant admins,
where this is traffic generated from geographical latency
analyzing software, used for www page distribution.
I thought it was an odd probe too, and am not convinced
that they should be doing it this way. Their response is below.
-- Joshua
___________________________________________________________________
Joshua Chamas Chamas Enterprises Inc.
NODEWORKS - web link monitoring Long Beach, CA 1-562-432-2469
http://www.nodeworks.com http://www.chamas.com
> From: Ng, Alex [SMTP:[EMAIL PROTECTED]]
> Sent: Monday, June 07, 1999 11:05 AM
> Subject: RE: Probable attack from your domain
>
> Dear Sir,
>
> We are currently using the product GlobalDispatch from Resonate Inc.
> for our Wide Area Data Distribution. Please see letter below for a
> detailed explanation of this product. Thanks.
>
> Sincerely,
>
> Alex Ng
>
>
> --------------------
>
> Hello Sir,
>
> Alex at Doubleclick asked us to work with you regarding this ticket.
>
> We have reason to believe that the reports you've received regarding
> these three machines being compromised are a misunderstanding as a result
> of our enterprise traffic management software: Global Dispatch. Global
> Dispatch is a WAN-based scheduler that makes it easy to place content
> close to geographically dispersed users and intelligently directs
> requests to the best-suited Point of Presence (POP).
>
> In the course of determining the best suited POP, Global Dispatch performs
> a latency measurement. This latency measurement is done by making a
> connection to the client DNS server on TCP port 7 and then dropping the
> connection. After the latency measurement has been done, the latency
> values are cached, and the IP of the most responsive POP is returned to
> the requesting machine.
>
> I hope this helps clear up the confusion. We are looking into other ways to
> perform this latency measurement, and hope we have not caused you any
> inconvenience.
>
> --
> Resonate Technical Support <[EMAIL PROTECTED]>
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Richard Day Call Center Manager
>
> Resonate, Inc.
> 465 Fairchild Drive
> Suite 115
> Mountain View, CA 94040
>
> Main Phone 650 967.6500
> Fax 650 967.6561
> Support Line 650 967.4800
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
Roger Marquis wrote:
>
> We recently began seeing an interesting pattern of tcp packets, from 6
> unique IPs, none with reverse dns, 5 or 6 packets per src IP to a single
> destination IP, port 7 (echo). These packets are all logged within a few
> seconds of each other which leads me to suspect that most of them could be
> spoofed. The "source" IPs are:
>
> 199.95.207.91 DOUBLECLICK.NET
> 199.95.208.85 DOUBLECLICK.NET
> 207.239.35.71 @PLAN (webplan.net)
> 208.32.211.71 DOUBLECLICK.NET
> 209.67.38.49 EXODUS.NET (no reverse dns in subnet)
> 209.67.38.50 EXODUS.NET (no reverse dns in subnet)
>
> Anyone else seen this traffic pattern?
>
> >Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 207.239.35.71:64314
> >Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 208.32.211.71:44619
> >Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.208.85:45641
> >Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.207.91:40861
> >Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 209.67.38.49:36966
> >...
> >Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 207.239.35.71:33107
> >Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.208.85:47895
> >Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.207.91:42421
> >Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 208.32.211.71:46178
> >Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 207.239.35.71:33108
> >...
> >cont. for several pages
>
> --
> Roger Marquis
> Roble Systems Consulting
> http://www.roble.com/
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
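
Added example, not part of the original posts and not Resonate's code: a log check that groups TCP port 7 connection attempts like the ones quoted above into bursts and reports how many distinct sources hit one destination at nearly the same moment, which is the signature of the multi-POP latency measurement described in the vendor reply. The function names, the assumed year (syslog omits it) and the gap and min_sources thresholds are assumptions.

```python
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+\S+\s+/kernel:\s+Connection attempt"
    r"\s+to\s+TCP\s+([\d.]+):(\d+)\s+from\s+([\d.]+):\d+")

def parse(lines, year=1999):
    """Yield (dst_ip, dst_port, time, src_ip) from kernel log lines in the format
    quoted in the thread. Syslog omits the year, so it is an assumption."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            mon, day, clock, dst, dport, src = m.groups()
            ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
            yield dst, int(dport), ts, src

def probe_bursts(lines, port=7, gap=2, min_sources=3):
    """Group attempts to one dst:port that are <= gap seconds apart and keep the
    groups with >= min_sources distinct sources (thresholds are assumptions)."""
    groups = []
    for dst, _, ts, src in sorted(e for e in parse(lines) if e[1] == port):
        last = groups[-1][-1] if groups else None
        if last and last[0] == dst and ts - last[1] <= timedelta(seconds=gap):
            groups[-1].append((dst, ts, src))
        else:
            groups.append([(dst, ts, src)])
    bursts = []
    for g in groups:
        sources = sorted({src for _, _, src in g})
        if len(sources) >= min_sources:
            bursts.append({"dst": g[0][0], "start": g[0][1], "attempts": len(g), "sources": sources})
    return bursts

# Nine lines from the log quoted above, plus one constructed port-23 line (last).
SAMPLE = """\
Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 207.239.35.71:64314
Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 208.32.211.71:44619
Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.208.85:45641
Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.207.91:40861
Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 209.67.38.49:36966
Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 207.239.35.71:33107
Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.208.85:47895
Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.207.91:42421
Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 207.239.35.71:33108
Jun 4 07:45:00 server1 /kernel: Connection attempt to TCP 192.168.1.1:23 from 192.0.2.10:1025
""".splitlines()

if __name__ == "__main__":
    for b in probe_bursts(SAMPLE):
        print(b["start"], b["dst"], b["attempts"], "attempts from", len(b["sources"]), "sources")
```

A burst where attempts exceed distinct sources, as in the second group here, means at least one source connected more than once inside the window.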