Security Incidents mailing list archives

Re: Large quantity of traffic from amazon.com - source_port 3000


From: dbrez () AMAZON COM (Dominique Brezinski)
Date: Sat, 15 Jan 2000 13:26:23 -0800


        I am a security engineer at amazon.com and responsible for responding to
external incidents.  Since the post does not provide specifics about the
packets received (i.e., tcpdump -s 1500 -x), I cannot say with certainty,
but I strongly believe what Peter is seeing is a by-product of a bug in our
load balancing devices!  The IP addresses that www.amazon.co.uk resolves to
are virtual.  The load balancer detects TCP connection setup requests
destined for the virtual addresses and establishes a session record.  The
TCP connection is then proxied to an appropriate web server (in this case
on port 3000).  It turns out that the load balancer prematurely removes the
session record during TCP connection tear down, sends a TCP Reset in
response to the last ACK that a client sends, thus causing the web server
to retransmit (many times) its final FIN/ACK segment to the client (sourced
from the *real* web server IP--that is why you see a different IP address
than www.amazon.co.uk).  Since the Reset sent by the load balancer already
had the effect of closing the TCP session on the client's end (or
firewall), the retransmitted FIN/ACKs (coming from a different source
address than www.amazon.co.uk) tend to set off port scan detectors :(
        We receive reports similar to this one on a regular basis since the last
revision of the load balancers.  Amazon.com is committed to the security of
its customers and the Internet.  We have no indication that the activity
Peter is experiencing is malicious, and we sincerely apologize for any
inconvenience this bug is causing our customers.  We have notified our
vendor, and they have acknowledged the problem.  We expect a fix shortly.
        In the future, please inform us prior to posting to a public forum.  You
can reach us at security () amazon com.  We make every attempt to respond in a
timely and appropriate manner.

Cheers!

---
Dominique Brezinski             Amazon.com Security
office (206) 266-6900           pager (888) 916-2747
8312 ADAB C5B2 1916 CBD8  150E 37CE 044E F45F B5E4
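
An added example, not part of the original post: a triage check that separates the artifact described above (one FIN/ACK segment retransmitted to a single client port) from a source that touches many ports. The record layout, the thresholds and the sample addresses are constructed for illustration, and the non-decreasing-gap test assumes the server's retransmission timer backs off.

```python
from collections import defaultdict

# Constructed sample records, not taken from the post:
# (time_s, src_ip, src_port, dst_ip, dst_port, tcp_flags, seq)
SAMPLE = [
    (0.0,  "192.0.2.10", 3000, "198.51.100.5", 41022, "FA", 7001),
    (3.0,  "192.0.2.10", 3000, "198.51.100.5", 41022, "FA", 7001),
    (9.0,  "192.0.2.10", 3000, "198.51.100.5", 41022, "FA", 7001),
    (21.0, "192.0.2.10", 3000, "198.51.100.5", 41022, "FA", 7001),
    # Same flags, but one packet per destination port: not a retransmission.
    (1.0,  "203.0.113.9", 40000, "198.51.100.5", 22,  "FA", 11),
    (1.1,  "203.0.113.9", 40000, "198.51.100.5", 23,  "FA", 12),
    (1.2,  "203.0.113.9", 40000, "198.51.100.5", 80,  "FA", 13),
    (1.3,  "203.0.113.9", 40000, "198.51.100.5", 443, "FA", 14),
]

def is_retransmit_flow(pkts, min_repeats=3):
    """True if one flow is the same FIN/ACK segment resent with backoff."""
    pkts = sorted(pkts)
    times = [t for t, _, _ in pkts]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return (len(pkts) >= min_repeats
            and {f for _, f, _ in pkts} == {"FA"}        # only FIN/ACK seen
            and len({s for _, _, s in pkts}) == 1        # identical sequence number
            and all(g2 >= g1 for g1, g2 in zip(gaps, gaps[1:])))  # timer backoff

def classify(records, scan_ports=4):
    """Map each source IP to 'fin-ack-retransmit', 'scan-like' or 'other'."""
    flows = defaultdict(lambda: defaultdict(list))
    for t, src, sport, dst, dport, flags, seq in records:
        flows[src][(sport, dst, dport)].append((t, flags, seq))
    verdict = {}
    for src, by_flow in flows.items():
        if all(is_retransmit_flow(p) for p in by_flow.values()):
            verdict[src] = "fin-ack-retransmit"
        elif len({(dst, dport) for _, dst, dport in by_flow}) >= scan_ports:
            verdict[src] = "scan-like"
        else:
            verdict[src] = "other"
    return verdict

if __name__ == "__main__":
    for src, label in classify(SAMPLE).items():
        print(src, label)
```

A "fin-ack-retransmit" verdict only says the traffic matches the teardown pattern; confirming it still needs the matching outbound connection in the client's or firewall's logs.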


