Security Incidents mailing list archives
Re: Large quantity of traffic from amazon.com - source_port 3000
From: dbrez () AMAZON COM (Dominique Brezinski)
Date: Sat, 15 Jan 2000 13:26:23 -0800
I am a security engineer at amazon.com and responsible for responding to external incidents. Since the post does not provide specifics about the packets received (i.e., tcpdump -s 1500 -x), I cannot say with certainty, but I strongly believe what Peter is seeing is a by-product of a bug in our load balancing devices!

The IP addresses that www.amazon.co.uk resolves to are virtual. The load balancer detects TCP connection setup requests destined for the virtual addresses and establishes a session record. The TCP connection is then proxied to an appropriate web server (in this case on port 3000). It turns out that the load balancer prematurely removes the session record during TCP connection tear down, sends a TCP Reset in response to the last ACK that a client sends, thus causing the web server to retransmit (many times) its final FIN/ACK segment to the client (sourced from the *real* web server IP--that is why you see a different IP address than www.amazon.co.uk). Since the Reset sent by the load balancer already had the effect of closing the TCP session on the client's end (or firewall), the retransmitted FIN/ACKs (coming from a different source address than www.amazon.co.uk) tend to set off port scan detectors :(

We receive reports similar to this one on a regular basis since the last revision of the load balancers. Amazon.com is committed to the security of its customers and the Internet. We have no indication that the activity Peter is experiencing is malicious, and we sincerely apologize for any inconvenience this bug is causing our customers. We have notified our vendor, and they have acknowledged the problem. We expect a fix shortly.

In the future, please inform us prior to posting to a public forum. You can reach us at security () amazon com. We make every attempt to respond in a timely and appropriate manner.

Cheers!

---
Dominique Brezinski
Amazon.com Security
office (206) 266-6900
pager (888) 916-2747
8312 ADAB C5B2 1916 CBD8 150E 37CE 044E F45F B5E4
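
The following is an added example, not part of the original message or of any Amazon tooling: it shows how triage logic can separate the retransmitted FIN/ACK pattern described in the message from a SYN probe of many ports. The record layout, addresses, threshold and function names are assumptions, and the packet records are constructed.

```python
from collections import defaultdict

FIN, SYN, ACK = 0x01, 0x02, 0x10  # TCP flag bits

# Constructed records: (src_ip, src_port, dst_ip, dst_port, tcp_flags, seq).
# Addresses are documentation ranges, not values from the incident.
CLIENT = "198.51.100.5"
SAMPLE = (
    # Real web server (port 3000) resending the final FIN/ACK of four closed
    # connections, three times each, to four client ephemeral ports.
    [("192.0.2.10", 3000, CLIENT, cport, FIN | ACK, 88000 + cport)
     for cport in (41022, 41023, 41024, 41025) for _ in range(3)]
    # A source sending one SYN to each of five service ports.
    + [("203.0.113.7", 52000 + i, CLIENT, dport, SYN, 1000 + i)
       for i, dport in enumerate((21, 22, 23, 25, 80))]
    # A lone ACK from an unrelated host.
    + [("192.0.2.99", 80, CLIENT, 41100, ACK, 5000)]
)


def is_fin_ack_retransmit(segments):
    """True if a flow is one FIN/ACK segment repeated with the same sequence number."""
    flags, _ = segments[0]
    return (len(segments) > 1 and len(set(segments)) == 1
            and (flags & (FIN | ACK)) == (FIN | ACK) and not flags & SYN)


def classify_sources(packets, scan_ports=4):
    """Return {src_ip: (verdict, distinct_dst_ports)} for the given packet records."""
    flows = defaultdict(lambda: defaultdict(list))
    for src, sport, dst, dport, flags, seq in packets:
        flows[src][(sport, dst, dport)].append((flags, seq))
    verdicts = {}
    for src, src_flows in flows.items():
        ports = len({dport for (_, _, dport) in src_flows})
        if all(is_fin_ack_retransmit(segs) for segs in src_flows.values()):
            verdict = "fin_ack_retransmit"   # teardown leftovers, not probing
        elif ports >= scan_ports:
            verdict = "possible_scan"        # many ports, no repeated teardown
        else:
            verdict = "other"
        verdicts[src] = (verdict, ports)
    return verdicts


if __name__ == "__main__":
    for src, result in classify_sources(SAMPLE).items():
        print(src, *result)
```

A detector that only counts distinct destination ports per source would flag 192.0.2.10 in this sample, because its retransmissions reach the same four-port threshold as a scan.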