Security Incidents mailing list archives
WebTV -- RE: Port probe on 6666
From: "PARKIN, MICHAEL M (PBI)" <mparkin () PBI NET>
Date: Fri, 28 Jul 2000 14:24:30 -0500
I know that a number of the larger services, AOL, WebTV, Prodigy, etc., subcontract local numbers from local ISPs. As far as I know, they are all DHCP clients and get their IP number from the local ISP's DHCP server. In some cases, the WebTV (or other) user will call into a specific modem bank and receive an IP number from within the WebTV IP space. In other cases, they'll use a shared IP pool and reverse lookup would be whatever it is with the host ISP. (I haven't dug into this very far, so I'm obviously not 100% sure this is the way it works.)

I suspect this "lingering connection" comes from cases where they are using a shared IP space. It could very well be exactly what WebTV claims. I know that lingering connections from on-line-game servers (Quake, Diablo, Unreal, Freespace, etc.) are very common in DHCP spaces. If the person who last had your IP was playing Evercrack, it may take a while for the server to realize that you aren't them.

Mike Parkin
Network Reliability Center
SBC Internet Services
415.442.5108

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On Behalf Of Bill Pennington
Sent: Thursday, July 27, 2000 2:45 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Port probe on 6666

It is my understanding that WebTV clients use standard ISPs for dial-up. I might be wrong since I have never touched one in my life. This would explain why you might have gotten an IP that was once used by a WebTV client. Their explanation seems very reasonable and I would think of no reason to doubt them (besides the fact that it is M$ :-) ). According to the e-mail you received, port 6666 is used for WebTV notify service, whatever that is.

"Vachon, Scott" wrote:

I hope this is the right forum for posting this. I had an attempt to connect to one of my systems last night and I am interested in opinions/insight from the incidents group.

Information captured: An attempt was made to connect to port 6666 from the below listed IP address:

notify-108.iap.bryant.webtv.net 209.240.199.146 on port 6666 UDP port 36063.

I contacted the security folks at WebTV (Microsoft) and received the following response:

There is a common misunderstanding concerning UDP Port 6666 probes. When WebTV Clients obtain an IP Address they are registered with that IP-Address in our system and stay registered until a timeout threshold is reached or are re-registered with a different IP-Address (whichever comes first.) If another system (Non-WebTV) obtains this same IP-Address previously used by a WebTV Client it may receive packets from our notify service attempting to tell the WebTV client it has mail.

***
Security Analyst
Microsoft

Questions:

1) What is port 6666 (UDP port 36063) used for, if anything?
2) Since the affected host (non WebTV) is not on the WebTV network, why would WebTV assume my host had been assigned an IP used formerly by one of their hosts?
3) Has anyone else had this same experience from a WebTV host or service?

Thanks in advance.

Scott Vachon
Network Implementations Engineer
Computer Network Services
Paymentech, Inc.

--
Bill Pennington
Senior IT Manager
Rocketcash
billp () rocketcash com
http://www.rocketcash.com