Security Incidents mailing list archives

Re: TCP connections to port 1024 - DDoS?


From: Arrigo Triulzi <arrigo () NORTHSEA SEVENSEAS ORG>
Date: Wed, 25 Oct 2000 19:01:13 +0100

Neil Long wrote:
|If you go take a look at www.mirror-image.com you will see that they have a
|large number of servers spread around geographically and my guess is that
|this scanning pattern is working out best routes, responses, etc.

Probably yet another of those load-balancing services.  I fear we will
just have to learn to live with these - think about the madness of
3DNS which, at a certain point at the beginning of the year, started
major ICMP traffic towards sites connecting to their servers.  Not
only that: once a site was "registered" it would continue to be
targeted.  I had a NATting firewall box which was receiving pings at 1
min intervals for three days before I managed to convince my ISP that
I did not really want our already saturated link to carry that traffic.

|As to how or why they are acquiring all these 'hosts which are running named
|of some type' raises a lot of questions the answers to which may be somewhat
|disturbing. I regard the packets as 'mostly harmless' but we all know where
|that can lead to.

They continue under the not necessarily correct assumption that DNS
servers are both geographically and in a network sense close to their
clients.  By measuring the path to the DNS server they hope to be able
to assign the closest server from their pool.  Because, according to
them, the Internet is highly dynamic, they have to continuously test
your site.  Just why my link should change on an hourly basis remains
a mystery to me.  Talking sense into them, e.g. "you already have a
database, why don't you add to it a time interval parameter", has
already failed numerous times, but we might be able to convince them...

I still think that, independently of the whole concept of performing
these scans, which I disagree with, there are ways in which it could be
made much more efficient and useful on their part if they weren't so
lazy!

Arrigo
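The mechanism Arrigo describes (each site in a load balancer's pool measures the path to the client's DNS resolver, the resolver is then answered with the lowest-RTT site, and the measurement is repeated on a schedule) is modelled below as an added example. It is not code from Mirror Image, 3DNS or any poster; the class and function names are hypothetical, the RTT matrix and resolver addresses are constructed so it runs offline, and the `reprobe_interval_s` parameter is the "time interval parameter" the message suggests adding to the existing measurement database. Running the scenario with an hourly interval reproduces the complaint in the thread (every query triggers a fresh set of probes); a daily interval cuts the probe traffic to one measurement per site per day without changing the answer.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple


@dataclass
class Measurement:
    rtts_ms: Dict[str, float]  # site name -> RTT (ms) measured from that site to the resolver
    measured_at: float         # unix time at which the probes were sent


@dataclass
class ProximityDatabase:
    """Hypothetical DNS-based global load balancer decision table.

    pool:  site name -> address handed out to clients behind that resolver
    probe: probe(site, resolver_ip) -> RTT in ms; injected so the model needs no network
    reprobe_interval_s: how long a measurement stays valid before the resolver is probed again
    """
    pool: Dict[str, str]
    probe: Callable[[str, str], float]
    reprobe_interval_s: float = 24 * 3600
    _table: Dict[str, Measurement] = field(default_factory=dict)
    probes_sent: int = 0

    def needs_probe(self, resolver_ip: str, now: float) -> bool:
        # Probe only if the resolver was never measured or the entry has expired.
        entry = self._table.get(resolver_ip)
        return entry is None or now - entry.measured_at >= self.reprobe_interval_s

    def refresh(self, resolver_ip: str, now: float) -> None:
        # Every site in the pool measures the path to the resolver (one probe each).
        rtts = {}
        for site in self.pool:
            rtts[site] = self.probe(site, resolver_ip)
            self.probes_sent += 1
        self._table[resolver_ip] = Measurement(rtts, now)

    def answer(self, resolver_ip: str, now: float) -> Tuple[str, str]:
        """Return (site, address) for a query arriving from resolver_ip at time now."""
        if self.needs_probe(resolver_ip, now):
            self.refresh(resolver_ip, now)
        rtts = self._table[resolver_ip].rtts_ms
        best = min(rtts, key=rtts.get)
        return best, self.pool[best]


# Constructed RTT matrix (ms) standing in for real ICMP/traceroute probes;
# addresses are documentation ranges, not real resolvers or sites.
SIMULATED_RTT = {
    ("eu-west", "192.0.2.53"): 12.0,
    ("us-east", "192.0.2.53"): 95.0,
    ("ap-south", "192.0.2.53"): 180.0,
    ("eu-west", "198.51.100.53"): 110.0,
    ("us-east", "198.51.100.53"): 8.0,
    ("ap-south", "198.51.100.53"): 210.0,
}

POOL = {"eu-west": "203.0.113.10", "us-east": "203.0.113.20", "ap-south": "203.0.113.30"}


def simulated_probe(site: str, resolver_ip: str) -> float:
    return SIMULATED_RTT[(site, resolver_ip)]


def run_scenario(reprobe_interval_s: float, query_interval_s: float = 3600,
                 queries: int = 72) -> Tuple[Set[str], int]:
    """Serve `queries` lookups from one resolver, one every query_interval_s
    (default: hourly for three days), and return the set of sites chosen and
    the total number of probes the balancer sent to that resolver's network."""
    db = ProximityDatabase(POOL, simulated_probe, reprobe_interval_s)
    answers = set()
    for i in range(queries):
        site, _ = db.answer("192.0.2.53", i * query_interval_s)
        answers.add(site)
    return answers, db.probes_sent


if __name__ == "__main__":
    for interval in (3600, 24 * 3600):
        sites, probes = run_scenario(interval)
        print(f"reprobe every {interval:>6}s: answer={sorted(sites)} probes_sent={probes}")
```

The point of the model is the last line of each scenario: the chosen site is identical in both runs, so the extra probes bought the balancer nothing, which is the inefficiency the message complains about. A real deployment would also want a lower bound on the interval, or a per-prefix backoff, so that a link which is already saturated is not measured more often than the database entry can change.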

