Security Incidents mailing list archives
Re: TCP connections to port 1024 - DDoS?
From: Arrigo Triulzi <arrigo () NORTHSEA SEVENSEAS ORG>
Date: Wed, 25 Oct 2000 19:01:13 +0100
Neil Long scripsit:
|If you go take a look at www.mirror-image.com you will see that they have a
|large number of servers spread around geographically and my guess is that
|this scanning pattern is working out best routes, responses, etc.

Probably yet another of those load-balancing services. I fear we will just have to learn to live with these - think about the madness of 3DNS who, at a certain point at the beginning of the year, started major ICMP traffic towards sites connecting to their servers. Not only, once a site was "registered" then it would continue to be targeted. I had a NATting firewall box which was receiving pings at 1 min intervals for three days before I managed to convince my ISP that I did not really want our already saturated link to carry that traffic.

|As to how or why they are acquiring all these 'hosts which are running named
|of some type' raises a lot of questions the answers to which may be somewhat
|disturbing. I regard the packets as 'mostly harmless' but we all know where
|that can lead to.

They continue in the not necessarily correct assumption that DNS servers are both geographically and in a network sense close to their clients. By measuring the path to the DNS server they hope to be able to assign the closest server from their pool. Because according to them the Internet is highly dynamic they have to continuously test your site. Just why my link should change on an hourly basis remains a mystery to me.

Talking sense into them, e.g. "you already have a database, why don't you add to it a time interval parameter" has already failed numerous times but we might be able to convince them...

I still think that, independently from the whole concept of performing these scans which I disagree with, there are ways in which it could be made much more efficient and useful on their part if they weren't so lazy!

Arrigo