Security Incidents mailing list archives
Re: your mail
From: jerm <jerm () DGS NET>
Date: Thu, 26 Oct 2000 16:09:55 -0400
Could it be people hiding their nefarious probes within a net-wide "cloud" of legitimate probes from load balancing systems?

On Thu, 26 Oct 2000, Abe Getchell wrote:
Hello all,

I just heard back from http://www.insnet.net/ this morning. Request and response below.

-------------------------------------------------------------------------

Hello,

We are seeing a massive amount of connections coming from 194.205.125.26 that are being dropped by our firewall. The machine in question is attempting to establish TCP connections to port 1024 on a number of different machines inside our network. I have included a (large - 351K) log from our firewall for a 24 hour period detailing this activity. All times in the log are Eastern Standard Time here in the States. If you have any questions or require any additional information, please feel free to contact me by e-mail or voice at the address or number listed in my sig.

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice 502-564-2020x225
E-mail agetchel () kde state ky us
Web http://www.kde.state.ky.us/

---------------------------------------------------------------------------
---------------------------------------------------------------------------

The activity you describe is a result of our global load balancer. When a client behind your DNS server makes a request to one of our customer's sites, our load balancer has all of our sites send out an RTT packet to see which site is closest to the client's DNS server. The decision is then made as to which site the client's request will be sent. This is a function of Cisco's Distributed Director and in no way an attempt to disrupt your network. In fact, the clients' requests are answered quicker and their web pages delivered much quicker as a result. The packet is sent out on port 1024 as many firewalls block port 53, which is the default port, as a safeguard against DNS zone transfers outside their network, and we didn't want the impression we were trying to actually get into the DNS box on port 53.

A handshake is not required by the Distributed Director, since the original request is from one of your clients. This is why the Distributed Director treats it as if it were an established connection, hence the ACK ....

I hope this clarifies things. If you have any further questions, please direct them to networks () mirror-image com

We apologize for any confusion.

----------------------------------------------------------------------------

This would make sense, especially because we're not seeing the SYNs, just the ACKs. It also hits on exactly what Neil sent out to the list yesterday... even from the same company. However, I'm not sure why I would be seeing 109 of these requests, in 4 seconds, at 3:09am EST. It also doesn't explain why I would be seeing these requests from machines which are obviously 'home machines' on DSL lines and cable modems. Maybe we are seeing two problems as one?

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice 502-564-2020x225
E-mail agetchel () kde state ky us
Web http://www.kde.state.ky.us/
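The thread above turns on one observable: a bare ACK to TCP/1024 with no SYN from either side, which the load balancer's RTT probe would produce, versus the burst (109 in 4 seconds) and the unexpected source addresses that Abe could not square with that explanation. The script below is an added example, not code from the original thread or from Cisco, that triages a firewall drop log along exactly those lines: it keeps only bare ACKs to the port, counts how many a source sends inside a sliding window, and separates sources that also send other flags (a SYN means a real connection attempt, not an RTT measurement). The log format (date, time, source, destination, destination port, TCP flags) is a constructed, simplified one and not any particular firewall's; the sample lines, the thresholds and the function names are assumptions.

```python
"""Triage bare-ACK probes to TCP/1024 in a (constructed) firewall drop log.

Added example, not part of the original thread. The log format is a
simplified, invented one: "YYYY-MM-DD HH:MM:SS src dst dport flags", where
flags is a string of TCP flag letters (A = ACK, S = SYN, ...).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 194.205.125.26 is the source named in the thread;
# the other addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2000-10-26 03:09:00 194.205.125.26 10.1.2.3 1024 A
2000-10-26 03:09:00 194.205.125.26 10.1.2.4 1024 A
2000-10-26 03:09:01 194.205.125.26 10.1.2.5 1024 A
2000-10-26 03:09:01 194.205.125.26 10.1.2.6 1024 A
2000-10-26 03:09:02 194.205.125.26 10.1.2.7 1024 A
2000-10-26 03:09:03 194.205.125.26 10.1.2.8 1024 A
2000-10-26 09:15:12 192.0.2.44 10.1.2.3 1024 A
2000-10-26 09:15:40 192.0.2.44 10.1.2.3 1024 S
2000-10-26 11:02:05 198.51.100.9 10.1.2.9 1024 A
"""

# Verdict labels (assumed names).
BURST = "burst"            # many bare ACKs in a short window: review
MIXED = "mixed-flags"      # same source also sent SYN or other flags: review
CONSISTENT = "consistent"  # isolated bare ACK(s): matches the RTT-probe story


def parse_log(text):
    """Parse the constructed log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, dst, dport, flags = line.split()
        records.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "src": src, "dst": dst, "dport": int(dport), "flags": flags,
        })
    return records


def is_bare_ack(rec, port=1024):
    """A segment to `port` carrying only ACK, i.e. no handshake preceded it."""
    return rec["dport"] == port and rec["flags"] == "A"


def max_burst(timestamps, window_s):
    """Largest number of events falling inside any window_s-second window."""
    timestamps = sorted(timestamps)
    window = timedelta(seconds=window_s)
    best = start = 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(records, port=1024, window_s=4, burst_threshold=5):
    """Per-source verdict for traffic to `port`.

    A source whose only traffic is a handful of bare ACKs is consistent with
    the RTT probe described in the thread. A source that also sends SYNs is
    trying to open connections, and a source that fires burst_threshold or
    more bare ACKs within window_s seconds is worth a second look whatever
    the explanation offered for it.
    """
    acks = defaultdict(list)
    other = defaultdict(set)
    for rec in records:
        if rec["dport"] != port:
            continue
        if is_bare_ack(rec, port):
            acks[rec["src"]].append(rec["ts"])
        else:
            other[rec["src"]].add(rec["flags"])
    report = {}
    for src in set(acks) | set(other):
        stamps = acks.get(src, [])
        burst = max_burst(stamps, window_s) if stamps else 0
        if src in other:
            verdict = MIXED
        elif burst >= burst_threshold:
            verdict = BURST
        else:
            verdict = CONSISTENT
        report[src] = {"bare_acks": len(stamps), "max_burst": burst,
                       "other_flags": sorted(other.get(src, ())),
                       "verdict": verdict}
    return report


if __name__ == "__main__":
    for src, info in sorted(triage(parse_log(SAMPLE_LOG)).items()):
        print(f"{src:16} {info}")
```

With the sample above, the named source lands in the burst bucket (six bare ACKs inside four seconds), the 192.0.2.44 host is flagged because it followed its ACK with a SYN, and the single ACK from 198.51.100.9 is reported as consistent with the RTT-probe explanation. The threshold and window are deliberately low so the sample trips them; on a real 24-hour log they would be tuned to the number of DNS lookups your resolver actually makes against the customer's domains, since each lookup is what triggers a probe.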
Current thread:
- [no subject] Abe Getchell (Oct 27)
- [no subject] Mike Lewinski (Oct 27)
- [no subject] John Hall (Oct 28)
- Re: your mail Nick Phillips (Oct 28)
- Re: 1024 & DistributedDirector Mike Lewinski (Oct 28)
- Load Balancing Protocol (was Re: your mail) Crist Clark (Oct 31)
- Re: Load Balancing Protocol (was Re: your mail) Nick Phillips (Oct 31)
- QAZ hitting MS Pierre Vandevenne (Oct 28)
- [no subject] Mike Lewinski (Oct 27)
- Re: your mail jerm (Oct 28)