Security Incidents mailing list archives
Re: Unusual port scan?
From: Eric Whitehill <eric () botbay net>
Date: Mon, 29 Dec 2003 08:56:34 -0500 (EST)
Hello: Those are actually Akamai servers designed to push out content.
From one of our Akamai contacts..
When you connect to a web-site your browser first contacts the content provider (i.e. www.apple.com) and downloads an html file. This file contains embedded URLs that tell your browser where to find all the objects necessary to finish displaying the page. In the case of an "Akamaized" site, these URLs point to the Akamai Network.

Next, your browser makes connections to the URLs to obtain the images or streaming content. Again, for an "Akamaized" site, your browser will contact an Akamai server to obtain the requested items.

Generally a TCP server listens on a well-known port < 1023 (for example port 80 for HTTP), and a TCP client connects from a port > 1023 assigned by the operating system. So a connection from port 80 of the Akamai server to a high numbered port on your machine, is a normal HTTP transaction.

TCP connections are made this way so that multiple connections can be made between a well-known port on a server and a client. For example:

    1.1.1.1 (you)                             2.2.2.2 (Akamai)
    port 1243 <-------------+-----+----------> port 80 (HTTP)
                           /     /
    port 1244 <-----------/     /
    port 1245 <-----------------/

Each connection is identified by its source ip, source port, destination ip, and destination port.

More than likely you had AIM/Yahoo/some other form of software running on your system requesting this traffic. Since I am not at your computer, if I were you, a full system audit may be desired.

-Eric
My router logs on my personal/home machine just started receiving with these scans:

12/28/2003 13:05:44.133 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800

The scans supposedly came from:

[Query: 81.52.250.105, Server: whois.ripe.net]
<snip>
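
Added example (not part of the original mail or of the Akamai explanation it quotes): the 4-tuple matching described above, applied to router log lines in the format quoted in the original post. The OUTBOUND connection set, the sample log lines and the three labels are constructed assumptions; in practice the outbound set would come from the host's own connection table.

```python
import re
from collections import namedtuple

# A TCP connection is identified by this 4-tuple, as the mail explains.
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port")

# Matches the router log layout quoted in the original post:
#   12/28/2003 13:05:44.133 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) - (?P<src>\S+) : (?P<sport>\d+) >>> (?P<dst>\S+) : (?P<dport>\d+)$"
)

def parse_line(line):
    """Return (timestamp, Flow) for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], Flow(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def classify(flow, outbound):
    """Label an inbound packet by comparing its reversed 4-tuple with local connections."""
    reverse = Flow(flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port)
    if reverse in outbound:
        return "reply"         # answer to a connection this host opened
    if flow.src_port < 1024 and flow.dst_port > 1023:
        return "reply-shaped"  # server-to-client port pattern, but no matching connection known
    return "unsolicited"       # nothing local asked for this packet

def classify_log(text, outbound):
    """Classify every parseable line; unparseable lines are skipped."""
    parsed = (parse_line(line) for line in text.splitlines())
    return [(p[1], classify(p[1], outbound)) for p in parsed if p]

# Constructed sample data (hypothetical; addresses follow the mail's 1.1.1.1 / 2.2.2.2 diagram).
OUTBOUND = {
    Flow("1.1.1.1", 1243, "2.2.2.2", 80),
    Flow("1.1.1.1", 1244, "2.2.2.2", 80),
}
SAMPLE_LOG = """\
12/28/2003 13:05:44.133 - 2.2.2.2 : 80 >>> 1.1.1.1 : 1243
12/28/2003 13:05:44.201 - 2.2.2.2 : 80 >>> 1.1.1.1 : 1244
12/28/2003 13:05:45.010 - 2.2.2.2 : 80 >>> 1.1.1.1 : 1800
12/28/2003 13:05:46.512 - 198.51.100.7 : 4312 >>> 1.1.1.1 : 23
"""

if __name__ == "__main__":
    for flow, label in classify_log(SAMPLE_LOG, OUTBOUND):
        print(f"{flow.src_ip}:{flow.src_port} -> {flow.dst_ip}:{flow.dst_port}  {label}")
```

A "reply-shaped" result only says the port pattern fits server-to-client traffic; without a matching local connection it is the case worth checking against what was running on the host at that time.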