Firewall Wizards mailing list archives
Re: TCP port 7 traffic from DoubleClick
From: Albert Hopkins <ahopkins () dynacare com>
Date: Fri, 9 Jul 1999 21:44:57 -0500 (CDT)
On Wed, 7 Jul 1999, Neil Ratzlaff wrote:
At 15:54 07/05/99 -0700, Vern Paxson wrote:My firewall has been logging a persistent stream of TCP connection attempts to port 7 (echo) from six hosts belonging to DoubleClick. I would like to know if anyone else on the list has observed this? It started back on June 4 and has continued almost every day since then. The pattern of the traffic consists of 2-6 connection attempts from the addresses 199.95.207.91, 199.95.208.85, 207.239.35.71, 208.32.211.71, 209.67.38.49, & 209.67.38.50. Each host will attempt a connection within 30 seconds or so of the others. This pattern repeats 1-4 times a day. The reason that I do not just ignore the traffic is that the frequency of the attempts exceeds thresholds I have set on my firewall thereby generating a page. I can only speculate that they are trying to gauge the performance of their banner ad delivery. E-mail requests to DoubleClick have gone unanswered. I have reported the traffic to the abuse group of my ISP and they are looking in to it.Yep, we see the same thing, except the connection attempts come within milliseconds of each other, they come in pairs (two back-to-back echo connection attempts to the same destination from the same source, but with different source ports), and we get about 20 pairs a day from each of the different sources, to our name servers and one of our main ftp servers. It started here on June 4th, too. VernMine seem to come in batches of 15 in the same second, with source ports anywhere/everywhere above 32000. Each group contains at least 4 different source IP addresses from the list above.
We're getting it too. The target, 99% of the time, is our internal name server. Source ports are usually above 32000. Is there any way that they (DoubleClick) can be persuaded to cease and desist? -- Albert Hopkins Sr. Systems Specialist Dynacare, Inc ahopkins () dynacare com
Current thread:
- Re: TCP port 7 traffic from DoubleClick, (continued)
- Re: TCP port 7 traffic from DoubleClick C. Harald Koch (Jul 06)
- Re: TCP port 7 traffic from DoubleClick George Ross (Jul 07)
- Re: TCP port 7 traffic from DoubleClick Joseph S D Yao (Jul 08)
- Re: TCP port 7 traffic from DoubleClick dreamwvr (Jul 12)
- Re: TCP port 7 traffic from DoubleClick David Lang (Jul 08)
- Re: TCP port 7 traffic from DoubleClick C. Harald Koch (Jul 06)
- Re: TCP port 7 traffic from DoubleClick James Burns (Jul 07)
- Re: TCP port 7 traffic from DoubleClick C. Harald Koch (Jul 06)
- Re: TCP port 7 traffic from DoubleClick Joseph S D Yao (Jul 12)
- Re: TCP port 7 traffic from DoubleClick Vern Paxson (Jul 06)
- Re: TCP port 7 traffic from DoubleClick Neil Ratzlaff (Jul 09)
- Re: TCP port 7 traffic from DoubleClick Albert Hopkins (Jul 12)
- Re: TCP port 7 traffic from DoubleClick Neil Ratzlaff (Jul 09)
- Re: TCP port 7 traffic from DoubleClick Vern Paxson (Jul 07)
- RE: TCP port 7 traffic from DoubleClick Mason Begley (Jul 08)
- Re: TCP port 7 traffic from DoubleClick ark (Jul 12)
- Re: TCP port 7 traffic from DoubleClick R. DuFresne (Jul 12)
- Re: TCP port 7 traffic from DoubleClick Timothy K. Ewing (Jul 13)
- Re: TCP port 7 traffic from DoubleClick David Lang (Jul 14)