Firewall Wizards mailing list archives
RE: TCP port 7 traffic from DoubleClick
From: Mason Begley <mbegley () concentric com>
Date: Tue, 6 Jul 1999 15:37:40 -0700
Here is what I am getting on my firewall logs: Jul 2 11:20:33.320 gw dnsd[292]: 516 Asked about Address for m.doubleclick.net. -- server 199.95.208.26 sent (m.doubleclick.net. CNAME exnjld4avip.doubleclick.net.) - RR unrelated to previous CNAME - cache poisoning attack? This just started the last few days. Mason Begley Concentric Network -----Original Message----- From: Vern Paxson [mailto:vern () ee lbl gov] Sent: Monday, July 05, 1999 5:54 PM To: Greg Nowicki Cc: firewall-wizards () nfr net Subject: Re: TCP port 7 traffic from DoubleClick > My firewall has been logging a persistent stream of TCP connection attempts > to port 7 (echo) from six hosts belonging to DoubleClick. I would like to > know if anyone else on the list has observed this? > > It started back on June 4 and has continued almost every day since then. > The pattern of the traffic consists of 2-6 connection attempts from the > addresses 199.95.207.91, 199.95.208.85, 207.239.35.71, 208.32.211.71, > 209.67.38.49, & 209.67.38.50. Each host will attempt a connection within > 30 seconds or so of the others. This pattern repeats 1-4 times a day. > > The reason that I do not just ignore the traffic is that the frequency > of the attempts exceeds thresholds I have set on my firewall thereby > generating a page. I can only speculate that they are trying to gauge > the performance of their banner ad delivery. E-mail requests to > DoubleClick have gone unanswered. I have reported the traffic to the > abuse group of my ISP and they are looking in to it. Yep, we see the same thing, except the connection attempts come within milliseconds of each other, they come in pairs (two back-to-back echo connection attempts to the same destination from the same source, but with different source ports), and we get about 20 pairs a day from each of the different sources, to our name servers and one of our main ftp servers. It started here on June 4th, too. Vern
Current thread:
- Re: TCP port 7 traffic from DoubleClick, (continued)
- Re: TCP port 7 traffic from DoubleClick Joseph S D Yao (Jul 08)
- Re: TCP port 7 traffic from DoubleClick dreamwvr (Jul 12)
- Re: TCP port 7 traffic from DoubleClick David Lang (Jul 08)
- Re: TCP port 7 traffic from DoubleClick James Burns (Jul 07)
- Re: TCP port 7 traffic from DoubleClick C. Harald Koch (Jul 06)
- Re: TCP port 7 traffic from DoubleClick Joseph S D Yao (Jul 12)
- Re: TCP port 7 traffic from DoubleClick Vern Paxson (Jul 06)
- Re: TCP port 7 traffic from DoubleClick Neil Ratzlaff (Jul 09)
- Re: TCP port 7 traffic from DoubleClick Albert Hopkins (Jul 12)
- Re: TCP port 7 traffic from DoubleClick Neil Ratzlaff (Jul 09)
- Re: TCP port 7 traffic from DoubleClick Vern Paxson (Jul 07)
- RE: TCP port 7 traffic from DoubleClick Mason Begley (Jul 08)
- Re: TCP port 7 traffic from DoubleClick ark (Jul 12)
- Re: TCP port 7 traffic from DoubleClick R. DuFresne (Jul 12)
- Re: TCP port 7 traffic from DoubleClick Timothy K. Ewing (Jul 13)
- Re: TCP port 7 traffic from DoubleClick David Lang (Jul 14)