Firewall Wizards mailing list archives

RE: TCP port 7 traffic from DoubleClick


From: Mason Begley <mbegley () concentric com>
Date: Tue, 6 Jul 1999 15:37:40 -0700

Here is what I am getting on my firewall logs:

Jul  2 11:20:33.320 gw dnsd[292]: 516 Asked about Address for m.doubleclick.net. -- server 199.95.208.26 sent (m.doubleclick.net. CNAME exnjld4avip.doubleclick.net.) - RR unrelated to previous CNAME - cache poisoning attack?

This just started the last few days.

Mason Begley
Concentric Network

-----Original Message-----
From:   Vern Paxson [mailto:vern () ee lbl gov]
Sent:   Monday, July 05, 1999 5:54 PM
To:     Greg Nowicki
Cc:     firewall-wizards () nfr net
Subject:        Re: TCP port 7 traffic from DoubleClick

> My firewall has been logging a persistent stream of TCP connection attempts
> to port 7 (echo) from six hosts belonging to DoubleClick.  I would like to
> know if anyone else on the list has observed this?
>
> It started back on June 4 and has continued almost every day since then.
> The pattern of the traffic consists of 2-6 connection attempts from the
> addresses 199.95.207.91, 199.95.208.85, 207.239.35.71, 208.32.211.71,
> 209.67.38.49, & 209.67.38.50.  Each host will attempt a connection within
> 30 seconds or so of the others.  This pattern repeats 1-4 times a day.
>
> The reason that I do not just ignore the traffic is that the frequency
> of the attempts exceeds thresholds I have set on my firewall thereby
> generating a page.  I can only speculate that they are trying to gauge
> the performance of their banner ad delivery.  E-mail requests to
> DoubleClick have gone unanswered.  I have reported the traffic to the
> abuse group of my ISP and they are looking in to it.

Yep, we see the same thing, except the connection attempts come within
milliseconds of each other, they come in pairs (two back-to-back echo
connection attempts to the same destination from the same source, but with
different source ports), and we get about 20 pairs a day from each of
the different sources, to our name servers and one of our main ftp
servers.

It started here on June 4th, too.

                Vern
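
An added example, not part of either poster's message or of any firewall product: one way to collapse the pattern reported above into bursts, so that a paging threshold counts coordinated multi-source bursts to the echo port rather than individual attempts. The log line format, the destination 192.0.2.10 and the two non-DoubleClick sources are constructed for illustration; the 30-second window is taken from the report.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # "within 30 seconds or so of the others"

# Constructed sample in a hypothetical "time action proto src:port -> dst:port" format.
SAMPLE_LOG = """\
1999-06-04T09:15:02 DENY tcp 199.95.207.91:3412 -> 192.0.2.10:7
1999-06-04T09:15:02 DENY tcp 199.95.207.91:3413 -> 192.0.2.10:7
1999-06-04T09:15:11 DENY tcp 207.239.35.71:2200 -> 192.0.2.10:7
1999-06-04T09:15:25 DENY tcp 209.67.38.49:4101 -> 192.0.2.10:7
1999-06-04T09:40:00 DENY tcp 198.51.100.7:1025 -> 192.0.2.10:23
1999-06-04T14:02:40 DENY tcp 208.32.211.71:1888 -> 192.0.2.10:7
1999-06-04T14:02:58 DENY tcp 199.95.208.85:1901 -> 192.0.2.10:7
1999-06-04T18:30:00 DENY tcp 203.0.113.5:5000 -> 192.0.2.10:7
"""

def parse(line):
    """Split one log line into (timestamp, action, proto, src_ip, dst_port)."""
    ts, action, proto, src, _arrow, dst = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_port = int(dst.rsplit(":", 1)[1])
    return datetime.fromisoformat(ts), action, proto, src_ip, dst_port

def echo_bursts(log_text, window=WINDOW, min_sources=2):
    """Group denied TCP/7 attempts into bursts separated by gaps longer than
    `window`; report only bursts involving at least `min_sources` sources."""
    events = sorted(
        (ts, src)
        for ts, action, proto, src, port in
        (parse(l) for l in log_text.splitlines() if l.strip())
        if action == "DENY" and proto == "tcp" and port == 7
    )
    bursts, current = [], []
    for ts, src in events:
        if current and ts - current[-1][0] > window:
            bursts.append(current)   # gap too long: close the running burst
            current = []
        current.append((ts, src))
    if current:
        bursts.append(current)
    return [
        {"start": b[0][0], "attempts": len(b), "sources": sorted({s for _, s in b})}
        for b in bursts
        if len({s for _, s in b}) >= min_sources
    ]

if __name__ == "__main__":
    for burst in echo_bursts(SAMPLE_LOG):
        print(burst["start"], burst["attempts"], burst["sources"])
```
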


