Security Incidents mailing list archives

Re: Large quantity of traffic from amazon.com - source_port 3000


From: tsx () NETSCAPE NET (Chris)
Date: Sat, 15 Jan 2000 19:25:28 MET


Hi,

A user here was innocently browsing amazon.com,
when our firewall log here just starts filling up with
traffic to his machine, from about 5 different IP addresses
in a network owned by amazon.com (208.192.209.102)
TCP traffic, ports all above 17xx, with source port of 3000.

What stuck out is because the traffic was denied by the firewall,
the hosts and traffic just kept on coming and coming...

I've seen the same type of traffic trigger off firewall alerts on one of our
customer's firewalls. The traffic came from the below 3 IPs and was targeted
to random ports > 1800 < 2000. The src port seems to be within the same range
here.

208.192.209.204
208.192.209.203
208.192.209.201

When examining the outgoing logs I found that a user was browsing amazon.com
at that time when those connections occurred. I thought it's probably any kind
of load or traffic balancer seeking knowledge ... But one would expect to find
a running httpd on one of those IPs - nope.

If anybody else can shed some light on what's happening? Could this be caused
by extremely slow connections as mentioned in
http://www.securityfocus.com/templates/archive.pike?list=19&date=1999-06-8&msg=375FC499.C319ECAD () sover net

Cheers,
Christoph Schneeberger
SCS Telemedia

cschnee \at\ telemedia.ch
