Security Incidents mailing list archives
Re: Large quantity of traffic from amazon.com - source_port 3000
From: jgeyer () POSTALINNOVATIONS COM (Joseph Geyer)
Date: Mon, 17 Jan 2000 20:37:11 -0500
It is most likely Java apps, for their advertising if it's the same port. Also, some big websites run a second webserver on a different port so they can test "real" traffic. This doesn't look like this is the case. I would put my money on the java applet advertising. Joseph Geyer Postal Innovations, Inc. 703-560-9790 http://www.postalinnovations.com ----- Original Message ----- From: "Chris" <tsx () NETSCAPE NET> To: <INCIDENTS () SECURITYFOCUS COM> Sent: Saturday, January 15, 2000 2:25 PM Subject: Re: Large quantity of traffic from amazon.com - source_port 3000
Hi,A user here was innocently browsing amazon.com, when our firewall log here just starts filling up with traffic to his machine, from about 5 different IP addresses in a network owned by amazon.com (208.192.209.102) TCP traffic, ports all above 17xx, with source port of 3000. What stuck out is because the traffic was denied by the firewall, the hosts and traffic just kept on coming and coming...I've saw the same type of traffic trigger off firewall alerts on one of
our
customers firewalls. The traffic came from the below 3 ip's and was
targeted
to random ports > 1800 < 2000. The src port seems to be within the same
range
here. 208.192.209.204 208.192.209.203 208.192.209.201 When examining the outgoing logs I found that a user was browsing
amazon.com
at that time when those connections occured. I thought it's probably any
kind
of load or traffic balancer seeking knowledge ... But one would expect to
find
a running httpd on one of those ip's - nope. If anybody else can shed some light on what's happening ? Could this be
caused
by extremly slow connections as mentioned in
http://www.securityfocus.com/templates/archive.pike?list=19&date=1999-06-8&m sg=375FC499.C319ECAD () sover net
Cheers, Christoph Schneeberger SCS Telemedia cschnee \at\ telemedia.ch ____________________________________________________________________ Get your own FREE, personal Netscape WebMail account today at
http://webmail.netscape.com.
Current thread:
- Re: Large quantity of traffic from amazon.com - source_port 3000 Chris (Jan 15)
- Re: Large quantity of traffic from amazon.com - source_port 3000 Joseph Geyer (Jan 17)
- <Possible follow-ups>
- Re: Large quantity of traffic from amazon.com - source_port 3000 Dominique Brezinski (Jan 15)
- Re: Large quantity of traffic from amazon.com - source_port 3000 Andrew Steingruebl (Jan 18)
- Re: Large quantity of traffic from amazon.com - source_port 3000 Dominique Brezinski (Jan 18)
- Re: Large quantity of traffic from amazon.com - source_port 3000 Robert Graham (Jan 19)
- Socks port 1080 Heman Leopando (Jan 20)
- Re: Socks port 1080 Russell Fulton (Jan 20)
- I was scaned C. (Jan 20)
- Re: I was scaned Robert Graham (Jan 22)
- Re: I was scaned Jose Nazario (Jan 23)
- Re: I was scaned Gene Harris (Jan 23)
- Re: Large quantity of traffic from amazon.com - source_port 3000 Andrew Steingruebl (Jan 18)