Security Incidents mailing list archives

Re: Large quantity of traffic from amazon.com - source_port 3000

From: jgeyer () POSTALINNOVATIONS COM (Joseph Geyer)
Date: Mon, 17 Jan 2000 20:37:11 -0500


It is most likely Java apps, for their advertising if it's the same port.
Also, some big websites run a second webserver on a different port so they
can test "real" traffic.  This doesn't look like this is the case.  I would
put my money on the java applet advertising.

Joseph Geyer

Postal Innovations, Inc.
703-560-9790

http://www.postalinnovations.com
----- Original Message -----
From: "Chris" <tsx () NETSCAPE NET>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Saturday, January 15, 2000 2:25 PM
Subject: Re: Large quantity of traffic from amazon.com - source_port 3000

Hi,

A user here was innocently browsing amazon.com,
when our firewall log here just starts filling up with
traffic to his machine, from about 5 different IP addresses
in a network owned by amazon.com (208.192.209.102)
TCP traffic, ports all above 17xx, with source port of 3000.

What stuck out is because the traffic was denied by the firewall,
the hosts and traffic just kept on coming and coming...


I've saw the same type of traffic trigger off firewall alerts on one of

our

customers firewalls. The traffic came from the below 3 ip's and was

targeted

to random ports > 1800 < 2000. The src port seems to be within the same

range

here.

208.192.209.204
208.192.209.203
208.192.209.201

When examining the outgoing logs I found that a user was browsing

amazon.com

at that time when those connections occured. I thought it's probably any

kind

of load or traffic balancer seeking knowledge ... But one would expect to

find

a running httpd on one of those ip's - nope.

If anybody else can shed some light on what's happening ? Could this be

caused

by extremly slow connections as mentioned in

http://www.securityfocus.com/templates/archive.pike?list=19&date=1999-06-8&m
sg=375FC499.C319ECAD () sover net


Cheers,
Christoph Schneeberger
SCS Telemedia

cschnee \at\ telemedia.ch

____________________________________________________________________
Get your own FREE, personal Netscape WebMail account today at

http://webmail.netscape.com.

Current thread:

Re: Large quantity of traffic from amazon.com - source_port 3000 Chris (Jan 15)
- Re: Large quantity of traffic from amazon.com - source_port 3000 Joseph Geyer (Jan 17)
- <Possible follow-ups>
- Re: Large quantity of traffic from amazon.com - source_port 3000 Dominique Brezinski (Jan 15)
  - Re: Large quantity of traffic from amazon.com - source_port 3000 Andrew Steingruebl (Jan 18)
    - Re: Large quantity of traffic from amazon.com - source_port 3000 Dominique Brezinski (Jan 18)
    - Re: Large quantity of traffic from amazon.com - source_port 3000 Robert Graham (Jan 19)
    - Socks port 1080 Heman Leopando (Jan 20)
    - Re: Socks port 1080 Russell Fulton (Jan 20)
    - I was scaned C. (Jan 20)
    - Re: I was scaned Robert Graham (Jan 22)
    - Re: I was scaned Jose Nazario (Jan 23)
    - Re: I was scaned Gene Harris (Jan 23)

(Thread continues...)