Security Incidents mailing list archives

WebTV -- RE: Port probe on 6666


From: "PARKIN, MICHAEL M (PBI)" <mparkin () PBI NET>
Date: Fri, 28 Jul 2000 14:24:30 -0500

I know that a number of the larger services, AOL, WebTV, Prodigy, etc.,
subcontract local numbers from local ISPs.  As far as I know, they are all
DHCP clients and get their IP number from the local ISP's DHCP server.  In
some cases, the WebTV (or other) user will call into a specific modem bank
and receive an IP number from within the WebTV IP space.  In other cases,
they'll use a shared IP pool and reverse lookup would be whatever it is
with the host ISP.  (I haven't dug into this very far, so I'm obviously not
100% sure this is the way it works.)

I suspect this "lingering connection" comes from cases where they are using
a shared IP space.  It could very well be exactly what WebTV claims.  I know
that lingering connections from on-line-game servers (Quake, Diablo, Unreal,
Freespace, etc.) are very common in DHCP spaces.  If the person who last had
your IP was playing Evercrack, it may take a while for the server to realize
that you aren't them.

Mike Parkin
Network Reliability Center
SBC Internet Services
415.442.5108


-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On
Behalf Of Bill Pennington
Sent: Thursday, July 27, 2000 2:45 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Port probe on 6666


It is my understanding that WebTV clients use standard ISPs for dial-up.
I might be wrong since I have never touched one in my life. This would
explain why you might have gotten an IP that was once used by a WebTV
client.

Their explanation seems very reasonable and I would think of no reason to
doubt them (besides the fact that it is M$ :-) )

According to the e-mail you received, port 6666 is used for WebTV notify
service, whatever that is.

"Vachon, Scott" wrote:

I hope this is the right forum for posting this. I had an attempt to connect
to one of my systems last night and I am interested in opinions/insight from
the incidents group.

Information captured:

An attempt was made to connect to port 6666 from the below listed IP address:

notify-108.iap.bryant.webtv.net  209.240.199.146 on port 6666 UDP port 36063.

I contacted the security folks at WebTV (Microsoft) and received the
following response:

There is a common misunderstanding concerning UDP Port 6666 probes.

When WebTV Clients obtain an IP Address they are registered with that
IP-Address in our system and stay registered until a timeout threshold is
reached or are re-registered with a different IP-Address (whichever comes
first.) If another system (Non-WebTV) obtains this same IP-Address
previously used by a WebTV Client it may receive packets from our notify
service attempting to tell the WebTV client it has mail.

***
Security Analyst
Microsoft

Questions:

1) What is port 6666 (UDP port 36063) used for, if anything?
2) Since the affected host (non WebTV) is not on the WebTV network, why
would WebTV assume my host had been assigned an IP used formerly by one of
their hosts?
3) Has anyone else had this same experience from a WebTV host or service?

Thanks in advance.

Scott Vachon
Network Implementations Engineer
Computer Network Services
Paymentech, Inc.

--


Bill Pennington
Senior IT Manager
Rocketcash
billp () rocketcash com
http://www.rocketcash.com

