Security Incidents mailing list archives

Issues with Yahoo! Voice Chat


From: Kristy Westphal <westpk () BUZZEO COM>
Date: Wed, 18 Oct 2000 11:11:50 -0700

Hello!

We seem to have encountered an issue with Yahoo! Voice chat, and I was
wondering if anyone else has seen this as well.  Here is the pattern we are
seeing:

Something within our network initiates a session with one of the various
voice chat servers hosted at Exodus.Net.  I say "something" because I have
tracked down a few of the people who are initiating the traffic (reliable
sources), and they say that they aren't even using voice chat or even chat!
What happens is that once the conversation is initiated (from either TCP
source port 5000 or 5001 to some 60000 port at Exodus), the
designated voice chat server comes back bombarding us with UDP packets
(source port 5000, dest port some 60000 variation) for several hours.  It
acts like kind of a mini-DoS as the packets all get rejected at the
firewall.  The only initiating packet I can capture seems to be a TCP ACK
packet going to port 5001 on the voice chat server, nothing else.  Following
is a summary of some of what we have seen over the past several weeks:

Source         First                Last                 Type              Port   Protocol  # of Attempts
209.1.225.171  10/06/2000 13:27:48  10/06/2000 15:05:33  Denied Packet(s)  62458  udp       16115
209.1.225.171  10/06/2000 15:53:59  10/06/2000 16:28:24  Denied Packet(s)  63218  udp       10351
209.1.225.115  10/06/2000 16:37:42  10/06/2000 18:20:42  Denied Packet(s)  64457  udp       22859
209.1.225.115  10/10/2000 13:43:50  10/10/2000 19:33:03  Denied Packet(s)  64378  udp       17856
209.1.225.171  10/11/2000 08:10:30  10/11/2000 08:23:24  Denied Packet(s)  64763  udp       606
209.1.225.115  10/11/2000 13:17:40  10/11/2000 16:28:44  Denied Packet(s)  62876  udp       41035
209.1.225.171  10/11/2000 17:31:10  10/11/2000 17:53:24  Denied Packet(s)  61566  udp       8787
209.1.225.115  10/12/2000 07:50:51  10/12/2000 08:13:30  Denied Packet(s)  62403  udp       3913
209.1.225.115  10/12/2000 13:46:56  10/12/2000 14:43:05  Denied Packet(s)  63349  udp       5945
209.1.225.115  10/13/2000 11:59:00  10/13/2000 12:01:13  Denied Packet(s)  62182  udp       646
209.1.225.116  10/13/2000 12:01:38  10/13/2000 12:11:32  Denied Packet(s)  62781  udp       3146
209.1.225.116  10/13/2000 12:17:46  10/13/2000 13:11:57  Denied Packet(s)  64083  udp       4149
209.1.225.116  10/13/2000 15:08:45  10/13/2000 16:05:36  Denied Packet(s)  62804  udp       20527
209.1.225.115  10/13/2000 16:11:14  10/13/2000 16:45:46  Denied Packet(s)  63807  udp       6903
209.1.225.116  10/13/2000 17:00:35  10/13/2000 17:19:42  Denied Packet(s)  62605  udp       347
209.1.225.116  10/13/2000 17:31:23  10/13/2000 17:35:59  Denied Packet(s)  64925  udp       1874
209.1.225.116  10/16/2000 09:11:31  10/16/2000 09:22:52  Denied Packet(s)  63613  udp       3985
209.1.225.172  10/16/2000 09:25:17  10/16/2000 09:49:42  Denied Packet(s)  61046  udp       140
209.1.225.116  10/16/2000 10:07:20  10/16/2000 13:02:05  Denied Packet(s)  62057  udp       6935
209.1.225.172  10/16/2000 13:27:20  10/16/2000 13:44:51  Denied Packet(s)  64087  udp       1034
209.1.225.172  10/16/2000 14:17:22  10/16/2000 14:48:49  Denied Packet(s)  63723  udp       1578
209.1.225.172  10/16/2000 14:53:32  10/16/2000 15:00:35  Denied Packet(s)  61367  udp       1492
209.1.225.172  10/16/2000 15:06:23  10/16/2000 15:08:17  Denied Packet(s)  62517  udp       283
209.1.225.116  10/16/2000 15:12:54  10/16/2000 15:37:59  Denied Packet(s)  63423  udp       1290
209.1.225.173  10/16/2000 16:04:19  10/16/2000 17:23:53  Denied Packet(s)  63645  udp       1623
209.1.225.172  10/17/2000 15:14:32  10/17/2000 15:54:37  Denied Packet(s)  61906  udp       3069
209.1.225.173  10/17/2000 16:01:56  10/17/2000 16:55:04  Denied Packet(s)  64068  udp       6617
209.1.225.173  10/17/2000 14:14:18  10/17/2000 15:11:27  Denied Packet(s)  62985  udp       15076
209.1.225.173  10/17/2000 13:59:56  10/17/2000 14:11:34  Denied Packet(s)  63365  udp       4447

My questions are these:
1) Has anyone else experienced this problem? If so,
2) How did you effectively stop this type of traffic - or did you?

We don't want to completely block Yahoo Chat, nor do we necessarily want to
block these voice chat sites.  I have contacted Exodus, and they are saying
that this is normal traffic for a voice chat session.  My gut feeling is
that there is some sort of bug in Yahoo's software or other web site because
I can't confirm that we are even using it here (can't deny totally
either - but this behavior seems highly abnormal to me!!!)
Ideas?  Any help would be appreciated.

Thanks!!

Kristy Westphal
Security Administrator
Buzzeo

Buzzeo--Embracing the Internet
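
Added example, not part of the original post: a short Python script that re-assembles a line-wrapped firewall summary like the one above into sessions and computes each session's duration and average denied-packet rate, so the volume of the UDP return traffic can be compared across sources. The sample holds four rows copied from the post's summary; the function names and the ten-fields-per-row layout are this example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Four rows copied from the post's summary, wrapped the way a mail client leaves them.
SAMPLE = """\
209.1.225.171 10/06/2000 13:27:48 10/06/2000 15:05:33 Denied Packet(s) 62458
udp 16115 209.1.225.115 10/11/2000 13:17:40 10/11/2000 16:28:44 Denied
Packet(s) 62876 udp 41035 209.1.225.172 10/16/2000 15:06:23 10/16/2000
15:08:17 Denied Packet(s) 62517 udp 283
209.1.225.171 10/11/2000 08:10:30 10/11/2000 08:23:24 Denied Packet(s) 64763
udp 606
"""

# Assumed layout: source, first date+time, last date+time,
# "Denied", "Packet(s)", port, protocol, count.
FIELDS_PER_ROW = 10
STAMP = "%m/%d/%Y %H:%M:%S"


def parse_summary(text):
    """Turn the wrapped summary into one dict per session, ignoring line breaks."""
    tokens = text.split()
    if len(tokens) % FIELDS_PER_ROW:
        raise ValueError("token count is not a multiple of %d" % FIELDS_PER_ROW)
    sessions = []
    for i in range(0, len(tokens), FIELDS_PER_ROW):
        src, d1, t1, d2, t2, _, _, port, proto, count = tokens[i:i + FIELDS_PER_ROW]
        first = datetime.strptime(d1 + " " + t1, STAMP)
        last = datetime.strptime(d2 + " " + t2, STAMP)
        seconds = (last - first).total_seconds()
        packets = int(count)
        sessions.append({
            "source": src, "port": int(port), "protocol": proto,
            "packets": packets, "seconds": seconds,
            # Average rate over the window; a zero-length window reports the raw count.
            "pps": round(packets / seconds, 2) if seconds else float(packets),
        })
    return sessions


def totals_by_source(sessions):
    """Sum denied packets and count sessions per source address."""
    out = defaultdict(lambda: {"sessions": 0, "packets": 0})
    for s in sessions:
        out[s["source"]]["sessions"] += 1
        out[s["source"]]["packets"] += s["packets"]
    return dict(out)


if __name__ == "__main__":
    for s in parse_summary(SAMPLE):
        print("{source:15} {protocol} port {port} {packets:6d} pkts "
              "{seconds:7.0f}s {pps:6.2f} pps".format(**s))
```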

