Re: your mail

[jerm <jerm () DGS NET>]

Could it be people hiding their nefarious probes within a net-wide
"cloud" of legitimate probes from load balancing systems?

On Thu, 26 Oct 2000, Abe Getchell wrote:

> Hello all,
>       I just heard back from http://www.insnet.net/ this morning.  Request
> and response below.
>
> -------------------------------------------------------------------------
> Hello,
>       We are seeing a massive amount of connections coming from
> 194.205.125.26 that are being dropped by our firewall.  The machine in
> question is attempting to establish TCP connections to port 1024 on a number
> of different machines inside our network.  I have included a
> (large - 351K) log from our firewall for a 24 hour period detailing this
> activity.  All times in the log are Eastern Standard Time here in the
> states.  If you have any questions or require any additional information,
> please feel free to contact me by e-mail or voice at the address or number
> listed in my sig.
>
> Thanks,
> Abe
>
> Abe L. Getchell - Security Engineer
> Division of System Support Services
> Kentucky Department of Education
> Voice   502-564-2020x225
> E-mail  agetchel () kde state ky us
> Web     http://www.kde.state.ky.us/
> ---------------------------------------------------------------------------
>
> ---------------------------------------------------------------------------
> The activity you describe is a result of our global load balancer. When a
> client behind your DNS server makes a request to one of our customer's
> sites, our load balancer has all of our sites send out an rtt packet to
> see which site is closest to the client's DNS server. The decision is then
> made as to which site the client's request will be sent. This is a
> function of Cisco's Distributed Director and in no way an attempt to disrupt
> your network. In
> fact, the clients requests are answered quicker and their web pages
> delivered much quicker as a result. The packet is sent out on port 1024 as
> many firewalls block port 53, which is the default port, as a safeguard
> against DNS zone transfers outside their network and we didn't want the
> impression we were tying to actually get into the DNS box on port 53. A
> handshake is not
> required by the Distributed Director, since the original request is from
> one of your clients. This is why the Distributed Director treats it as if
> it were an established connection, hence the ACK ....
>
> I hope this clarifies things. If you have any further questions, please
> direct them to networks () mirror-image com
>
> We apologize for any confusion.
> ----------------------------------------------------------------------------
>
>       This would make sense, especially because we're not seeing the SYNs,
> just the ACKs.  It also hits on exactly what Neil sent out to the list
> yesterday... even from the same company.  However, I'm not sure why I would
> be seeing 109 of these requests, in 4 seconds, at 3:09am EST.  It also
> doesn't explain why I would be seeing these requests from machines which are
> obviously 'home machines' on DSL lines and cable modems.  Maybe we are
> seeing two problems as one?
>
> Thanks,
> Abe
>
> Abe L. Getchell - Security Engineer
> Division of System Support Services
> Kentucky Department of Education
> Voice   502-564-2020x225
> E-mail  agetchel () kde state ky us
> Web     http://www.kde.state.ky.us/