Security Incidents mailing list archives

IMesh Scans from 209.225.26.19 and 216.35.208.153


From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Mon, 26 Feb 2001 14:20:48 -0800

I was analysing some of the more strange traffic patterns from last week's
logs when I came across these:

  23Feb2001  8:43:39 accept >qfe3  tcp 192.168.AAA.BBB:1436 -> 216.35.208.153:5000 44 (DDD.EEE.FFF.GGG:53596 -> 216.35.208.153:5000)
  23Feb2001  8:43:50   drop >hme0  tcp 216.35.208.153:51851 -> DDD.EEE.FFF.GGG:4456 44
  23Feb2001  8:43:56   drop >hme0  tcp 216.35.208.153:51869 -> DDD.EEE.FFF.GGG:4329 44
  23Feb2001  8:44:02   drop >hme0  tcp 216.35.208.153:51882 -> DDD.EEE.FFF.GGG:4500 44
  23Feb2001  8:44:08   drop >hme0  tcp 216.35.208.153:51896 -> DDD.EEE.FFF.GGG:5000 44
  23Feb2001  8:44:14   drop >hme0  tcp 216.35.208.153:51916 -> DDD.EEE.FFF.GGG:5500 44
  23Feb2001  8:44:20   drop >hme0  tcp 216.35.208.153:51932 -> DDD.EEE.FFF.GGG:X11 44
  23Feb2001  8:44:25   drop >hme0  tcp 216.35.208.153:51948 -> DDD.EEE.FFF.GGG:6500 44
  23Feb2001  8:44:31   drop >hme0  tcp 216.35.208.153:51962 -> DDD.EEE.FFF.GGG:7000 44
  23Feb2001  8:44:36   drop >hme0  tcp 216.35.208.153:51972 -> DDD.EEE.FFF.GGG:7500 44
  23Feb2001  8:44:42   drop >hme0  tcp 216.35.208.153:51981 -> DDD.EEE.FFF.GGG:http 44

  23Feb2001 13:31:09 accept >qfe3  tcp 192.168.AAA.CCC:1459 -> 209.225.26.19:5000 44 (DDD.EEE.FFF.GGG:20653 -> 209.225.26.19:5000)
  23Feb2001 13:31:13   drop >hme0  tcp 209.225.26.19:60461 -> DDD.EEE.FFF.GGG:4923 44
  23Feb2001 13:31:19   drop >hme0  tcp 209.225.26.19:60471 -> DDD.EEE.FFF.GGG:4329 44
  23Feb2001 13:31:25   drop >hme0  tcp 209.225.26.19:60482 -> DDD.EEE.FFF.GGG:4500 44
  23Feb2001 13:31:31   drop >hme0  tcp 209.225.26.19:60489 -> DDD.EEE.FFF.GGG:5000 44
  23Feb2001 13:31:38   drop >hme0  tcp 209.225.26.19:60499 -> DDD.EEE.FFF.GGG:5500 44
  23Feb2001 13:31:44   drop >hme0  tcp 209.225.26.19:60512 -> DDD.EEE.FFF.GGG:X11 44
  23Feb2001 13:31:50   drop >hme0  tcp 209.225.26.19:60523 -> DDD.EEE.FFF.GGG:6500 44
  23Feb2001 13:31:57   drop >hme0  tcp 209.225.26.19:60532 -> DDD.EEE.FFF.GGG:7000 44
  23Feb2001 13:32:03   drop >hme0  tcp 209.225.26.19:60542 -> DDD.EEE.FFF.GGG:7500 44
  23Feb2001 13:32:09   drop >hme0  tcp 209.225.26.19:60555 -> DDD.EEE.FFF.GGG:http 44

What we are seeing is an internal user connecting to port 5000 of the
external machine. The internal user's RFC1918 IP address is NATed. The
external IMesh "server" then replies with a scan of the NATed source
address (at least it looks like the internal client is not passing its
IP address through at the application layer).

I have managed to associate both of these with IMesh.com filesharing.
However, I have been unable to find information about how their protocol
actually works and whether these scans are "normal." Is the remote peer
trying to find out if we are sharing? Why do the two scans differ slightly,
but also look very similar?

Any pointers to more info would be appreciated. Thanks.
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
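
One way to check a larger log for the pattern described in the post, as an added example that is not part of the original message: it parses FireWall-1 style lines like the ones quoted above and reports any NATed outbound accept that is followed, within a short window, by a burst of inbound drops from the same peer aimed at the translated (public) source address. The internal host 192.168.1.10, the public address 203.0.113.7 and the second peer 198.51.100.20 in the embedded sample are constructed placeholders; only 216.35.208.153 and the probed ports come from the post.

```python
"""Correlate outbound accepts with inbound drop bursts from the same peer.

Added example for FireWall-1 style log lines. The sample log below is
constructed: 192.168.1.10 / 203.0.113.7 / 198.51.100.20 are placeholders;
216.35.208.153 and the port list are taken from the mailing-list post.
"""
import re
from datetime import datetime, timedelta

# One log line. The optional parenthesised tail on accept lines records the
# NAT translation as (public_src:port -> dst:port).
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}[A-Za-z]{3}\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<action>accept|drop)\s+>(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\S+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\S+)\s+(?P<length>\d+)"
    r"(?:\s+\((?P<nat_src>[\d.]+):(?P<nat_sport>\S+)\s+->\s+"
    r"(?P<nat_dst>[\d.]+):(?P<nat_dport>\S+)\))?\s*$"
)

# Constructed sample: one IMesh-style exchange (accept + ten probes) and one
# ordinary web connection followed by a single stray drop, which must not fire.
SAMPLE_LOG = """\
23Feb2001  8:43:39 accept >qfe3  tcp 192.168.1.10:1436 -> 216.35.208.153:5000 44 (203.0.113.7:53596 -> 216.35.208.153:5000)
23Feb2001  8:43:50   drop >hme0  tcp 216.35.208.153:51851 -> 203.0.113.7:4456 44
23Feb2001  8:43:56   drop >hme0  tcp 216.35.208.153:51869 -> 203.0.113.7:4329 44
23Feb2001  8:44:02   drop >hme0  tcp 216.35.208.153:51882 -> 203.0.113.7:4500 44
23Feb2001  8:44:08   drop >hme0  tcp 216.35.208.153:51896 -> 203.0.113.7:5000 44
23Feb2001  8:44:14   drop >hme0  tcp 216.35.208.153:51916 -> 203.0.113.7:5500 44
23Feb2001  8:44:20   drop >hme0  tcp 216.35.208.153:51932 -> 203.0.113.7:X11 44
23Feb2001  8:44:25   drop >hme0  tcp 216.35.208.153:51948 -> 203.0.113.7:6500 44
23Feb2001  8:44:31   drop >hme0  tcp 216.35.208.153:51962 -> 203.0.113.7:7000 44
23Feb2001  8:44:36   drop >hme0  tcp 216.35.208.153:51972 -> 203.0.113.7:7500 44
23Feb2001  8:44:42   drop >hme0  tcp 216.35.208.153:51981 -> 203.0.113.7:http 44
23Feb2001  9:10:00 accept >qfe3  tcp 192.168.1.11:1500 -> 198.51.100.20:80 44 (203.0.113.7:53700 -> 198.51.100.20:80)
23Feb2001  9:10:05   drop >hme0  tcp 198.51.100.20:40000 -> 203.0.113.7:4500 44
"""


def parse_log(text):
    """Turn log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%d%b%Y %H:%M:%S")
        events.append(ev)
    return events


def find_reverse_scans(events, window=timedelta(minutes=2), min_ports=5):
    """For each NATed outbound accept, gather inbound drops from the peer it
    connected to, aimed at the translated source address, within `window`.
    A burst touching at least `min_ports` distinct ports becomes a finding;
    a lone stray drop stays below the threshold."""
    findings = []
    for acc in events:
        if acc["action"] != "accept" or acc["nat_src"] is None:
            continue
        peer, public = acc["dst"], acc["nat_src"]
        hits = sorted(
            (ev for ev in events
             if ev["action"] == "drop"
             and ev["src"] == peer
             and ev["dst"] == public
             and acc["ts"] <= ev["ts"] <= acc["ts"] + window),
            key=lambda ev: ev["ts"],
        )
        ports = sorted({ev["dport"] for ev in hits})
        if len(ports) < min_ports:
            continue
        findings.append({
            "internal_host": acc["src"],
            "public_addr": public,
            "peer": peer,
            "trigger_port": acc["dport"],
            "scanned_ports": ports,
            "probe_count": len(hits),
            "first_probe_after_s": int((hits[0]["ts"] - acc["ts"]).total_seconds()),
        })
    return findings


if __name__ == "__main__":
    for finding in find_reverse_scans(parse_log(SAMPLE_LOG)):
        print(finding)
```

Correlating on the translated address rather than the internal one is the point: the probes can only be tied back to the user who triggered them through the NAT record on the accept line, so the window and port threshold should be tuned against how quickly the firewall rotates NAT ports.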
