Security Incidents mailing list archives

Re: Unusual port scan?


From: Eric Whitehill <eric () botbay net>
Date: Mon, 29 Dec 2003 08:56:34 -0500 (EST)

Hello:

Those are actually Akamai servers designed to push out content.

From one of our Akamai contacts...

When you connect to a web-site your browser first contacts the content
provider (i.e. www.apple.com) and downloads an html file.  This file
contains embedded URLs that tell your browser where to find all the
objects necessary to finish displaying the page.  In the case of an
"Akamaized" site, these URLs point to the Akamai Network.  Next, your
browser makes connections to the URLs to obtain the images or streaming
content.  Again, for an "Akamaized" site, your browser will contact an
Akamai server to obtain the requested items.  Generally a TCP server
listens on a well-known port < 1023 (for example port 80 for HTTP), and
a TCP client connects from a port > 1023 assigned by the operating
system.  So a connection from port 80 of the Akamai server to a high-
numbered port on your machine is a normal HTTP transaction.  TCP
connections are made this way so that multiple connections can be made
between a well-known port on a server and a client.  For example:

1.1.1.1 (you)                               2.2.2.2 (Akamai)
port 1243 <-------------+-----+---------->  port 80 (HTTP)
                       /      /
port 1244 <-----------/      /
port 1245 <-----------------/


Each connection is identified by its source IP, source port,
destination IP, and destination port.

More than likely you had AIM/Yahoo/some other form of software running on
your system requesting this traffic.  Since I am not at your computer, if
I were you, a full system audit may be desired.

-Eric


My router logs on my personal/home machine just started receiving these scans:

12/28/2003 13:05:44.133 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800


The scans supposedly came from:

[Query: 81.52.250.105, Server: whois.ripe.net]
<snip>
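The 4-tuple matching that Eric's explanation relies on, as an added example that is not part of the thread: the script parses router log lines in the format quoted above, then checks whether a "port 80 to high port" entry is the reply half of a session the local host itself opened. The local address 192.0.2.10, the second and third log lines and the table of outbound sessions are all constructed for the example (the original poster's address was masked); the function and class names are mine, not from any tool mentioned in the thread.

```python
# Added example (not from the thread): identify a "port 80 -> high port" log
# entry by its 4-tuple and decide whether it is the reply half of a connection
# the local host itself opened, which is the situation the email describes.
import re
from dataclasses import dataclass

# Format of the router log line quoted in the thread; the local address is
# assumed to be 192.0.2.10 (the original poster's address was masked).
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - "
    r"(?P<src_ip>[\d.]+) : (?P<src_port>\d+) >>> "
    r"(?P<dst_ip>[\d.]+) : (?P<dst_port>\d+)$"
)

WELL_KNOWN_MAX = 1023  # servers listen at or below 1023; clients connect from above


@dataclass(frozen=True)
class FourTuple:
    """Each TCP connection is identified by these four values."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "FourTuple":
        # Reply packets of a connection carry the same tuple with the
        # endpoints swapped.
        return FourTuple(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


def parse_line(line: str) -> tuple[str, FourTuple]:
    """Parse one router log line into (timestamp, FourTuple)."""
    m = LOG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    return m["ts"], FourTuple(m["src_ip"], int(m["src_port"]),
                               m["dst_ip"], int(m["dst_port"]))


def classify(flow: FourTuple, outbound: set[FourTuple]) -> str:
    """Decide what a logged inbound packet most likely is.

    outbound: connections the local host opened (src = local ephemeral port,
    dst = remote service port), e.g. a stateful firewall's session table.
    """
    if flow.reverse() in outbound:
        return "expected-reply"          # server answering a session we started
    if flow.src_port <= WELL_KNOWN_MAX < flow.dst_port:
        # Shaped like a reply from a service port, but nothing asked for it.
        return "unsolicited-from-service-port"
    return "unsolicited"


def audit(lines, outbound):
    """Return (timestamp, flow, verdict) for every log line."""
    return [(ts, flow, classify(flow, outbound))
            for ts, flow in (parse_line(l) for l in lines)]


# Constructed sample data: three log lines in the thread's format and a table
# of sessions the local host (192.0.2.10) opened itself.
LOG_LINES = [
    "12/28/2003 13:05:44.133 - 81.52.250.105 : 80 >>> 192.0.2.10 : 1800",
    "12/28/2003 13:05:44.140 - 81.52.250.105 : 80 >>> 192.0.2.10 : 1801",
    "12/28/2003 13:06:02.007 - 198.51.100.7 : 6000 >>> 192.0.2.10 : 1805",
]
OUTBOUND = {
    FourTuple("192.0.2.10", 1800, "81.52.250.105", 80),  # browser fetched an object
}

if __name__ == "__main__":
    for ts, flow, verdict in audit(LOG_LINES, OUTBOUND):
        print(f"{ts}  {flow.src_ip}:{flow.src_port} -> "
              f"{flow.dst_ip}:{flow.dst_port}  {verdict}")
```

A stateful firewall keeps the outbound table itself and makes this decision per packet; a plain packet log like the one quoted has no such table and records no TCP flags, so a server's SYN/ACK from port 80 and an unsolicited probe from port 80 look identical in it. That is why legitimate CDN replies can read like a scan, and why the useful follow-up is to correlate the entries against what the host was doing at that time rather than to act on the log line alone.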
