Weird Traffic from www.eyeblaster-bs.com

["Jeremy Junginger" <jj () act com>]

Good Afternoon,

I am seeing some strange traffic from www.eyeblaster-bs.com on both
network and host based IDS.  More specifically, I'm seeing TCP port 80
(http) traffic from multiple internal clients to
http://www.eyeblaster-bs.com/BurstingPipe and
http://www.eyeblastrer-bs.com/BurstingPipe.asp?param=% .  So far, it
looks like normal surfing....well...almost.  The strange thing is that I
have seen traffic that appears to be sourced from this server to clients
(dest port 80) on the Internal Network (which should be relatively
protected as they use Port Address Translation, not to mention that port
80 is not allowed to those client machines).  I've seen this URL
mentioned on several usage reports, but have not seen any explanations
about what it is.  Let me know what you think.

Here are some of the other networks that have seen traffic TO this
server:
http://www.olc.edu/~bbump/usage/ns1/7th/url_200211.html
http://network.ci.seekonk.ma.us/WebUsage/Library/url_200212.html
http://www.bsafehome.com/historyreport.asp


-Jeremy

These are not the packets you're looking for...You can go about your
business.....Move along....
:-)

----------------------------------------------------------------------------
----------------------------------------------------------------------------