Re: Port scan from facebook

[Wynn Fenwick <wynn () fenwicks ca>]

Shaun,

What IPS is it?
"Coming from facebook" -- how is it determining that?
What ports are being hit?

Sometimes geolocation software will try multiple datagrams to your originating 
IP to assess the fastest data centre from which to deliver content to the 
requestor, but it is usually not spread across multiple TCP ports to my 
knowledge. The stimulus is likely a browser on your PC and your source IP is not 
known to Facebook (today).

Another explanation is that numerous outbound TCP connections from an ephemeral 
source port will generate return SYN-ACK packets coming back to those multiple 
source ports... so perhaps your "IPS" isn't very state-aware. If the destination 
ports are > 1024 and are in sequence, then its likely that.

Else it would be interesting to see the answers above.

W


On 07/08/2012 4:55 PM, Shaun Curry wrote:
> I have noticed some weird "stuff" coming from facebook.  My IPS blocked a 
> "Probable Port Scan" from a facebook address going directly to an internal 
> machine.  Has anyone dealt with this before?  How do I stop it without totally 
> blocking facebook?
>
> Shaun
>
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com