PaulDotCom mailing list archives
Re: Port scan from facebook
From: Wynn Fenwick <wynn () fenwicks ca>
Date: Thu, 09 Aug 2012 13:15:34 -0400
Shaun, What IPS is it? "Coming from facebook" -- how is it determining that? What ports are being hit?Sometimes geolocation software will try multiple datagrams to your originating IP to assess the fastest data centre from which to deliver content to the requestor, but it is usually not spread across multiple TCP ports to my knowledge. The stimulus is likely a browser on your PC and your source IP is not known to Facebook (today).
Another explanation is that numerous outbound TCP connections from an ephemeral source port will generate return SYN-ACK packets coming back to those multiple source ports... so perhaps your "IPS" isn't very state-aware. If the destination ports are > 1024 and are in sequence, then its likely that.
Else it would be interesting to see the answers above. W On 07/08/2012 4:55 PM, Shaun Curry wrote:
I have noticed some weird "stuff" coming from facebook. My IPS blocked a "Probable Port Scan" from a facebook address going directly to an internal machine. Has anyone dealt with this before? How do I stop it without totally blocking facebook?Shaun _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- Port scan from facebook Shaun Curry (Aug 07)
- Re: Port scan from facebook Wynn Fenwick (Aug 09)
- Re: Port scan from facebook Guillaume Ross (Aug 11)
- Re: Port scan from facebook Don Pandori (Aug 17)
- Re: Port scan from facebook Nicholas B. (Aug 17)
- Re: Port scan from facebook Guillaume Ross (Aug 11)
- Re: Port scan from facebook Wynn Fenwick (Aug 09)