PaulDotCom mailing list archives
Re: Port scan from facebook
From: Don Pandori <dpinfosecurity () gmail com>
Date: Fri, 17 Aug 2012 11:24:57 -0400
They must have some sort of lookup going on. I've accessed via Tor and got presented with some additional authentication pages. Don On 8/11/2012 1:21 PM, Guillaume Ross wrote:
I'm not a Facebook user so I can't easily test, but is it possible that Facebook has anti-spam and anti-botnet processes that will scan your IP in order to know if it is an open proxy? Maybe that happens when you have an office with NAT and multiple users coming from the same IP. Guillaume On 2012-08-09, at 1:15 PM, Wynn Fenwick <wynn () fenwicks ca <mailto:wynn () fenwicks ca>> wrote:Shaun, What IPS is it? "Coming from facebook" -- how is it determining that? What ports are being hit? Sometimes geolocation software will try multiple datagrams to your originating IP to assess the fastest data centre from which to deliver content to the requestor, but it is usually not spread across multiple TCP ports to my knowledge. The stimulus is likely a browser on your PC and your source IP is not known to Facebook (today). Another explanation is that numerous outbound TCP connections from an ephemeral source port will generate return SYN-ACK packets coming back to those multiple source ports... so perhaps your "IPS" isn't very state-aware. If the destination ports are > 1024 and are in sequence, then its likely that. Else it would be interesting to see the answers above. W On 07/08/2012 4:55 PM, Shaun Curry wrote:I have noticed some weird "stuff" coming from facebook. My IPS blocked a "Probable Port Scan" from a facebook address going directly to an internal machine. Has anyone dealt with this before? How do I stop it without totally blocking facebook? Shaun _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com <mailto:Pauldotcom () mail pauldotcom com> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- Port scan from facebook Shaun Curry (Aug 07)
- Re: Port scan from facebook Wynn Fenwick (Aug 09)
- Re: Port scan from facebook Guillaume Ross (Aug 11)
- Re: Port scan from facebook Don Pandori (Aug 17)
- Re: Port scan from facebook Nicholas B. (Aug 17)
- Re: Port scan from facebook Guillaume Ross (Aug 11)
- Re: Port scan from facebook Wynn Fenwick (Aug 09)