Vulnerability Development mailing list archives

Re: Unauthorized outgoing connect caught by ZA


From: Leonardo Serni <sernil () TIN IT>
Date: Sun, 15 Oct 2000 22:13:37 +0200

At 10.08 15/10/00 -0400, j nickson <jnickson () TOGETHER NET> wrote:
> Case History:  Unauthorized request from workstation to connect to Akamai.
>
> I saw some unusual activity so I stopped *all* net programs and put Zone
> Alarm (2.1.25) into LOCK.
>
> A few *minutes* later I was rewarded with:
>
> --------------------------
> The firewall has blocked Internet access to a388.g.akamai.net
> (63.160.183.233) (HTTP) from your computer.

Pardon me, but could it be that a (mostly) legitimate connection was severed
and the OS itself took charge of closing the sockets (after a suitable time)
so that Z.A. did actually intercept either a "dead connection" or an "anybody
home?" packet?

Something of the kind happens to me all the time when surfing over *sloooow*
web sites. Which are the majority, when seen from an Italian ISP line :-).

The traffic goes down, the Linux box drops the connection. After seconds, or
perhaps minutes, something on the Windows box awakens and sends out packets,
which are dropped.

Leonardo

