Nevin Nobles wrote:
> 
> > From: Ng, Alex [SMTP:[EMAIL PROTECTED]]
> > Sent: Monday, June 07, 1999 11:05 AM
> > Subject:      RE: Probable attack from your domain
> >
> > Dear Sir,
> >
> >       We are currently using the product GlobalDispatch from Resonate Inc.
> > for our Wide Area Data Distribution.  Please see the letter below for a
> > detailed explanation of this product.  Thanks.
> >
> > Sincerely,
> >
> > Alex Ng
> >
> >
> > --------------------
> >
> > Hello Sir,
> >
> > Alex at Doubleclick asked us to work with you regarding this ticket.
> >
> > We have reason to believe that the reports you've received regarding
> > these three machines being compromised are a misunderstanding as a result
> > of our enterprise traffic management software: Global Dispatch.  Global
> > Dispatch is a WAN-based scheduler that makes it easy to place content
> > close to geographically dispersed users and intelligently directs requests
> > to the best-suited Point of Presence (POP).
> >
> > In the course of determining the best-suited POP, Global Dispatch performs
> > a latency measurement.  This latency measurement is done by making a
> > connection to the client DNS server on TCP port 7 and then dropping the
> > connection.  After the latency measurement has been done, the latency
> > values are cached, and the IP of the most responsive POP is returned to
> > the requesting machine.
> >
> > I hope this helps clear up the confusion.  We are looking into other ways
> > to perform this latency measurement, and hope we have not caused you any
> > inconvenience.
> >
> > --
> > Resonate Technical Support <[EMAIL PROTECTED]>
> >

Resonate & Nevin, (cc'd to firewall list for constructive criticism)

The GlobalDispatch technology connects to TCP port 7, which 
is not DNS as described above.  I have it listed as the Echo
protocol.

May I suggest that you look into using ping or icmp for doing 
response times for general host response time.  I don't log pings 
personally, and I doubt firewall admins do in general 
 ( list feedback ??)

Also try traceroute, as you could then get all the way up to the 
firewall in many instances before being blocked, and you would still 
have fulfilled your need.  Again, I don't bother logging 
traceroutes either.

In my original abuse report the product looked like an nmap attack
and I'm sure you don't want it to be like that. :)

Firewall list: am I just being uptight?  Should I be logging
incoming traffic on TCP port 7 and taking it seriously?  Is this
the first technology I've seen make use of that port?  Just a 
part of many very long probes looked like this:

(1) Jun  7 04:06:55 router 27 deny: TCP from 199.95.207.91.36197 to 209.67.152.115.7 
seq DBAD4582, ack 0x0, win 8760, SYN 
(1) Jun  7 04:06:55 router 27 deny: TCP from 199.95.208.85.63804 to 209.67.152.115.7 
seq 3142B330, ack 0x0, win 8760, SYN 
(1) Jun  7 04:06:55 router 27 deny: TCP from 199.95.208.85.63805 to 209.67.152.115.7 
seq 31446932, ack 0x0, win 8760, SYN 
(1) Jun  7 04:06:55 router 27 deny: TCP from 199.95.208.85.63806 to 209.67.152.115.7 
seq 3146299F, ack 0x0, win 8760, SYN 
(1) Jun  7 04:06:55 router 27 deny: TCP from 207.239.35.71.61158 to 209.67.152.115.7 
seq 480350F4, ack 0x0, win 8760, SYN 
(1) Jun  7 04:06:55 router 27 deny: TCP from 207.239.35.71.61159 to 209.67.152.115.7 
seq 48042008, ack 0x0, win 8760, SYN 
(1) Jun  7 04:06:55 router 27 deny: TCP from 208.32.211.71.40422 to 209.67.152.115.7 
seq BB9B26CB, ack 0x0, win 8760, SYN 
(1) Jun  7 04:06:55 router 27 deny: TCP from 208.32.211.71.40423 to 209.67.152.115.7 
seq BB9B5785, ack 0x0, win 8760, SYN 
(1) Jun  7 04:06:55 router 27 deny: TCP from 209.67.38.50.35738 to 209.67.152.115.7 
seq E7CA572B, ack 0x0, win 8760, SYN 
(1) Jun  7 04:06:55 router 27 deny: TCP from 209.67.38.50.35739 to 209.67.152.115.7 
seq E7CADA96, ack 0x0, win 8760, SYN 
(1) Jun  7 04:06:55 router 27 deny: TCP from 209.67.38.50.35740 to 209.67.152.115.7 
seq E7CAE010, ack 0x0, win 8760, SYN 
(1) Jun  7 04:06:55 router 27 deny: TCP from 209.67.38.50.35741 to 209.67.152.115.7 
seq E7CAEC0E, ack 0x0, win 8760, SYN 
(1) Jun  7 04:06:55 router 27 deny: TCP from 209.67.38.50.35742 to 209.67.152.115.7 
seq E7CCD5AA, ack 0x0, win 8760, SYN 
(1) Jun  7 04:06:55 router 27 deny: TCP from 209.67.38.50.35743 to 209.67.152.115.7 
seq E7CD08A6, ack 0x0, win 8760, SYN 

-- Joshua
___________________________________________________________________
Joshua Chamas                      Chamas Enterprises Inc.
NODEWORKS - web link monitoring    Long Beach, CA    1-562-432-2469
http://www.nodeworks.com           http://www.chamas.com
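As an added defender-side example (not code from the post, from Resonate, or from the list), here is a small Python parser for the router deny-log format shown above; it groups port-7 SYNs by second and destination host and flags the many-sources-to-one-port fan-out that distinguishes the latency probe described in the thread from a classic one-source, many-port scan. The threshold and the single non-port-7 sample entry are constructed assumptions.

```python
import re
from collections import defaultdict

# Deny-log line format from the post.  SAMPLE_LOG reuses five entries from the
# post (joined onto one line each) plus one constructed port-23 entry.
LOG_RE = re.compile(
    r"^\(\d+\)\s+(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+\d+\s+deny:\s+TCP\s+from\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+to\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)\s+seq\s+\S+,\s+ack\s+\S+,"
    r"\s+win\s+\d+,\s+(?P<flags>.+?)\s*$"
)

SAMPLE_LOG = [
    "(1) Jun  7 04:06:55 router 27 deny: TCP from 199.95.207.91.36197 to 209.67.152.115.7 seq DBAD4582, ack 0x0, win 8760, SYN",
    "(1) Jun  7 04:06:55 router 27 deny: TCP from 199.95.208.85.63804 to 209.67.152.115.7 seq 3142B330, ack 0x0, win 8760, SYN",
    "(1) Jun  7 04:06:55 router 27 deny: TCP from 199.95.208.85.63805 to 209.67.152.115.7 seq 31446932, ack 0x0, win 8760, SYN",
    "(1) Jun  7 04:06:55 router 27 deny: TCP from 207.239.35.71.61158 to 209.67.152.115.7 seq 480350F4, ack 0x0, win 8760, SYN",
    "(1) Jun  7 04:06:55 router 27 deny: TCP from 208.32.211.71.40422 to 209.67.152.115.7 seq BB9B26CB, ack 0x0, win 8760, SYN",
    # constructed: a telnet SYN that the port-7 filter must ignore
    "(1) Jun  7 04:06:55 router 27 deny: TCP from 209.67.38.50.35744 to 209.67.152.115.23 seq 00000000, ack 0x0, win 8760, SYN",
]

def parse_line(line):
    """Return the fields of one deny line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def summarize_port(lines, port=7):
    """Group denied SYNs to `port` by (timestamp, destination host); record the
    distinct source hosts and the SYN count for each group."""
    groups = defaultdict(lambda: {"sources": set(), "syns": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != port or "SYN" not in rec["flags"]:
            continue
        g = groups[(rec["ts"], rec["dst"])]
        g["sources"].add(rec["src"])
        g["syns"] += 1
    return {k: {"sources": sorted(v["sources"]), "syns": v["syns"]}
            for k, v in groups.items()}

def classify(summary, min_sources=3):
    """Many distinct sources hitting one host on one port within the same second
    is the fan-out shape of the latency probe; a lone SYN is just noise to review.
    The min_sources threshold is an assumption for this example."""
    return {key: ("distributed single-port probe" if len(g["sources"]) >= min_sources
                  else "isolated connection attempt")
            for key, g in summary.items()}
```

Running summarize_port over a real deny log and sorting groups by source count gives a quick view of whether port-7 noise is the distributed probe or something worth an abuse report.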
