Victor,

I believe you are correct.  After reading the banter going back and
forth, and recalling previous posts (about that DAMN X10 popup) I
reviewed my log.  The log entries are bursts of hundreds in the same few
seconds.  Must have been while I was on MyYahoo.  I remember getting the
X10 and Casino popups.  Is there any way we can reverse "SPAM" them to
stop this ridiculous traffic?

Read this:
http://www.cisco.com/warp/public/cc/pd/cxsr/dd/tech/dd_wp.htm
This and another appliance called BIG/Ip could very well be the source
of this traffic.

Here is another one about an ISP using this technology...
http://lists.insecure.org/incidents/2001/May/0096.html

And then to close the loop, the above ISP is using the Cisco product...
http://lists.insecure.org/incidents/2001/May/0159.html

Nice huh?


Sean

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Victor
McAllisteer
Sent: Sunday, December 09, 2001 8:30 PM
To: leaf-user
Subject: Re: [Leaf-user] What is This


Matthew Schalit wrote:

> Victor McAllisteer wrote:
> >
>
> > This is some crazy method of geographic load balancing.  A whole lot of
> > boxes use TCP port 53 simultaneously to find out what part of the world.
>
> Victor, wouldn't the load balancing we've seen over the
> last months that hits port 53 by SYN traffic?  Why
> are all his log entries referring to non-SYN traffic,
> i.e. responses?
>
> Matthew

There was a lot of list traffic back in May on the LRP list concerning
this port 53 weirdness.  My understanding is that tcp port 53 to port 53
is usually a zone transfer.  Leaf boxes running tiny DNS will not respond
to tcp queries.

I believe a number of list members analyzed this stuff using resources
beyond just the log entries.  It comes all at once from many different
IPs.

The same IPs always show up repeatedly in the space of a few seconds.

They fill the logs - often with 600 DENYs in a period of 10 seconds or
less.

Someone traced the ownership of the machines.  Apparently it is some
sort of proprietary method of determining which machine you are closest
to geographically so they can serve up some pop up ad efficiently (for
them).

DENY (no response) doesn't seem to prevent the pop up ads.  Perhaps if
they can't get you to send them back a packet, they end up serving the
pop up from some default machine.  Those who pay for this "technology"
should have their head examined.



_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
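
Added example (not part of the original thread or the LEAF project): a Python sketch that finds the bursts described above, i.e. denied non-SYN TCP packets from port 53 to port 53 arriving from several sources within about 10 seconds. The ipchains-style log format, the thresholds, the year and the function names are assumptions; the sample lines and addresses are constructed.

```python
import re
from datetime import datetime

# Assumed ipchains-style kernel log line; the thread does not show its log format.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: \S+ DENY \S+ "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"[\d.]+:(?P<dport>\d+) .*?T=\d+(?P<syn> SYN)?"
)

def dns_tcp_replies(lines, year=2001):
    """Yield (time, source) for denied non-SYN TCP packets from port 53 to port 53."""
    for line in lines:
        m = LINE.match(line)
        if not m or m["syn"] or (m["proto"], m["sport"], m["dport"]) != ("6", "53", "53"):
            continue  # keep only non-SYN TCP (protocol 6), port 53 to port 53
        # syslog timestamps carry no year, so the caller supplies one (assumed 2001)
        yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["src"]

def find_bursts(lines, window=10, min_hits=10, min_sources=2, year=2001):
    """Group matching packets into spans of `window` seconds; report the dense ones."""
    events = sorted(dns_tcp_replies(lines, year))
    groups, current = [], []
    for ts, src in events:
        # start a new group once an event is more than `window` s after the group's first
        if current and (ts - current[0][0]).total_seconds() > window:
            groups.append(current)
            current = []
        current.append((ts, src))
    if current:
        groups.append(current)
    bursts = []
    for group in groups:
        sources = sorted({src for _, src in group})
        if len(group) >= min_hits and len(sources) >= min_sources:
            bursts.append((group[0][0], group[-1][0], len(group), sources))
    return bursts

def sample_log():
    """Constructed sample: 12 replies from 3 sources in 4 seconds, plus two decoys."""
    fmt = ("Dec  9 20:01:{:02d} fw kernel: Packet log: input DENY eth0 PROTO=6 "
           "{}:{} 192.0.2.10:53 L=44 S=0x00 I=0 F=0x0000 T=240{} (#12)")
    lines = [fmt.format(10 + i % 4, f"198.51.100.{1 + i % 3}", 53, "") for i in range(12)]
    lines.append(fmt.format(40, "203.0.113.7", 4321, " SYN"))  # SYN from a high port: ignored
    lines.append(fmt.format(55, "198.51.100.1", 53, ""))       # lone packet: below threshold
    return lines

if __name__ == "__main__":
    print(find_bursts(sample_log()))
```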

