Re: Unusual port scan?

From: Eric Whitehill (eric_at_botbay.net)
Date: 12/29/03

    Date: Mon, 29 Dec 2003 08:56:34 -0500 (EST)
    To: J Bailes <jonas2@knology.net>
    
    

    Hello:

    Those are actually Akamai servers designed to push out content.

    From one of our Akamai contacts..

    When you connect to a web-site your browser first contacts the content
    provider (i.e. www.apple.com) and downloads an html file. This file
    contains embedded URLs that tell your browser where to find all the
    objects necessary to finish displaying the page. In the case of an
    "Akamaized" site, these URLs point to the Akamai Network. Next, your
    browser makes connections to the URLs to obtain the images or streaming
    content. Again, for an "Akamaized" site, your browser will contact an
    Akamai server to obtain the requested items. Generally a TCP server
    listens on a well-known port < 1023 (for example port 80 for HTTP), and
    a TCP client connects from a port > 1023 assigned by the operating
    system. So a connection from port 80 of the Akamai server to a high
    numbered port on your machine, is a normal HTTP transaction. TCP
    connections are made this way so that multiple connections can be made
    between a well-known port on a server and a client. For example:

    1.1.1.1 (you)                           2.2.2.2 (Akamai)
    port 1243 <---------------+---+-------> port 80 (HTTP)
                             /   /
    port 1244 <-------------/   /
    port 1245 <----------------/

    Each connection is identified by its source IP, source port,
    destination IP, and destination port.

    More than likely you had AIM/Yahoo/some other form of software running on
    your system requesting this traffic. Since I am not at your computer, if
    I were you, a full system audit may be desired.

    -Eric

    > My router logs on my personal/home machine just started receiving with these scans:
    >
    > 12/28/2003 13:05:44.133 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    >
    >
    > The scans supposedly came from:
    >
    > [Query: 81.52.250.105, Server: whois.ripe.net]
    <snip>
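
The port reasoning in the reply above, applied to router log lines in the format quoted in the question. This is an added example, not part of the original thread: the sample lines are constructed (documentation address ranges), and the function names, verdict labels and threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the router log format quoted in the post.
# Addresses are documentation ranges, not the ones from the thread.
SAMPLE_LOG = """\
12/28/2003 13:05:44.133 - 192.0.2.10 : 80 >>> 198.51.100.7 : 1800
12/28/2003 13:05:44.901 - 192.0.2.10 : 80 >>> 198.51.100.7 : 1801
12/28/2003 13:05:45.212 - 192.0.2.10 : 80 >>> 198.51.100.7 : 1802
12/28/2003 13:09:02.004 - 203.0.113.5 : 40112 >>> 198.51.100.7 : 21
12/28/2003 13:09:02.015 - 203.0.113.5 : 40113 >>> 198.51.100.7 : 23
12/28/2003 13:09:02.027 - 203.0.113.5 : 40114 >>> 198.51.100.7 : 135
12/28/2003 13:09:02.040 - 203.0.113.5 : 40115 >>> 198.51.100.7 : 445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) - (?P<src>\S+) : (?P<sport>\d+)"
    r" >>> (?P<dst>\S+) : (?P<dport>\d+)$"
)

def parse(log_text):
    """Yield (src, sport, dst, dport) for each line matching the log format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])

def classify(log_text, scan_threshold=3):
    """Group entries by source IP and label each source.

    One well-known source port going only to high local ports looks like
    a server answering client connections (the Akamai case in the reply).
    Many distinct well-known destination ports from one source looks like
    a probe of local services.
    """
    by_src = defaultdict(list)
    for src, sport, _dst, dport in parse(log_text):
        by_src[src].append((sport, dport))
    verdicts = {}
    for src, pairs in by_src.items():
        sports = {s for s, _ in pairs}
        low_dports = {d for _, d in pairs if d < 1024}
        if len(sports) == 1 and min(sports) < 1024 and not low_dports:
            verdicts[src] = "likely-server-reply"
        elif len(low_dports) >= scan_threshold:
            verdicts[src] = "possible-scan"
        else:
            verdicts[src] = "unclassified"
    return verdicts
```

A log of this kind cannot prove that a reply matched an outbound request; correlating against outbound connection records or a stateful firewall's state table settles it.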
