[Dshield] F5 3DNS/Coldwater Creek

KeithTarrant@spamcop.net
Mon Oct 14 18:33:26 GMT 2002


My understanding is that proximity probes from these sites are for load
balancing.  Determining which of their servers is closest to a computer
trying to download something from them.

The load balancing is done from different IP addresses than the associated
browsing and from the server it chooses to deliver the download, and it
doesn't always occur, which is what causes the confusion.

The idea is that the outsourcer will have duplicate files on servers
around the country and around the world.  So even if local ISPs don't
cache them, and even if customers have proxy cache turned off, we don't
have to burn up the cables from Boca Raton to Redmond every time a new
patch is put out, or a new rap video is released.  As well as Microsoft
updates, viewing real video files or downloading files from companies and
organizations who have outsourced some of their large file delivery
process can trigger this path determination process.

And a new company getting into the business will be trying to map which
servers best serve which IP addresses at different times of the day to
determine where new servers need to be placed, or for future reference
when downloads are requested.

For good public relations with their prospective paying customers (some of
us) these companies really should record why they scan each address so
they can give a reason other than, "read our website".  (Maybe have it as
a lookup on their website's contact page.)

"Read our website" is pretty lame.

- Keith
----- Original Message -----
From: "millerbn" <millerbn at chiba.dhs.org>
To: <list at dshield.org>
Sent: Sunday, October 13, 2002 10:03 AM
Subject: [Dshield] F5 3DNS/Coldwater Creek


> I know the F5 3DNS products are supposed to establish their metrics
> through udp port 53 probes. I know that Microsoft uses them and scans
> for hours. So far it all seems pretty reasonable, now enter Coldwater
> Creek Inc into the picture. Currently on the second week (that's right
> two WEEKS) of their port 53 probes, on a daily basis. Our ip space is
> small (4 total) with a handful of users, none remember surfing to their
> site. Outbound logs even corroborate this as in two months only my
> visit to their site is logged; I was curious to see just what they are.
> A polite but firm message to their technical contact (listed in arin)
> gets me a reply, too bad it's a brochure about F5 products. Real
> helpful, huh? Never expected a reply from Sprint or AT&T (their
> upstream providers) so I'm not surprised there. Missed it before but
> there is a port 80 probe from one of their subnets, since it was the
> same day I emailed their technical contact I'll assume it's him wanting
> to see our website and not a code red or whatever. No public website
> anyway, so it's a moot point. Have yet to hear from him about my reply
> to his 'explanation' (read F5 brochure), but since it's the weekend -
> I can be patient. Just thought I'd be proactive and see what the list
> thought of this. With the amount of time involved I'd hate to think
> I'm over-reacting but I guess it's possible. I had assumed that
> patience would prevail and the probes would taper off, doesn't look
> that way. Looks like the ip addresses in question have a number of
> records in the db with a substantial amount of unique targets. Either
> no fightback sent or no reply received, though I didn't check all of
> them.
>
> Comments, suggestions welcome.
>
> Example logs (previously submitted to the dshield db) that have been
> trimmed for brevity and partially obfuscated just because...to clarify
> on the trim job; average of three packets per instance reduced to the
> first only.
>
> UTC-5
>
> 2002-10-02 22:56:58.663865 204.120.131.30 26869 65.187.137.XXX 53 UDP
> 2002-10-02 22:57:04.008388 12.32.40.30 34142 65.187.137.XXX 53 UDP
> 2002-10-02 22:57:11.039172 12.32.39.7 59628 65.187.137.XXX 53 UDP
> 2002-10-03 08:24:38.417368 12.32.39.30 45978 65.187.137.XXX 53 UDP
> 2002-10-03 08:24:46.427529 12.32.40.7 7017 65.187.137.XXX 53 UDP
> 2002-10-03 08:26:12.065871 204.120.131.30 29782 65.187.137.XXX 53 UDP
> 2002-10-03 17:23:48.617494 12.32.40.30 38921 65.187.137.XXX 53 UDP
> 2002-10-03 17:23:49.589698 12.32.39.7 63958 65.187.137.XXX 53 UDP
> 2002-10-03 17:24:56.128916 204.120.131.6 38477 65.187.137.XXX 53 UDP
> 2002-10-04 02:50:08.450263 12.32.39.6 51775 65.187.137.XXX 53 UDP
> 2002-10-04 02:50:24.936689 12.32.40.30 41011 65.187.137.XXX 53 UDP
> 2002-10-04 02:51:22.853118 204.120.131.6 39383 65.187.137.XXX 53 UDP
> 2002-10-04 12:16:58.809568 12.32.39.7 4522 65.187.137.XXX 53 UDP
> 2002-10-04 12:17:08.352278 12.32.40.30 43315 65.187.137.XXX 53 UDP
> 2002-10-04 12:51:33.062801 204.120.131.5 33374 65.187.137.XXX 53 UDP
> 2002-10-04 21:38:12.769819 12.32.39.30 52535 65.187.137.XXX 53 UDP
> 2002-10-04 21:38:28.452537 12.32.40.30 45583 65.187.137.XXX 53 UDP
> 2002-10-04 22:14:22.379031 204.120.131.7 35975 65.187.137.XXX 53 UDP
> 2002-10-05 07:24:24.139526 12.32.40.30 47606 65.187.137.XXX 53 UDP
> 2002-10-05 07:26:52.963525 12.32.39.7 8205 65.187.137.XXX 53 UDP
> 2002-10-05 07:57:05.909519 204.120.131.30 44014 65.187.137.XXX 53 UDP
> 2002-10-05 16:58:20.815055 12.32.40.6 44553 65.187.137.XXX 53 UDP
> 2002-10-05 16:58:22.686455 12.32.39.30 55703 65.187.137.XXX 53 UDP
> 2002-10-05 17:32:16.604266 204.120.131.30 46555 65.187.137.XXX 53 UDP
> 2002-10-06 02:28:34.157299 12.32.39.7 11558 65.187.137.XXX 53 UDP
> 2002-10-06 02:34:55.142108 12.32.40.7 17172 65.187.137.XXX 53 UDP
> 2002-10-06 03:03:12.204398 204.120.131.30 48979 65.187.137.XXX 53 UDP
> 2002-10-06 12:04:56.927717 12.32.39.7 13083 65.187.137.XXX 53 UDP
> 2002-10-06 12:11:04.723204 12.32.40.7 18583 65.187.137.XXX 53 UDP
> 2002-10-06 12:35:52.492316 204.120.131.30 51434 65.187.137.XXX 53 UDP
> 2002-10-06 21:32:13.479465 12.32.39.30 60293 65.187.137.XXX 53 UDP
> 2002-10-06 21:38:40.344172 12.32.40.7 19991 65.187.137.XXX 53 UDP
> 2002-10-06 22:04:54.688497 204.120.131.7 40301 65.187.137.XXX 53 UDP
> 2002-10-07 07:01:23.722234 12.32.39.30 61836 65.187.137.XXX 53 UDP
> 2002-10-07 07:08:16.049976 12.32.40.7 21447 65.187.137.XXX 53 UDP
> 2002-10-07 08:05:02.813168 204.120.131.30 56529 65.187.137.XXX 53 UDP
> 2002-10-07 23:16:45.565022 12.32.39.6 3004 65.187.137.XXX 53 UDP
> 2002-10-07 23:59:04.268647 204.120.131.5 3063 65.187.137.XXX 53 UDP
> 2002-10-08 00:10:27.077316 12.32.40.6 2924 65.187.137.XXX 53 UDP
> 2002-10-08 18:14:08.019909 12.32.39.7 6698 65.187.137.XXX 53 UDP
> 2002-10-08 20:07:35.234820 12.32.40.7 6541 65.187.137.XXX 53 UDP
> 2002-10-08 20:29:03.879986 204.120.131.30 9208 65.187.137.XXX 53 UDP
> 2002-10-09 03:43:11.782774 12.32.39.7 8456 65.187.137.XXX 53 UDP
> 2002-10-09 05:37:26.634325 12.32.40.30 9699 65.187.137.XXX 53 UDP
> 2002-10-09 05:57:47.902673 204.120.131.30 11926 65.187.137.XXX 53 UDP
> 2002-10-09 13:10:27.815170 12.32.39.30 10835 65.187.137.XXX 53 UDP
> 2002-10-09 15:03:11.493538 12.32.40.30 12147 65.187.137.XXX 53 UDP
> 2002-10-09 15:22:47.417784 204.120.131.7 46449 65.187.137.XXX 53 UDP
> 2002-10-09 22:19:36.984584 12.32.39.30 12878 65.187.137.XXX 53 UDP
> 2002-10-10 17:32:01.741964 12.32.39.6 16473 65.187.137.XXX 53 UDP
> 2002-10-10 19:25:53.152651 12.32.40.30 19384 65.187.137.XXX 53 UDP
> 2002-10-10 19:44:46.386897 204.120.131.30 24094 65.187.137.XXX 53 UDP
> 2002-10-11 02:59:21.117170 12.32.39.30 19050 65.187.137.XXX 53 UDP
> 2002-10-11 04:54:05.922587 12.32.40.6 16353 65.187.137.XXX 53 UDP
> 2002-10-11 05:10:48.201544 204.120.131.6 62472 65.187.137.XXX 53 UDP
> 2002-10-11 12:27:36.717484 12.32.39.7 20126 65.187.137.XXX 53 UDP
> 2002-10-11 14:15:29.517759 12.32.40.30 24505 65.187.137.XXX 53 UDP
> 2002-10-11 14:34:39.024091 204.120.131.30 30578 65.187.137.XXX 53 UDP
> 2002-10-11 16:04:44.487376 204.120.131.254 57303 65.187.137.XXX 80 TCP S
> 2002-10-11 16:04:47.418478 204.120.131.254 57303 65.187.137.XXX 80 TCP S
> 2002-10-11 16:04:53.429669 204.120.131.254 57303 65.187.137.XXX 80 TCP S
> 2002-10-11 21:50:23.982705 12.32.39.30 23671 65.187.137.XXX 53 UDP
> 2002-10-11 23:42:05.592662 12.32.40.7 20773 65.187.137.XXX 53 UDP
> 2002-10-12 00:02:08.951260 204.120.131.7 52367 65.187.137.XXX 53 UDP
> 2002-10-12 07:22:54.512127 12.32.39.6 24731 65.187.137.XXX 53 UDP
> 2002-10-12 09:13:18.583088 12.32.40.30 29463 65.187.137.XXX 53 UDP
> 2002-10-12 09:32:47.370429 204.120.131.6 2584 65.187.137.XXX 53 UDP
> 2002-10-12 18:51:32.738393 12.32.40.6 23404 65.187.137.XXX 53 UDP
> 2002-10-12 19:09:18.972384 204.120.131.30 39996 65.187.137.XXX 53 UDP
> 2002-10-13 03:16:03.115835 12.32.39.6 28756 65.187.137.XXX 53 UDP
>
>
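A triage script for logs like the ones quoted above, written as an added example for this thread (it is not code from either poster, from DShield or from F5): it parses the dshield-style lines, groups probes by source /24 and destination protocol/port, and classifies each group by its timing. The embedded input is a subset of the post's own log lines (the first two days of UDP/53 probes plus the three TCP/80 SYNs); the thresholds in `classify` and the group labels are my own choices, not anything taken from the thread or from F5 documentation.

```python
"""Triage of the probe log quoted in the thread (added example).

Parses lines in the dshield-style format used in the post
(timestamp src_ip src_port dst_ip dst_port proto [flags]), groups
them by source /24 plus destination protocol/port, and reports how
many probes each group sent, from how many hosts and source ports,
and how regularly. A few networks each hitting UDP/53 once every
~9 hours looks like scheduled measurement rather than a sweep; a few
SYNs seconds apart from one host and one source port is a single
connection attempt with TCP retransmits.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Sample input: a subset of the log lines quoted in the original post.
SAMPLE_LOG = """\
2002-10-02 22:56:58.663865 204.120.131.30 26869 65.187.137.XXX 53 UDP
2002-10-02 22:57:04.008388 12.32.40.30 34142 65.187.137.XXX 53 UDP
2002-10-02 22:57:11.039172 12.32.39.7 59628 65.187.137.XXX 53 UDP
2002-10-03 08:24:38.417368 12.32.39.30 45978 65.187.137.XXX 53 UDP
2002-10-03 08:24:46.427529 12.32.40.7 7017 65.187.137.XXX 53 UDP
2002-10-03 08:26:12.065871 204.120.131.30 29782 65.187.137.XXX 53 UDP
2002-10-03 17:23:48.617494 12.32.40.30 38921 65.187.137.XXX 53 UDP
2002-10-03 17:23:49.589698 12.32.39.7 63958 65.187.137.XXX 53 UDP
2002-10-03 17:24:56.128916 204.120.131.6 38477 65.187.137.XXX 53 UDP
2002-10-04 02:50:08.450263 12.32.39.6 51775 65.187.137.XXX 53 UDP
2002-10-04 02:50:24.936689 12.32.40.30 41011 65.187.137.XXX 53 UDP
2002-10-04 02:51:22.853118 204.120.131.6 39383 65.187.137.XXX 53 UDP
2002-10-04 12:16:58.809568 12.32.39.7 4522 65.187.137.XXX 53 UDP
2002-10-04 12:17:08.352278 12.32.40.30 43315 65.187.137.XXX 53 UDP
2002-10-04 12:51:33.062801 204.120.131.5 33374 65.187.137.XXX 53 UDP
2002-10-04 21:38:12.769819 12.32.39.30 52535 65.187.137.XXX 53 UDP
2002-10-04 21:38:28.452537 12.32.40.30 45583 65.187.137.XXX 53 UDP
2002-10-04 22:14:22.379031 204.120.131.7 35975 65.187.137.XXX 53 UDP
2002-10-11 16:04:44.487376 204.120.131.254 57303 65.187.137.XXX 80 TCP S
2002-10-11 16:04:47.418478 204.120.131.254 57303 65.187.137.XXX 80 TCP S
2002-10-11 16:04:53.429669 204.120.131.254 57303 65.187.137.XXX 80 TCP S
"""


def parse_log(text):
    """Return one dict per log line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        try:
            ts = datetime.strptime(fields[0] + " " + fields[1], "%Y-%m-%d %H:%M:%S.%f")
            src = ipaddress.ip_address(fields[2])
        except ValueError:
            continue
        records.append({
            "ts": ts,
            "src": src,
            "sport": int(fields[3]),
            "dst": fields[4],          # left as logged (obfuscated "XXX")
            "dport": int(fields[5]),
            "proto": fields[6],
            "flags": fields[7] if len(fields) > 7 else "",
        })
    return records


def summarize(records):
    """Group by (source /24, proto, dst port) and describe each group's timing."""
    groups = defaultdict(list)
    for r in records:
        net = ipaddress.ip_network(f"{r['src']}/24", strict=False)
        groups[(str(net), r["proto"], r["dport"])].append(r)

    summary = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        summary[key] = {
            "count": len(recs),
            "hosts": len({r["src"] for r in recs}),
            "sports": len({r["sport"] for r in recs}),
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
            "min_gap_s": min(gaps) if gaps else None,
            "max_gap_s": max(gaps) if gaps else None,
        }
    return summary


def classify(stats):
    """Label a group by the shape of its timing (thresholds are my own choices)."""
    if stats["count"] < 3 or stats["mean_gap_s"] is None:
        return "too-few"
    if stats["mean_gap_s"] < 60 and stats["sports"] == 1:
        return "retransmit-burst"      # one connection attempt, TCP retries
    if (stats["mean_gap_s"] >= 3600 and stats["min_gap_s"] > 0
            and stats["max_gap_s"] / stats["min_gap_s"] < 2):
        return "periodic"              # scheduled, low-rate measurement
    return "irregular"


def triage(text):
    """Parse, summarize and classify; returns {group_key: (label, stats)}."""
    return {k: (classify(v), v) for k, v in summarize(parse_log(text)).items()}


if __name__ == "__main__":
    for (net, proto, dport), (label, st) in sorted(triage(SAMPLE_LOG).items()):
        gap_h = st["mean_gap_s"] / 3600 if st["mean_gap_s"] else 0
        print(f"{net:18} {proto}/{dport:<3} n={st['count']:2} hosts={st['hosts']} "
              f"sports={st['sports']:2} mean_gap={gap_h:6.2f}h -> {label}")
```

Run stand-alone it prints one line per group. On the sample, the three UDP/53 groups come out as periodic (six probes each, spread over a few hosts per /24, roughly nine hours apart), while the three TCP/80 SYNs share one source host and one source port and sit a few seconds apart, which is one connection attempt with TCP retransmits rather than three separate probes. Feeding the script a full day of firewall logs rather than the trimmed excerpt is the useful case: the same grouping separates a handful of scheduled measurement sources from anything that is actually sweeping the address space.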