[Dshield] F5 3DNS/Coldwater Creek

millerbn millerbn at chiba.dhs.org
Tue Oct 15 19:05:37 GMT 2002


I'm aware of what it was for; it was the two-weeks part that bugged me.

Yes, I thought it was lame too. I guess I was finally able to get through to 
them that it was a configuration error and not an isolated incident or by 
design. Quoting from his message:

>On the next probing cycle beginning tomorrow you should no longer see any
>probing.

Either that or calling the dude at home scared the sh*t out of him. :)


On Mon, 14 Oct 2002 13:33:26 -0500, you wrote:

>My understanding is that proximity probes from these sites are for load
>balancing: determining which of their servers is closest to a computer
>trying to download something from them.
>
>The load balancing is done from different IP addresses than the associated
>browsing and from the server it chooses to deliver the download, and it
>doesn't always occur, which is what causes the confusion.
>
>The idea is that the outsourcer will have duplicate files on servers
>around the country and around the world.  So even if local ISPs don't
>cache them, and even if customers have proxy cache turned off, we don't
>have to burn up the cables from Boca Raton to Redmond every time a new
>patch is put out, or a new rap video is released.  As well as Microsoft
>updates, viewing real video files or downloading files from companies and
>organizations who have outsourced some of their large file delivery
>process can trigger this path determination process.
>
>And a new company getting into the business will be trying to map which
>servers best serve which IP addresses at different times of the day to
>determine where new servers need to be placed, or for future reference
>when downloads are requested.
>
>For good public relations with their prospective paying customers (some of
>us) these companies really should record why they scan each address so
>they can give a reason other than, "read our website".  (Maybe have it as
>a lookup on their website's contact page.)
>
>"Read our website" is pretty lame.
>
>- Keith
>----- Original Message -----
>From: "millerbn" <millerbn at chiba.dhs.org>
>To: <list at dshield.org>
>Sent: Sunday, October 13, 2002 10:03 AM
>Subject: [Dshield] F5 3DNS/Coldwater Creek
>
>
>> I know the F5 3DNS products are supposed to establish their metrics through UDP port
>> 53 probes. I know that Microsoft uses them and scans for hours. So far it all seems pretty
>> reasonable; now enter Coldwater Creek Inc into the picture. Currently on the second week
>> (that's right, two WEEKS) of their port 53 probes, on a daily basis. Our IP space is small (4
>> total) with a handful of users, none remember surfing to their site. Outbound logs even
>> corroborate this, as in two months only my visit to their site is logged; I was curious to see
>> just what they are. A polite but firm message to their technical contact (listed in ARIN) gets
>> me a reply, too bad it's a brochure about F5 products. Real helpful, huh? Never expected
>> a reply from Sprint or AT&T (their upstream providers) so I'm not surprised there. Missed it
>> before, but there is a port 80 probe from one of their subnets; since it was the same day I
>> emailed their technical contact I'll assume it's him wanting to see our website and not a
>> Code Red or whatever. No public website anyway, so it's a moot point. Have yet to hear
>> from him about my reply to his 'explanation' (read: F5 brochure), but since it's the weekend
>> I can be patient. Just thought I'd be proactive and see what the list thought of this. With the
>> amount of time involved I'd hate to think I'm over-reacting, but I guess it's possible. I had
>> assumed that patience would prevail and the probes would taper off; doesn't look that way.
>> Looks like the IP addresses in question have a number of records in the db with a substantial
>> amount of unique targets. Either no fightback sent or no reply received, though I didn't check
>> all of them.
>>
>> Comments, suggestions welcome.
>>
>> Example logs (previously submitted to the dshield db) that have been trimmed for brevity and
>> partially obfuscated just because... To clarify on the trim job: an average of three packets per
>> instance reduced to the first only.
>>
>> UTC-5
>>
>> 2002-10-02 22:56:58.663865 204.120.131.30 26869 65.187.137.XXX 53 UDP
>> 2002-10-02 22:57:04.008388 12.32.40.30 34142 65.187.137.XXX 53 UDP
>> 2002-10-02 22:57:11.039172 12.32.39.7 59628 65.187.137.XXX 53 UDP
>> 2002-10-03 08:24:38.417368 12.32.39.30 45978 65.187.137.XXX 53 UDP
>> 2002-10-03 08:24:46.427529 12.32.40.7 7017 65.187.137.XXX 53 UDP
>> 2002-10-03 08:26:12.065871 204.120.131.30 29782 65.187.137.XXX 53 UDP
>> 2002-10-03 17:23:48.617494 12.32.40.30 38921 65.187.137.XXX 53 UDP
>> 2002-10-03 17:23:49.589698 12.32.39.7 63958 65.187.137.XXX 53 UDP
>> 2002-10-03 17:24:56.128916 204.120.131.6 38477 65.187.137.XXX 53 UDP
>> 2002-10-04 02:50:08.450263 12.32.39.6 51775 65.187.137.XXX 53 UDP
>> 2002-10-04 02:50:24.936689 12.32.40.30 41011 65.187.137.XXX 53 UDP
>> 2002-10-04 02:51:22.853118 204.120.131.6 39383 65.187.137.XXX 53 UDP
>> 2002-10-04 12:16:58.809568 12.32.39.7 4522 65.187.137.XXX 53 UDP
>> 2002-10-04 12:17:08.352278 12.32.40.30 43315 65.187.137.XXX 53 UDP
>> 2002-10-04 12:51:33.062801 204.120.131.5 33374 65.187.137.XXX 53 UDP
>> 2002-10-04 21:38:12.769819 12.32.39.30 52535 65.187.137.XXX 53 UDP
>> 2002-10-04 21:38:28.452537 12.32.40.30 45583 65.187.137.XXX 53 UDP
>> 2002-10-04 22:14:22.379031 204.120.131.7 35975 65.187.137.XXX 53 UDP
>> 2002-10-05 07:24:24.139526 12.32.40.30 47606 65.187.137.XXX 53 UDP
>> 2002-10-05 07:26:52.963525 12.32.39.7 8205 65.187.137.XXX 53 UDP
>> 2002-10-05 07:57:05.909519 204.120.131.30 44014 65.187.137.XXX 53 UDP
>> 2002-10-05 16:58:20.815055 12.32.40.6 44553 65.187.137.XXX 53 UDP
>> 2002-10-05 16:58:22.686455 12.32.39.30 55703 65.187.137.XXX 53 UDP
>> 2002-10-05 17:32:16.604266 204.120.131.30 46555 65.187.137.XXX 53 UDP
>> 2002-10-06 02:28:34.157299 12.32.39.7 11558 65.187.137.XXX 53 UDP
>> 2002-10-06 02:34:55.142108 12.32.40.7 17172 65.187.137.XXX 53 UDP
>> 2002-10-06 03:03:12.204398 204.120.131.30 48979 65.187.137.XXX 53 UDP
>> 2002-10-06 12:04:56.927717 12.32.39.7 13083 65.187.137.XXX 53 UDP
>> 2002-10-06 12:11:04.723204 12.32.40.7 18583 65.187.137.XXX 53 UDP
>> 2002-10-06 12:35:52.492316 204.120.131.30 51434 65.187.137.XXX 53 UDP
>> 2002-10-06 21:32:13.479465 12.32.39.30 60293 65.187.137.XXX 53 UDP
>> 2002-10-06 21:38:40.344172 12.32.40.7 19991 65.187.137.XXX 53 UDP
>> 2002-10-06 22:04:54.688497 204.120.131.7 40301 65.187.137.XXX 53 UDP
>> 2002-10-07 07:01:23.722234 12.32.39.30 61836 65.187.137.XXX 53 UDP
>> 2002-10-07 07:08:16.049976 12.32.40.7 21447 65.187.137.XXX 53 UDP
>> 2002-10-07 08:05:02.813168 204.120.131.30 56529 65.187.137.XXX 53 UDP
>> 2002-10-07 23:16:45.565022 12.32.39.6 3004 65.187.137.XXX 53 UDP
>> 2002-10-07 23:59:04.268647 204.120.131.5 3063 65.187.137.XXX 53 UDP
>> 2002-10-08 00:10:27.077316 12.32.40.6 2924 65.187.137.XXX 53 UDP
>> 2002-10-08 18:14:08.019909 12.32.39.7 6698 65.187.137.XXX 53 UDP
>> 2002-10-08 20:07:35.234820 12.32.40.7 6541 65.187.137.XXX 53 UDP
>> 2002-10-08 20:29:03.879986 204.120.131.30 9208 65.187.137.XXX 53 UDP
>> 2002-10-09 03:43:11.782774 12.32.39.7 8456 65.187.137.XXX 53 UDP
>> 2002-10-09 05:37:26.634325 12.32.40.30 9699 65.187.137.XXX 53 UDP
>> 2002-10-09 05:57:47.902673 204.120.131.30 11926 65.187.137.XXX 53 UDP
>> 2002-10-09 13:10:27.815170 12.32.39.30 10835 65.187.137.XXX 53 UDP
>> 2002-10-09 15:03:11.493538 12.32.40.30 12147 65.187.137.XXX 53 UDP
>> 2002-10-09 15:22:47.417784 204.120.131.7 46449 65.187.137.XXX 53 UDP
>> 2002-10-09 22:19:36.984584 12.32.39.30 12878 65.187.137.XXX 53 UDP
>> 2002-10-10 17:32:01.741964 12.32.39.6 16473 65.187.137.XXX 53 UDP
>> 2002-10-10 19:25:53.152651 12.32.40.30 19384 65.187.137.XXX 53 UDP
>> 2002-10-10 19:44:46.386897 204.120.131.30 24094 65.187.137.XXX 53 UDP
>> 2002-10-11 02:59:21.117170 12.32.39.30 19050 65.187.137.XXX 53 UDP
>> 2002-10-11 04:54:05.922587 12.32.40.6 16353 65.187.137.XXX 53 UDP
>> 2002-10-11 05:10:48.201544 204.120.131.6 62472 65.187.137.XXX 53 UDP
>> 2002-10-11 12:27:36.717484 12.32.39.7 20126 65.187.137.XXX 53 UDP
>> 2002-10-11 14:15:29.517759 12.32.40.30 24505 65.187.137.XXX 53 UDP
>> 2002-10-11 14:34:39.024091 204.120.131.30 30578 65.187.137.XXX 53 UDP
>> 2002-10-11 16:04:44.487376 204.120.131.254 57303 65.187.137.XXX 80 TCP S
>> 2002-10-11 16:04:47.418478 204.120.131.254 57303 65.187.137.XXX 80 TCP S
>> 2002-10-11 16:04:53.429669 204.120.131.254 57303 65.187.137.XXX 80 TCP S
>> 2002-10-11 21:50:23.982705 12.32.39.30 23671 65.187.137.XXX 53 UDP
>> 2002-10-11 23:42:05.592662 12.32.40.7 20773 65.187.137.XXX 53 UDP
>> 2002-10-12 00:02:08.951260 204.120.131.7 52367 65.187.137.XXX 53 UDP
>> 2002-10-12 07:22:54.512127 12.32.39.6 24731 65.187.137.XXX 53 UDP
>> 2002-10-12 09:13:18.583088 12.32.40.30 29463 65.187.137.XXX 53 UDP
>> 2002-10-12 09:32:47.370429 204.120.131.6 2584 65.187.137.XXX 53 UDP
>> 2002-10-12 18:51:32.738393 12.32.40.6 23404 65.187.137.XXX 53 UDP
>> 2002-10-12 19:09:18.972384 204.120.131.30 39996 65.187.137.XXX 53 UDP
>> 2002-10-13 03:16:03.115835 12.32.39.6 28756 65.187.137.XXX 53 UDP

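As an added example (not part of the original thread), here is a small Python triage script for log lines in the format quoted above. It groups records by source /24, protocol and destination port and reports packets, distinct hosts and distinct days, so a few UDP/53 packets recurring from the same subnets day after day, as described in the post, can be told apart from a one-off scan. The sample lines are a constructed subset of the logs in the post; the /24 grouping and the three-day threshold are assumptions.

```python
"""Triage of DShield-style log lines for low-rate, recurring probing (added example).

Format assumed from the post: "YYYY-MM-DD HH:MM:SS.ffffff src sport dst dport proto [flags]".
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the lines quoted in the thread (dst obfuscated as in the post).
SAMPLE_LOG = """\
2002-10-02 22:56:58.663865 204.120.131.30 26869 65.187.137.XXX 53 UDP
2002-10-02 22:57:04.008388 12.32.40.30 34142 65.187.137.XXX 53 UDP
2002-10-03 08:24:38.417368 12.32.39.30 45978 65.187.137.XXX 53 UDP
2002-10-04 02:50:08.450263 12.32.39.6 51775 65.187.137.XXX 53 UDP
2002-10-11 16:04:44.487376 204.120.131.254 57303 65.187.137.XXX 80 TCP S
2002-10-12 07:22:54.512127 12.32.39.6 24731 65.187.137.XXX 53 UDP
"""


def parse_line(line):
    """Return one record as a dict, or None if the line is not in the expected format."""
    parts = line.split()
    if len(parts) < 7:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S.%f")
        return {"ts": ts, "src": parts[2], "sport": int(parts[3]), "dst": parts[4],
                "dport": int(parts[5]), "proto": parts[6], "flags": parts[7:]}
    except ValueError:
        return None


def source_net(ip):
    """Group by /24 (an assumption): the probes in the post come from several hosts per subnet."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def summarize(log_text, min_days=3):
    """Per (source /24, proto, dport): packets, distinct hosts and days, first/last seen;
    'recurring' flags keys seen on at least min_days distinct days, the pattern in the thread."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[(source_net(rec["src"]), rec["proto"], rec["dport"])].append(rec)
    report = {}
    for key, recs in groups.items():
        days = {r["ts"].date() for r in recs}
        report[key] = {"packets": len(recs), "hosts": len({r["src"] for r in recs}),
                       "days": len(days), "first": min(r["ts"] for r in recs),
                       "last": max(r["ts"] for r in recs), "recurring": len(days) >= min_days}
    return report
```

Run against a full export, the same summary makes the cadence visible: many distinct days with one to three packets each and a single destination port per source subnet.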