
[linux-security] Re: Port 7 scan



Juha,

The "scans" you are seeing are in response to a DNS lookup being initiated
from your site for ad.doubleclick.net. More than likely it is a web
browser somewhere in your site, or more than likely many, that initiate the
lookup. The content that the browser is requesting is available from many
sites of DoubleClick's at many different locations on the Internet. The
connect back to your DNS server is to find which of these sites is best
for you in terms of latency. This information, along with the current load
on the servers at each site, is used to determine which IP to return to you
so that you go to the fastest site. The "scans" will not happen without a
request from your side. The information that is received is cached for a
period and reused to reduce the total amount of connections. In most
situations the group of connections back to your machine will be utilized
by many outbound requests from your end.

Hope this clears up your questions, drop me an email if not.

rich

	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	Richard Day   Technical Support Manager

	Resonate, Inc.
	385 Moffett Park Drive
	Suite 205
	Sunnyvale, CA 94089

	Main         408 548.5500
	Direct 	     408 548.5648
	Fax 	     408 548.5679
	Support      408 548.5600
	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Thu, 10 Jun 1999, Juha Virtanen wrote:

> From: EW1 Coral J. Cook <ccook nosc mil> 9.6.1999 21:10:
> 
> 
> >Over the last several days, we've been getting pretty regular scans from a
> >non-existent host on our port 7. Any idea what they are looking for/what are
> >some of the vulnerabilities with echo?
> 
> 
> I've seen the same and I issued incident tickets on major US service
> providers.
> 
> I got the following information quoted below:
> 
> > From: Ng, Alex [SMTP:ang doubleclick net]
> > Sent: Monday, June 07, 1999 11:05 AM
> > Subject: RE: Probable attack from your domain
> >
> > Dear Sir,
> >
> >  We are currently using the product GlobalDispatch from Resonate Inc.
> > for our Wide Area Data Distribution.  Please see letter below for a
> > detailed explanation of this product.  Thanks.
> >
> > Sincerely,
> >
> > Alex Ng
> >
> >
> > --------------------
> >
> > Hello Sir,
> >
> > Alex at Doubleclick asked us to work with you regarding this ticket.
> >
> > We have reason to believe that the reports you've received regarding
> > these three machines being compromised are a misunderstanding as a result
> > of our enterprise traffic management software: Global Dispatch.  Global
> > Dispatch is a WAN-based scheduler that makes it easy to place content
> > close to geographically dispersed users and intelligently directs
> > requests to the best-suited Point of Presence (POP).
> >
> > In the course of determining the best-suited POP, Global Dispatch performs
> > a latency measurement.  This latency measurement is done by making a
> > connection to the client DNS server on TCP port 7 and then dropping the
> > connection.  After the latency measurement has been done, the latency
> > values are cached, and the IP of the most responsive POP is returned to
> > the requesting machine.
> >
> > I hope this helps clear up the confusion. We are looking into other ways to
> > perform this latency measurement, and hope we have not caused you any
> > inconvenience.
> >
> > --
> > Resonate Technical Support <support resonate com>
> >
> >
> >  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >  Richard Day Call Center Manager
> >
> >  Resonate, Inc.
> >  465 Fairchild Drive
> >  Suite 115
> >  Mountain View, CA 94040
> >
> >  Main Phone   650 967.6500
> >  Fax       650 967.6561
> >  Support Line 650 967.4800
> >  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> 
> 
> Regards,
> Juha
> 
> 
> 
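
An added example, not part of the original thread: a defender-side check of the explanation above, which says the TCP port 7 connections go to your DNS server and only follow a lookup from your own side. It labels each inbound port 7 connection attempt as explained or worth investigating. The log formats, addresses, watched-name list and 10-second window are assumptions, and the sample lines are constructed.

```python
import bisect
from datetime import datetime, timedelta

# Constructed sample data (not from the thread). Addresses come from
# documentation ranges; both log formats are assumptions for this example.
RESOLVER_QUERIES = """\
1999-06-10T09:15:02 query ad.doubleclick.net
1999-06-10T09:15:40 query www.example.org
1999-06-10T11:02:17 query ad.doubleclick.net
"""
FIREWALL_LOG = """\
1999-06-10T09:15:03 SYN 192.0.2.10 -> 198.51.100.53:7
1999-06-10T09:15:03 SYN 192.0.2.74 -> 198.51.100.53:7
1999-06-10T09:15:04 SYN 203.0.113.8 -> 198.51.100.53:7
1999-06-10T09:15:05 SYN 192.0.2.10 -> 198.51.100.20:7
1999-06-10T10:30:00 SYN 203.0.113.99 -> 198.51.100.53:7
"""
DNS_SERVER = "198.51.100.53"            # our resolver (assumed address)
WATCHED_NAMES = {"ad.doubleclick.net"}  # names known to trigger the probes
WINDOW = timedelta(seconds=10)          # assumed bound on lookup-to-probe delay


def ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def classify_probes(fw_log, query_log):
    """Return (time, src, dst, verdict) for every inbound TCP/7 attempt."""
    lookups = sorted(
        ts(line.split()[0]) for line in query_log.splitlines()
        if line.split()[2] in WATCHED_NAMES
    )
    results = []
    for line in fw_log.splitlines():
        when, _, src, _, dst = line.split()
        host, port = dst.rsplit(":", 1)
        if port != "7":
            continue
        t = ts(when)
        i = bisect.bisect_right(lookups, t)  # lookups at or before the probe
        recent = i > 0 and t - lookups[i - 1] <= WINDOW
        ok = host == DNS_SERVER and recent   # both conditions from the thread
        results.append((when, src, host, "explained" if ok else "investigate"))
    return results


if __name__ == "__main__":
    for row in classify_probes(FIREWALL_LOG, RESOLVER_QUERIES):
        print(*row)
```

Because the measurements are cached, a lookup with no probe after it is expected and is not flagged; only a probe with no preceding lookup, or one aimed at a host other than the DNS server, is.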


