List:       incidents
Subject:    IMesh Scans from 209.225.26.19 and 216.35.208.153
From:       Crist Clark <crist.clark () GLOBALSTAR ! COM>
Date:       2001-02-26 22:20:48
I was analysing some of the more strange traffic patterns from last week's
logs when I came across these:

  23Feb2001  8:43:39 accept >qfe3  tcp 192.168.AAA.BBB:1436 -> 216.35.208.153:5000 44 (DDD.EEE.FFF.GGG:53596 -> 216.35.208.153:5000)
  23Feb2001  8:43:50   drop >hme0  tcp 216.35.208.153:51851 -> DDD.EEE.FFF.GGG:4456 44
  23Feb2001  8:43:56   drop >hme0  tcp 216.35.208.153:51869 -> DDD.EEE.FFF.GGG:4329 44
  23Feb2001  8:44:02   drop >hme0  tcp 216.35.208.153:51882 -> DDD.EEE.FFF.GGG:4500 44
  23Feb2001  8:44:08   drop >hme0  tcp 216.35.208.153:51896 -> DDD.EEE.FFF.GGG:5000 44
  23Feb2001  8:44:14   drop >hme0  tcp 216.35.208.153:51916 -> DDD.EEE.FFF.GGG:5500 44
  23Feb2001  8:44:20   drop >hme0  tcp 216.35.208.153:51932 -> DDD.EEE.FFF.GGG:X11 44
  23Feb2001  8:44:25   drop >hme0  tcp 216.35.208.153:51948 -> DDD.EEE.FFF.GGG:6500 44
  23Feb2001  8:44:31   drop >hme0  tcp 216.35.208.153:51962 -> DDD.EEE.FFF.GGG:7000 44
  23Feb2001  8:44:36   drop >hme0  tcp 216.35.208.153:51972 -> DDD.EEE.FFF.GGG:7500 44
  23Feb2001  8:44:42   drop >hme0  tcp 216.35.208.153:51981 -> DDD.EEE.FFF.GGG:http 44

  23Feb2001 13:31:09 accept >qfe3  tcp 192.168.AAA.CCC:1459 -> 209.225.26.19:5000 44 (DDD.EEE.FFF.GGG:20653 -> 209.225.26.19:5000)
  23Feb2001 13:31:13   drop >hme0  tcp 209.225.26.19:60461 -> DDD.EEE.FFF.GGG:4923 44
  23Feb2001 13:31:19   drop >hme0  tcp 209.225.26.19:60471 -> DDD.EEE.FFF.GGG:4329 44
  23Feb2001 13:31:25   drop >hme0  tcp 209.225.26.19:60482 -> DDD.EEE.FFF.GGG:4500 44
  23Feb2001 13:31:31   drop >hme0  tcp 209.225.26.19:60489 -> DDD.EEE.FFF.GGG:5000 44
  23Feb2001 13:31:38   drop >hme0  tcp 209.225.26.19:60499 -> DDD.EEE.FFF.GGG:5500 44
  23Feb2001 13:31:44   drop >hme0  tcp 209.225.26.19:60512 -> DDD.EEE.FFF.GGG:X11 44
  23Feb2001 13:31:50   drop >hme0  tcp 209.225.26.19:60523 -> DDD.EEE.FFF.GGG:6500 44
  23Feb2001 13:31:57   drop >hme0  tcp 209.225.26.19:60532 -> DDD.EEE.FFF.GGG:7000 44
  23Feb2001 13:32:03   drop >hme0  tcp 209.225.26.19:60542 -> DDD.EEE.FFF.GGG:7500 44
  23Feb2001 13:32:09   drop >hme0  tcp 209.225.26.19:60555 -> DDD.EEE.FFF.GGG:http 44

What we are seeing is an internal user connecting to port 5000 of the
external machine. The internal user's RFC1918 IP address is NATed. The
external IMesh "server" then replies with a scan of the NATed source
address (at least it looks like the internal client is not passing its
IP address through at the application layer).

I have managed to associate both of these with IMesh.com filesharing.
However, I have been unable to find information about how their protocol
actually works and whether these scans are "normal." Is the remote peer
trying to find out if we are sharing? Why do the two scans differ slightly,
but also look very similar?

Any pointers to more info would be appreciated. Thanks.
--
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.  If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.  If you have received this
e-mail in error, please contact postmaster@globalstar.com

