[31650] in North American Network Operators' Group
Re: QAZ probes from webtv?
daemon@ATHENA.MIT.EDU (John Fraizer)
Tue Oct 3 21:54:16 2000
Date: Tue, 3 Oct 2000 21:52:27 -0400 (EDT)
From: John Fraizer <nanog@EnterZone.Net>
To: Sami Juvonen <samij@corp.webtv.net>
Cc: "'nanog@merit.edu'" <nanog@merit.edu>
In-Reply-To: <37C3476607141849A65191FB44C1D5731138FF@svc-msg-03.northamerica.corp.microsoft.com>
Message-ID: <Pine.LNX.4.21.0010032151150.23049-100000@Overkill.EnterZone.Net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
On Tue, 3 Oct 2000, Sami Juvonen wrote:
>
> Dan Hollis <goemon@sasami.anime.net> wrote on Sun, 1 Oct 2000 20:08:03 -0700
> (PDT):
> > Anyone else seeing webtv probing your customers for QAZ?
> > The following webtv hosts seem to be probing our dialup customers port
> > tcp/7597:
>
> WebTV Networks is not probing for QAZ.
>
> After reviewing the log files Dan Hollis provided, it appears that
> these packets are normal TCP communication between a WebTV terminal
> and the WebTV service. The client terminal initiates a connection,
> picking a random source port. The service is trying to establish a
> connection with the client using that port. This behavior is not
> limited to WebTV. It appears that the packet from the service was
> caught in Dan's perimeter router ACL.
>
> Please do not hesitate to contact us if you have any concerns about
> WebTV and security or network interoperability issues. Please see
> http://www.webtv.net/contact/contact.html for contact information.
>
>
> Thank you,
>
> Sami Juvonen, Systems Engineer,
> WebTV Networks, Operations Engineering
>
So, Dan's ACL was trapping any TCP traffic destined to 7597 and not just
TCP SYN?
---
John Fraizer
EnterZone, Inc
