Can't explain your traffic, but your description doesn't sit quite right.
Did you really see a Syn to internal port 80 from these folks? Or did you
just see traffic with port 80 as a destination? A client can use port 80
to initiate a connection. I'm betting that's all you saw. Logs?

Eyeblaster is an ad server...
http://www.eyeblaster.com/WebSite/default.htm

I guess bs (in this case) stands for Burst Server.

From google:
http://www.ufoot.org/misc/plague/ads.php3
http://ssmedia.com/Utilities/hosts/

Doesn't sound like something to get worked up over. Why not block them and
save your users a few ads, heh heh.

-David

> -----Original Message-----
> From: Jeremy Junginger [mailto:jjat_private]
> Sent: Thursday, May 29, 2003 5:45 PM
> To: incidentsat_private
> Subject: Weird Traffic from www.eyeblaster-bs.com
>
> Good Afternoon,
>
> I am seeing some strange traffic from www.eyeblaster-bs.com on both
> network and host based IDS. More specifically, I'm seeing TCP port 80
> (http) traffic from multiple internal clients to
> http://www.eyeblaster-bs.com/BurstingPipe and
> http://www.eyeblastrer-bs.com/BurstingPipe.asp?param=% . So far, it
> looks like normal surfing....well...almost. The strange thing is that I
> have seen traffic that appears to be sourced from this server to clients
> (dest port 80) on the Internal Network (which should be relatively
> protected as they use Port Address Translation, not to mention that port
> 80 is not allowed to those client machines). I've seen this URL
> mentioned on several usage reports, but have not seen any explanations
> about what it is. Let me know what you think.
>
> Here are some of the other networks that have seen traffic TO this
> server:
> http://www.olc.edu/~bbump/usage/ns1/7th/url_200211.html
> http://network.ci.seekonk.ma.us/WebUsage/Library/url_200212.html
> http://www.bsafehome.com/historyreport.asp
>
> -Jeremy
>
> These are not the packets you're looking for...You can go about your
> business.....Move along....
> :-)
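
Added example, not part of the original thread: one way to check IDS packet records for the distinction raised in the reply, a SYN aimed at an internal port 80 versus packets that merely carry destination port 80. The record layout, the function name, the RFC 1918 address plan and the sensor sitting inside the PAT boundary are all assumptions, and the sample packets are constructed.

```python
import ipaddress

# Assumption: the sensor sits inside the PAT boundary and clients use RFC 1918 space.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def review_port80_inbound(packets):
    """Label every outside-to-inside packet whose destination port is 80.

    Each packet is (src, sport, dst, dport, flags), flags being TCP flag
    letters such as "S", "SA" or "PA". Packets must be in capture order.
    """
    opened = set()      # sessions whose first SYN came from an internal client
    findings = []
    for src, sport, dst, dport, flags in packets:
        syn_only = "S" in flags and "A" not in flags
        if is_internal(src) and not is_internal(dst):
            if syn_only:
                opened.add((src, sport, dst, dport))
            continue
        if not (is_internal(dst) and not is_internal(src) and dport == 80):
            continue
        if (dst, dport, src, sport) in opened:
            verdict = "reply to client-initiated session"
        elif syn_only:
            verdict = "unsolicited inbound SYN"
        else:
            verdict = "no matching session seen"
        findings.append((src, dst, flags, verdict))
    return findings

# Constructed sample data (documentation address ranges, not from the thread).
SAMPLE = [
    ("192.168.1.25", 80, "203.0.113.10", 80, "S"),     # client source port is 80
    ("203.0.113.10", 80, "192.168.1.25", 80, "SA"),
    ("203.0.113.10", 80, "192.168.1.25", 80, "PA"),
    ("198.51.100.7", 41000, "192.168.1.30", 80, "S"),
    ("198.51.100.9", 80, "192.168.1.31", 80, "A"),
]

if __name__ == "__main__":
    for row in review_port80_inbound(SAMPLE):
        print(*row, sep="  ")
```

Only the "unsolicited inbound SYN" rows represent an outside host trying to open a connection to an internal port 80; "no matching session seen" usually means the capture started after the session did and needs the earlier logs.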
This archive was generated by hypermail 2b30 : Fri May 30 2003 - 15:25:06 PDT