eBay

berserkerplanet · ‎01-02-2019

Beginning 12/30/2018, I noted a relative flood of blocked, unsolicited inbounds from 72.21.91.97 which resolves to cs71.wac.edgecastcdn.net which is an alias for ebay01.i.lithium.com alan@ebay

I don't know much about how CDN servers handle traffic and TCP connections. This may have to do with how "close connection" is being handled
All logged connections to 72.21.91.97 map only to Lithium content.
There have been no changes in my internet connection, no changes in my network setup, and no changes to my Firefox 31 browser (no automatic updates occur for the OS or anything period on this machine).
Cookies and cache were cleared - no change.
Exactly the same thing occurs in different Firefox 52 browser
Occurs for no other websites or IPs

Out of 69000+ connections to 72.21.91.97 in the last 365 days, only the 4 unsolicited inbound echos mentioned above occurred prior to 12/30/18.

Out of the 3960 connections to 72.21.91.97 from 12/30/18 to now, 517 legitimate outbounds and 3443 unsolicited inbounds on those same ports were logged. (and that ratio is low due to inclusion of outbounds on the 12/30 before it really started)

On 12/30 it began as a small group of 5 from 1:39am to 1:45am (that had a 1 to 1 port correspondence to 5 legitimate outbound connections initiated at 1:29am), and then at 5:27am ramped up to 10 blocked inbound connections for every legitimate outbound connection that occurred 1-5 minutes after the original outbound connection.

In short, every time I reload my community forum profile page, cs71.wac.edgecastcdn.net hammers my firewall with 40 +/- 20 unsolicited inbounds a few minutes after the page reload. Also occurs for other community forum pages, but have no spent a lot of time characterizing that.

Additionally, I noted a slew of 404 errors when testing and gathering data just now for /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map
which are coming from the same CDN server.

That profile page reload generated 53 nearly consecutive attempts to load that script which resulted in 404 errors. Those failures do not produce any later unsolicited inbounds from the server.

Something has changed and is wrong with the Lithium CDN server setup.

HTTPFox capture for the community profile page reload where all the 404 errors occurred in the browser (Long URL lines were wrapped to work in the codebox without forcing ridiculous page width)

Started           Time       Sent      Rcvd     Method   Status
 Type
  URL
------------------------------------------------------------------
00:00:04.914      0.214      1726      153      GET      302
 Redirect to: https://community.ebay.com/t5/user/viewprofilepage/user-id/4162604?nobounce
  https://community.ebay.com/t5/user/viewprofilepage/user-id/4162604

00:00:05.134      0.125      1735      130      GET      302
 Redirect to: https://community.ebay.com/plugins/common/feature/oauth2sso_v2/sso_login_redirect?prompt
 =none&referer=https%3A%2F%2Fcommunity.ebay.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F4162604
  https://community.ebay.com/t5/user/viewprofilepage/user-id/4162604?nobounce

00:00:05.273      0.149      1844      246      GET      302
 Redirect to: https://auth.ebay.com/oauth2/authorize?client_id=LithiumT-7567-42e3-a620-0b7cf8ee50ee&
 redirect_uri=Lithium_Technol-LithiumT-7567-4-khvro&response_type=code&state=https%3A%2F%2Fcommunity.
 ebay.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F4162604&prompt=none&referer=https%3A%2F%2F
 community.ebay.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F4162604
  https://community.ebay.com/plugins/common/feature/oauth2sso_v2/sso_login_redirect?prompt=none&
  referer=https%3A%2F%2Fcommunity.ebay.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F4162604

00:00:05.428      0.603      1730      209      GET      (Aborted)
 text/plain (NS_BINDING_ABORTED)
  https://auth.ebay.com/oauth2/authorize?client_id=LithiumT-7567-42e3-a620-0b7cf8ee50ee&redirect_uri
  =Lithium_Technol-LithiumT-7567-4-khvro&response_type=code&state=https%3A%2F%2Fcommunity.ebay.com
  %2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F4162604&prompt=none&referer=https%3A%2F%2Fcommunity.
  ebay.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F4162604

00:00:05.996      2.798      1917      181      GET      302
 Redirect to: https://community.ebay.com/t5/user/viewprofilepage/user-id/4162604
  https://community.ebay.com/auth/oauth2callback?state=https%3A%2F%2Fcommunity.ebay.com%2Ft5%2Fuser
  %2Fviewprofilepage%2Fuser-id%2F4162604&code=v%5E1.1%23i%5E1%23I%5E3%23p%5E3%23f%5E0%23r%5E1%23t%5
  EUl41XzExOkY2MzI1RjE2NzlFMjVDNDBEOUEwNkYzMUM5MTMzQ0Y3XzFfMSNFXjI2MA%3D%3D&expires_in=9999

00:00:08.834      0.908      1700      16495    GET      200
 text/html
  https://community.ebay.com/t5/user/viewprofilepage/user-id/4162604

00:00:09.687      0.891      337      (283770)  GET      (Cache)
 text/css
  /skins/3408826/427255036367f1e0401a060a49ea6a08/ebayresponsive.css

00:00:09.692      1.456      324      (4213)    GET      (Cache)
 text/javascript
  /t5/scripts/008CF943B425F171E65313FF4BF21034/lia-scripts-head-min.js

00:00:09.696      1.455      324      (1407)    GET      (Cache)
 text/javascript
  /t5/scripts/4C4EAA2E897F1A4CACB67A898BA9417A/lia-scripts-head-min.js

00:00:09.701      1.474      261      (14105)   GET      (Cache)
 text/css
  https://ir.ebaystatic.com/rs/v/vbfgz414rqz5lnmzcfypj25lbyd.css?proc=DU:N

00:00:09.706      1.522      249      (0)       GET      (Cache)
 application/javascript
  https://secureinclude.ebaystatic.com/v4js/z/yw/n5h3wmxgey0ypgi1xpfwz5zf2.js

00:00:11.176      0.460      403      1932      GET      200
 image/png
  /skins/images/F33C9A3D3892D1A00C0658294D43A58E/responsive_peak/
  images/button_lithium_logo.png

00:00:11.179      0.185      329      (60759)   GET      (Cache)
 text/javascript
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/lia-scripts-
  angularjs-min.js

00:00:11.183      0.301      336      (0)       GET      (Cache)
 text/javascript
  /t5/scripts/8085D3C7961562D718FF7BD84F94D55F/lia-scripts-
  angularjsModules-min.js

00:00:11.186      0.392      326      (93047)   GET      (Cache)
 text/javascript
  /t5/scripts/F91AC132743DFE410B40C82F8FBA3F3B/lia-scripts-common-min.js

00:00:11.190      0.401      324      (11523)   GET      (Cache)
 text/javascript
  /t5/scripts/4E0957D674632E878F08BD3A9E7D2BE2/lia-scripts-body-min.js

00:00:11.637      1.274      495      3318      GET      200
 image/png
  /t5/image/serverpage/avatar-name/07_avatar_02/avatar-theme/candy/
  avatar-collection/Ebay/avatar-display-size/message/version/2?xdesc=1.0

00:00:11.658      1.468      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.760      1.725      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.763      1.816      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.792      1.271      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.795      1.832      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.807      1.608      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.819      2.042      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.822      2.798      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.829      3.198      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.832      3.414      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.835      3.596      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.844      3.791      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.847      4.063      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.851      4.786      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.854      4.986      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.880      5.136      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.886      5.317      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.889      5.954      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.896      6.221      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.899      6.513      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.909      6.733      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.912      7.166      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.921      7.455      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.927      7.688      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.930      7.936      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.936      8.295      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.939      8.610      446      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:11.955      2.456      2265      238      GET      200
 application/json
  https://community.ebay.com/ebay01/api/2.0/search?q=SELECT+id,+title,+description,+thumb_href,
  +original_href,+owner.id,+owner.login,+owner.rank.name,+owner.rank.icon_left,+owner.rank.icon_right,
  +owner.rank.bold,+owner.rank.color,+owner.avatar.message,+upload_time,+upload_time_friendly,+owner.
  view_href,+height,+album.view_href,+album.title,+visibility+FROM+images+WHERE+owner.id+%3D+%224162604
  %22+ORDER+BY+upload_time+DESC+LIMIT+100+OFFSET+0

00:00:20.746      0.460      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.752      0.834      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.757      0.734      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.764      0.463      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.767      1.096      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.770      1.894      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.774      1.893      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.777      2.101      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.784      2.376      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.788      2.604      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.792      3.171      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.798      3.338      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.802      3.533      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.817      3.729      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.823      4.049      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.826      4.728      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.837      4.930      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.840      5.196      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.842      5.608      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.845      5.987      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.867      6.193      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.870      6.532      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.873      6.669      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.876      6.970      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.879      7.169      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.883      7.502      570      231       GET      404
 text/html
  /t5/scripts/95E6648155A17767FE04B60E58E4D432/angular.min.js.map

00:00:20.890      1.794      1856      (157)    GET      (Aborted)
 image/gif (NS_BINDING_ABORTED)
  https://community.ebay.com/t5/image/serverpage/image-id/538874i1847B5A3F228FF35/image-size/thumb/
  crop-image/true?v=1.0&px=150

00:00:20.896      1.804      1856      (157)    GET      (Aborted)
 image/gif (NS_BINDING_ABORTED)
  https://community.ebay.com/t5/image/serverpage/image-id/538870i58BA128FA4CDBF69/image-size/thumb/
  crop-image/true?v=1.0&px=150

00:00:20.900      1.980      1856      (157)    GET      (Aborted)
 image/jpeg (NS_BINDING_ABORTED)
  https://community.ebay.com/t5/image/serverpage/image-id/538353iE4ED49CD3F87F826/image-size/thumb/
  crop-image/true?v=1.0&px=150

00:00:20.905      1.779      1856      (157)    GET      (Aborted)
 image/jpeg (NS_BINDING_ABORTED)
  https://community.ebay.com/t5/image/serverpage/image-id/538352i0729F311E62213FC/image-size/thumb/
  crop-image/true?v=1.0&px=150

00:00:20.909      1.953      1856      (157)    GET      (Aborted)
 image/gif (NS_BINDING_ABORTED)
  https://community.ebay.com/t5/image/serverpage/image-id/538085iDBCDD291A5B57641/image-size/thumb/
  crop-image/true?v=1.0&px=150

00:00:20.913      1.772      1856      (157)    GET      (Aborted)
 image/gif (NS_BINDING_ABORTED)
  https://community.ebay.com/t5/image/serverpage/image-id/538048iC4F70B7927C28517/image-size/thumb/
  crop-image/true?v=1.0&px=150

00:00:20.917      4.233      1856      (157)    GET      (Aborted)
 image/gif (NS_BINDING_ABORTED)
  https://community.ebay.com/t5/image/serverpage/image-id/537530i0565BD4E6E35987A/image-size/thumb/
  crop-image/true?v=1.0&px=150

00:00:20.921      4.228      1856      (157)    GET      (Aborted)
 image/gif (NS_BINDING_ABORTED)
  https://community.ebay.com/t5/image/serverpage/image-id/537084i64C767F08EDDA71D/image-size/thumb/
  crop-image/true?v=1.0&px=150

00:00:20.925      4.225      1856      (157)    GET      (Aborted)
 image/gif (NS_BINDING_ABORTED)
  https://community.ebay.com/t5/image/serverpage/image-id/535912i3DB3F4F39C2E334A/image-size/thumb/
  crop-image/true?v=1.0&px=150

Firewall log entries for IP 72.21.91.97 since major start of issue on 12/31 attached as a file (because 60,000 char forum post limit). All the entries are unsolicited inbounds to already closed ports, are blocked by the router, and display as red flagged inbounds as seen in the following:

doug@ebay · ‎01-02-2019

Thanks @berserkerplanet, I've asked Lithium to look into this.

@berserkerplanet wrote:

Beginning 12/30/2018, I noted a relative flood of blocked, unsolicited inbounds from 72.21.91.97 which resolves to cs71.wac.edgecastcdn.net which is an alias for ebay01.i.lithium.com alan@ebay

I don't know much about how CDN servers handle traffic and TCP connections. This may have to do with how "close connection" is being handled

All logged connections to 72.21.91.97 map only to Lithium content.

There have been no changes in my internet connection, no changes in my network setup, and no changes to my Firefox 31 browser (no automatic updates occur for the OS or anything period on this machine).

Cookies and cache were cleared - no change.

Exactly the same thing occurs in different Firefox 52 browser

Occurs for no other websites or IPs

View Best Answer in original post

doug@ebay · ‎01-02-2019

Thanks @berserkerplanet, I've asked Lithium to look into this.

@berserkerplanet wrote:

Beginning 12/30/2018, I noted a relative flood of blocked, unsolicited inbounds from 72.21.91.97 which resolves to cs71.wac.edgecastcdn.net which is an alias for ebay01.i.lithium.com alan@ebay

I don't know much about how CDN servers handle traffic and TCP connections. This may have to do with how "close connection" is being handled

All logged connections to 72.21.91.97 map only to Lithium content.

There have been no changes in my internet connection, no changes in my network setup, and no changes to my Firefox 31 browser (no automatic updates occur for the OS or anything period on this machine).

Cookies and cache were cleared - no change.

Exactly the same thing occurs in different Firefox 52 browser

Occurs for no other websites or IPs

berserkerplanet · ‎01-02-2019

Thanks Doug.

It's not fatal but is incredibly annoying as I watch 50-100 red blocked entries stream by out of the corner of my eye constantly.

I could "fix" it by not displaying any connections for that IP (I can still log them though), and that might be the answer if Lithium doesn't consider it an issue (I think it is indicative of a bigger server mis-configuration problem), but I tend to shy away from hiding things like that as it's a bad habit to get into (just stick the smoke alarm in the drawer so it won't go off 🙂

doug@ebay · ‎01-08-2019

Hi @berserkerplanet, Lithium doesn't seem to consider it an issue:

"The traffic from the CDN is expected. A large number of 404 errors can cause page loads to slow but as you can see here, https://error404.atomseo.com/SeoCheck/Report/community.ebay.com/2019-01-04/free?from=, eBay has a very low 404 count and an A rating."

I do want to look more into the 404 errors, and eBay IT has asked us to look into a number of 302 redirects.

@berserkerplanet wrote:
Thanks Doug.

It's not fatal but is incredibly annoying as I watch 50-100 red blocked entries stream by out of the corner of my eye constantly.

I could "fix" it by not displaying any connections for that IP (I can still log them though), and that might be the answer if Lithium doesn't consider it an issue (I think it is indicative of a bigger server mis-configuration problem), but I tend to shy away from hiding things like that as it's a bad habit to get into (just stick the smoke alarm in the drawer so it won't go off 🙂

berserkerplanet · ‎01-08-2019

Huh? As I said, I know little about the details of server management or traffic, but that sort of behavior verges on looking like a low level DOS attack 🙂

And curious that it suddenly became an issue on around the 12/30 when it was not prior (but I only checked back though one year of logs)

Haven't noted any more 404 errors, but I haven't been looking for them. I would only see those if I actively turn HTTPfox on in the browsers or run a packet sniffer outside the browsers which I had no reason to do.

I do however have logs for the inbound and outbound TCP connections AND .....

Haven't SEEN A SINGLE inbound from 72.21.91.97 since the browser made 5 outbound connections to the IP at 11:40am on 1/4/19, which were followed by 50 echoed inbounds 3-4 minutes later. Last inbound was 1/4/10 at 11:44am.

Next outbounds were a half hour later at 12:16pm with no unsolicited inbounds in the 655 outbounds in the 4 days since then.

Sure looks like somebody flipped a switch somewhere and undid whatever it was that they don't consider to be an issue that they did on 12/30.

Anyway, for the moment appears to be a non-issue, and if it begins again, I'll just stop displaying those specific inbounds (see no evil), and depending on the volume, may stop logging them also.

Thanks for the followup Doug.

eBay

Community Forum CDN Server Issue ebay01.i.lithium.com-->cs71.wac.edgecastcdn.net

Community Forum CDN Server Issue ebay01.i.lithium.com-->cs71.wac.edgecastcdn.net

Community Forum CDN Server Issue ebay01.i.lithium.com-->cs71.wac.edgecastcdn.net

Community Forum CDN Server Issue ebay01.i.lithium.com-->cs71.wac.edgecastcdn.net

Community Forum CDN Server Issue ebay01.i.lithium.com-->cs71.wac.edgecastcdn.net

Community Forum CDN Server Issue ebay01.i.lithium.com-->cs71.wac.edgecastcdn.net

Featured Posts

Welcome to the Community Platform Updates board