Addressing Vulnerabilities - Presence of a Load-Balancing Device Detected

As someone stated earlier - the IP ID "range" variance is indicative of LB - for example when doing something like:

 

 

$ sudo hping3 wwww.amazon.com -S -p 80

 

HPING wwww.amazon.com (en0 72.21.210.29): S set, 40 headers + 0 data bytes

 

len=46 ip=72.21.210.29 ttl=243 id=24092 sport=80 flags=SA seq=0 win=8190 rtt=22.2 ms

 

len=46 ip=72.21.210.29 ttl=241 id=14744 sport=80 flags=SA seq=1 win=8190 rtt=22.1 ms

 

len=46 ip=72.21.210.29 ttl=242 id=63761 sport=80 flags=SA seq=2 win=8190 rtt=22.0 ms

 

len=46 ip=72.21.210.29 ttl=243 id=58747 sport=80 flags=SA seq=3 win=8190 rtt=22.0 ms

 

len=46 ip=72.21.210.29 ttl=243 id=54002 sport=80 flags=SA seq=4 win=8190 rtt=22.1 ms

 

len=46 ip=72.21.210.29 ttl=243 id=30840 sport=80 flags=SA seq=5 win=8190 rtt=22.2 ms

 

len=46 ip=72.21.210.29 ttl=242 id=7919 sport=80 flags=SA seq=6 win=8190 rtt=22.1 ms

 

len=46 ip=72.21.210.29 ttl=241 id=9077 sport=80 flags=SA seq=7 win=8190 rtt=22.1 ms

 

len=46 ip=72.21.210.29 ttl=242 id=5873 sport=80 flags=SA seq=8 win=8190 rtt=22.1 ms

 

 

My question - follow-up to the original one - is different: when going "after" the real IP of any server being load balanced, the pen-test does not reveal any problems, whereas when going "after" the VIP a few alerts are being raised. How is that possible, and is the LB possibly sensitive to attacks to the system, itself, via the services that it offers (vs. servers behind it being at risk)?