Firewall Wizards mailing list archives
TCP port 6699 (follow up) & non standard traffic on standard ports
From: mabrown () securepipe com
Date: Mon, 15 Nov 1999 10:28:29 -0600 (CST)
Good morning all,

point 1
-------------
I received the following from an operation called Napster in response to one of our standard incident reports, involving inbound packets on port 6699. Their website appears to be available at http://www.napster.com/, and the product description from the email seems to fit the description afforded on their website. This may be of interest to some of you folks who were asking about this port a few weeks ago.

point 2
-------------
As a side note, I have noticed that we have touched on the topic of non HTTP protocols (e.g., SOAP) being engineered to be passed over HTTP, just the way that these Napster folks appear to be (ab)using the ports for FTP & telnet. I can only imagine that, in an effort to make an end-run around firewalls and proxies, many software developers will begin trying to tunnel all kinds of traffic over standard ports. It will doubtless be much more difficult to tunnel non-standard traffic over proxies than over masquerading firewalls.

Any thoughts on this?

-Martin
From jpr5 () darkridge com (address does not seem to be recognized)
-----------------------------------------------------------------
This is a response to a recent communication we received from you regarding a potential attack on your network. We appreciate your consideration in bringing this matter to our attention.

The connections you have recorded on your network and relayed to us are neither probes nor attacks on your network. Instead, the activity you have observed is part of an automatic configuration of the Napster mp3 client.

To explain briefly, when a user installs Napster on their system and logs in for the first time, they are prompted to automatically configure their file transfer settings. Since file transfers are done client to client, this involves finding an acceptable port on the client from which it can listen for incoming connections, should another client wish to download a file from it.

As part of the automatic configuration, the Napster server connects back to the client over a small range of port numbers in an attempt to negotiate an appropriate port. A few of these ports are non-standard, such as '6699'. Others are well-known, such as telnet (23) and ftp (21). This is done so as to allow users to bypass some firewalls, which may allow well-known traffic to pass through. Since this cannot be determined passively, the Napster server must actively try to seek a working port.

We apologize for any alarm or inconvenience this activity has caused, but hope that the above explanation suffices to put you at ease, insofar as the reported activity is in no way related to any attempt to penetrate into or discern information about your network.

Please do not hesitate to contact me directly in the future, should you have any other security-related concerns.

Thank you for your time.

Jordan Ritter
Security Director, Network Operations
Napster, Inc. (650 373 3800 x204)
All the music you want, when you want it.
--------------------------
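The connect-back behaviour described in the Napster reply above can be told apart from a sweep in denied-connection logs. The following is an added example, not part of the original post: the log format, the addresses, the 60-second window and the function names are assumptions, and the port set contains only the three ports the reply names.

```python
import re
from collections import defaultdict

# Ports named in the reply: 6699 plus ftp (21) and telnet (23).
NAMED_PORTS = {21, 23, 6699}
WELL_KNOWN = {21, 23}
WINDOW = 60  # seconds between first and last attempt (assumed threshold)

# Assumed log format: <epoch> DENY TCP <src>:<sport> -> <dst>:<dport> SYN
LINE = re.compile(r"^(\d+) DENY TCP (\S+):\d+ -> (\S+):(\d+) SYN$")

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
942683300 DENY TCP 198.51.100.7:3121 -> 192.0.2.10:6699 SYN
942683301 DENY TCP 198.51.100.7:3122 -> 192.0.2.10:21 SYN
942683302 DENY TCP 198.51.100.7:3123 -> 192.0.2.10:23 SYN
942683400 DENY TCP 203.0.113.5:4000 -> 192.0.2.10:23 SYN
942683401 DENY TCP 203.0.113.5:4001 -> 192.0.2.11:23 SYN
942683402 DENY TCP 203.0.113.5:4002 -> 192.0.2.12:23 SYN
942683500 DENY TCP 203.0.113.9:5000 -> 192.0.2.10:6699 SYN
garbage line
"""

def parse(log):
    """Yield (timestamp, src, dst, dport) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, src, dst, dport = m.groups()
            yield int(ts), src, dst, int(dport)

def classify(log, window=WINDOW):
    """Label each (src, dst) pair by whether it fits the described pattern."""
    events = defaultdict(list)
    for ts, src, dst, dport in parse(log):
        events[(src, dst)].append((ts, dport))
    result = {}
    for pair, hits in events.items():
        ports = {p for _, p in hits}
        span = max(t for t, _ in hits) - min(t for t, _ in hits)
        # One source, one host: 6699 plus a well-known port, nothing else.
        fits = (6699 in ports and bool(ports & WELL_KNOWN)
                and ports <= NAMED_PORTS and span <= window)
        result[pair] = "connect-back-pattern" if fits else "review"
    return result

if __name__ == "__main__":
    for pair, label in sorted(classify(SAMPLE_LOG).items()):
        print(pair, label)
```

A match only means the attempts are consistent with the described negotiation; whether a client on the inside initiated it still has to be checked against outbound logs.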