Security Incidents mailing list archives
DUP packet replies at tvguide.com
From: bob () CAVU COM (Bob)
Date: Thu, 9 Mar 2000 10:27:00 -0500
Presently tvguide.com (144.198.225.50) is suffering a strange problem in that every ping packet to it gets about 43 duplicate replies, with a few having a TTL one higher than the rest. This problem can be seen from Linux (and probably UNIX); Windows ping does not detect the problem. A traceroute is normal. A ping to the system just before this one in the traceroute list is normal. The duplicate replies also seem to be a problem with other protocols such as TCP/IP (telnet) to port 80 (HTTP). There also is, not surprisingly, poor response time from their web server.

This probably is a misconfiguration rather than an intrusion. Their DNS was changed in the past few days. Perhaps they attempted "round robin" routing to distribute the load among a server farm and misconfigured it to send each request to each server. They appear to be an all-Microsoft shop. A LAN analyzer on their network to look at MAC addresses would answer this question quickly. I informed their night shift of this problem.

A sample ping follows:

    % ping tvguide.com
    PING tvguide.com (144.198.225.50): 56 data bytes
    64 bytes from 144.198.225.50: icmp_seq=0 ttl=116 time=196.7 ms
    64 bytes from 144.198.225.50: icmp_seq=0 ttl=116 time=206.8 ms (DUP!)
    64 bytes from 144.198.225.50: icmp_seq=0 ttl=115 time=216.8 ms (DUP!)
    64 bytes from 144.198.225.50: icmp_seq=0 ttl=115 time=236.9 ms (DUP!)
    [another 30 or so DUP replies]
    64 bytes from 144.198.225.50: icmp_seq=0 ttl=115 time=537.0 ms (DUP!)
    64 bytes from 144.198.225.50: icmp_seq=0 ttl=116 time=547.0 ms (DUP!)
    64 bytes from 144.198.225.50: icmp_seq=0 ttl=116 time=549.2 ms (DUP!)
    64 bytes from 144.198.225.50: icmp_seq=1 ttl=116 time=200.5 ms
    64 bytes from 144.198.225.50: icmp_seq=1 ttl=115 time=210.6 ms (DUP!)
    ...

Trying TCP/IP by doing "telnet tvguide.com 80" shows the same problem. (I realize that my input was not valid HTTP but it shows the duplicate replies. My network addresses have been obscured in this email.)

    telnet tvguide.com 80
    Connected to tvguide.com.
    Escape character is '^]'.
    /index.html
    HTTP/1.1 400 Bad Request
    Server: Microsoft-IIS/4.0
    Date: Thu, 09 Mar 2000 06:05:24 GMT
    Content-Type: text/html
    Content-Length: 87

    <html><head><title>Error</title></head><body>The parameter is incorrect. </body></html>Connection closed by foreign host.

A tcpdump during the telnet shows:

    01:05:18.308632 us.8275 > 144.198.225.50.telnet: S 3282987830:3282987830(0) win 512 <mss 1460> [tos 0x10]
    01:05:21.308632 us.8275 > 144.198.225.50.telnet: S 3282987830:3282987830(0) win 32120 <mss 1460> [tos 0x10]
    01:05:27.308632 us.8275 > 144.198.225.50.telnet: S 3282987830:3282987830(0) win 32120 <mss 1460> [tos 0x10]
    01:05:37.768632 us.8276 > 144.198.225.50.http: S 3369032143:3369032143(0) win 512 <mss 1460> [tos 0x10]
    01:05:37.808632 144.198.225.50.http > us.8276: S 874761942:874761942(0) ack 3369032144 win 8760 <mss 1460> (DF)
    01:05:37.808632 us.8276 > 144.198.225.50.http: . ack 1 win 32120 (DF) [tos 0x10]
    01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
    01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
    01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
    01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
    01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
    01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
    01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
    01:05:57.598632 us.8276 > 144.198.225.50.http: P 1:14(13) ack 1 win 32120 (DF) [tos 0x10]
    01:05:57.648632 144.198.225.50.http > us.8276: . ack 14 win 8747 (DF)
    01:05:58.978632 us.8276 > 144.198.225.50.http: P 14:16(2) ack 1 win 32120 (DF) [tos 0x10]
    01:05:59.018632 144.198.225.50.http > us.8276: P 1:225(224) ack 16 win 8745 (DF)
    01:05:59.018632 144.198.225.50.http > us.8276: F 225:225(0) ack 16 win 8745 (DF)
    01:05:59.018632 us.8276 > 144.198.225.50.http: . ack 226 win 31895 (DF) [tos 0x10]
    01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
    01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
    01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
    01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
    01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
    01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
    01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
    01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
    01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
    01:05:59.018632 us.8276 > 144.198.225.50.http: F 16:16(0) ack 226 win 32120 [tos 0x10]
    01:05:59.058632 144.198.225.50.http > us.8276: . ack 17 win 8745 (DF)
    01:05:59.058632 144.198.225.50.http > us.8276: . ack 17 win 0

Mike O'Shaughnessy, mikeo () cmpsolv com, alerted me to the ping problem and we worked together to analyze it.

Bob Toxen
bob () cavu com
http://www.cavu.com
http://www.cavu.com/sunset.html [Sunset Computer]
ftp://ftp.mindspring.com/users/cavu/century.c [Y2K CMOS clock fix for Linux]
ftp://ftp.mindspring.com/users/cavu/hwclock.c [Y2K hwclock for broken CMOS]
Fly-By-Day Consulting, Inc. "Don't go with a fly-by-night outfit!"
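Added example, not part of Bob's post: a small Python checker that reads ping and tcpdump lines in the format quoted above and flags the symptom he describes (several replies per icmp_seq, TTLs that differ by one, and identical pure ACKs repeated for one flow). The sample lines are constructed after the post's output, not taken from his capture.

```python
import re
from collections import defaultdict

# Constructed sample lines (not Bob's capture), in the format quoted in the post.
PING_SAMPLE = """\
64 bytes from 144.198.225.50: icmp_seq=0 ttl=116 time=196.7 ms
64 bytes from 144.198.225.50: icmp_seq=0 ttl=116 time=206.8 ms (DUP!)
64 bytes from 144.198.225.50: icmp_seq=0 ttl=115 time=216.8 ms (DUP!)
64 bytes from 144.198.225.50: icmp_seq=1 ttl=116 time=200.5 ms
64 bytes from 144.198.225.50: icmp_seq=1 ttl=115 time=210.6 ms (DUP!)
"""
TCPDUMP_SAMPLE = """\
01:05:37.808632 us.8276 > 144.198.225.50.http: . ack 1 win 32120 (DF) [tos 0x10]
01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
01:05:57.648632 144.198.225.50.http > us.8276: . ack 14 win 8747 (DF)
"""

PING_RE = re.compile(r"icmp_seq=(\d+) ttl=(\d+) time=[\d.]+ ms( \(DUP!\))?")
ACK_RE = re.compile(r"^\S+ (\S+) > (\S+): \. ack (\d+) win \d+")

def summarize_ping(text):
    """Per icmp_seq: total replies, DUP-flagged replies and the distinct TTLs seen.
    A healthy host yields exactly one reply and one TTL per sequence number."""
    out = defaultdict(lambda: {"replies": 0, "dups": 0, "ttls": set()})
    for m in PING_RE.finditer(text):
        rec = out[int(m.group(1))]
        rec["replies"] += 1
        rec["dups"] += 1 if m.group(3) else 0
        rec["ttls"].add(int(m.group(2)))
    return {seq: {**r, "ttls": sorted(r["ttls"])} for seq, r in out.items()}

def suspicious_seqs(summary):
    """Sequence numbers that look answered by more than one host: several replies,
    or several TTLs (TTLs that differ point to different hosts or paths)."""
    return sorted(s for s, r in summary.items()
                  if r["replies"] > 1 or len(r["ttls"]) > 1)

def duplicate_acks(text):
    """Pure-ACK tcpdump lines repeated for the same (src, dst, ack number)."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = ACK_RE.match(line)
        if m:
            src, dst, ack = m.groups()
            counts[(src, dst, int(ack))] += 1
    return {key: n for key, n in counts.items() if n > 1}
```

Feed it the output of `ping` and `tcpdump -n` saved to files; a non-empty result from `suspicious_seqs` or `duplicate_acks` is the signature of several hosts answering for one address.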
Current thread:
- DUP packet replies at tvguide.com Bob (Mar 09)
- <Possible follow-ups>
- Re: DUP packet replies at tvguide.com GALES,SIMON (Non-A-ColSprings,ex1) (Mar 13)
- Re: DUP packet replies at tvguide.com Christopher L. Morrow (Mar 14)
- Re: DUP packet replies at tvguide.com Bob (Mar 15)