Security Incidents mailing list archives

DUP packet replies at tvguide.com


From: bob () CAVU COM (Bob)
Date: Thu, 9 Mar 2000 10:27:00 -0500


Presently tvguide.com (144.198.225.50) is suffering a strange problem in
that every ping packet to it gets about 43 duplicate replies, with a few
having a TTL one higher than the rest.  This problem can be seen from
Linux (and probably UNIX); Windows ping does not detect the problem.

A traceroute is normal.  A ping to the system just before this one in the
traceroute list is normal.

The duplicate replies also seem to be a problem with other protocols such
as TCP/IP (telnet) to port 80 (HTTP).  There also is, not surprisingly, poor
response time from their web server.

This probably is a misconfiguration rather than an intrusion.  Their
DNS was changed in the past few days.  Perhaps they attempted "round robin"
routing to distribute the load among a server farm and misconfigured it
to send each request to each server.

They appear to be an all-Microsoft shop.  A LAN analyzer on their
network to look at MAC addresses would answer this question quickly.  I
informed their night shift of this problem.

A sample ping follows:

% ping tvguide.com
PING tvguide.com (144.198.225.50): 56 data bytes
64 bytes from 144.198.225.50: icmp_seq=0 ttl=116 time=196.7 ms
64 bytes from 144.198.225.50: icmp_seq=0 ttl=116 time=206.8 ms (DUP!)
64 bytes from 144.198.225.50: icmp_seq=0 ttl=115 time=216.8 ms (DUP!)
64 bytes from 144.198.225.50: icmp_seq=0 ttl=115 time=236.9 ms (DUP!)
[another 30 or so DUP replies]
64 bytes from 144.198.225.50: icmp_seq=0 ttl=115 time=537.0 ms (DUP!)
64 bytes from 144.198.225.50: icmp_seq=0 ttl=116 time=547.0 ms (DUP!)
64 bytes from 144.198.225.50: icmp_seq=0 ttl=116 time=549.2 ms (DUP!)
64 bytes from 144.198.225.50: icmp_seq=1 ttl=116 time=200.5 ms
64 bytes from 144.198.225.50: icmp_seq=1 ttl=115 time=210.6 ms (DUP!)
...

Trying TCP/IP by doing "telnet tvguide.com 80" shows the same problem.
(I realize that my input was not valid HTTP but it shows the duplicate
replies.  My network addresses have been obscured in this email.)

telnet tvguide.com 80
Connected to tvguide.com.
Escape character is '^]'.
/index.html

HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/4.0
Date: Thu, 09 Mar 2000 06:05:24 GMT
Content-Type: text/html
Content-Length: 87

<html><head><title>Error</title></head><body>The parameter is incorrect.
</body></html>Connection closed by foreign host.

A tcpdump during the telnet shows:

01:05:18.308632 us.8275 > 144.198.225.50.telnet: S 3282987830:3282987830(0) win 512 <mss 1460> [tos 0x10]
01:05:21.308632 us.8275 > 144.198.225.50.telnet: S 3282987830:3282987830(0) win 32120 <mss 1460> [tos 0x10]
01:05:27.308632 us.8275 > 144.198.225.50.telnet: S 3282987830:3282987830(0) win 32120 <mss 1460> [tos 0x10]
01:05:37.768632 us.8276 > 144.198.225.50.http: S 3369032143:3369032143(0) win 512 <mss 1460> [tos 0x10]
01:05:37.808632 144.198.225.50.http > us.8276: S 874761942:874761942(0) ack 3369032144 win 8760 <mss 1460> (DF)
01:05:37.808632 us.8276 > 144.198.225.50.http: . ack 1 win 32120 (DF) [tos 0x10]
01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
01:05:57.598632 us.8276 > 144.198.225.50.http: P 1:14(13) ack 1 win 32120 (DF) [tos 0x10]
01:05:57.648632 144.198.225.50.http > us.8276: . ack 14 win 8747 (DF)
01:05:58.978632 us.8276 > 144.198.225.50.http: P 14:16(2) ack 1 win 32120 (DF) [tos 0x10]
01:05:59.018632 144.198.225.50.http > us.8276: P 1:225(224) ack 16 win 8745 (DF)
01:05:59.018632 144.198.225.50.http > us.8276: F 225:225(0) ack 16 win 8745 (DF)
01:05:59.018632 us.8276 > 144.198.225.50.http: . ack 226 win 31895 (DF) [tos 0x10]
01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
01:05:59.018632 us.8276 > 144.198.225.50.http: F 16:16(0) ack 226 win 32120 [tos 0x10]
01:05:59.058632 144.198.225.50.http > us.8276: . ack 17 win 8745 (DF)
01:05:59.058632 144.198.225.50.http > us.8276: . ack 17 win 0

Mike O'Shaughnessy, mikeo () cmpsolv com, alerted me to the ping problem
and we worked together to analyze it.

Bob Toxen
bob () cavu com
http://www.cavu.com
http://www.cavu.com/sunset.html                 [Sunset Computer]
ftp://ftp.mindspring.com/users/cavu/century.c   [Y2K CMOS clock fix for Linux]
ftp://ftp.mindspring.com/users/cavu/hwclock.c   [Y2K hwclock for broken CMOS]
Fly-By-Day Consulting, Inc.       "Don't go with a fly-by-night outfit!"
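The analysis above was done by eye over the raw ping and tcpdump output. As an added example (not code from the post or from its authors), the script below turns that inspection into a repeatable check: it parses Linux-style ping lines, counts "(DUP!)" replies and distinct TTL values per echo request, and groups the server's pure ACKs in tcpdump's line format by acknowledgement number so that the bursts of identical ACKs stand out. The sample inputs are constructed here, trimmed from the output quoted in the post, and the function names, the regular expressions and the "more than one responder" heuristic are this example's own assumptions, not anything the post states.

```python
"""Quantify duplicate ICMP echo replies and duplicate TCP ACKs from captured text."""
import re
from collections import Counter, defaultdict

# Constructed sample: trimmed copy of the ping output quoted in the post.
PING_SAMPLE = """\
PING tvguide.com (144.198.225.50): 56 data bytes
64 bytes from 144.198.225.50: icmp_seq=0 ttl=116 time=196.7 ms
64 bytes from 144.198.225.50: icmp_seq=0 ttl=116 time=206.8 ms (DUP!)
64 bytes from 144.198.225.50: icmp_seq=0 ttl=115 time=216.8 ms (DUP!)
64 bytes from 144.198.225.50: icmp_seq=0 ttl=115 time=236.9 ms (DUP!)
64 bytes from 144.198.225.50: icmp_seq=1 ttl=116 time=200.5 ms
64 bytes from 144.198.225.50: icmp_seq=1 ttl=115 time=210.6 ms (DUP!)
64 bytes from 144.198.225.50: icmp_seq=2 ttl=116 time=198.0 ms
"""

# Matches the reply fields that Linux ping prints; "(DUP!)" marks a repeat.
PING_RE = re.compile(r"icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms(?P<dup> \(DUP!\))?")


def summarize_ping(text):
    """Per icmp_seq: number of replies, number flagged DUP, and distinct TTLs."""
    per_seq = defaultdict(lambda: {"replies": 0, "dups": 0, "ttls": set()})
    for line in text.splitlines():
        m = PING_RE.search(line)
        if not m:
            continue
        seq, ttl = int(m.group(1)), int(m.group(2))
        entry = per_seq[seq]
        entry["replies"] += 1
        entry["dups"] += 1 if m.group("dup") else 0
        entry["ttls"].add(ttl)
    return dict(per_seq)


def suspect_multiple_responders(summary):
    """Heuristic (assumption of this example): a request that draws duplicate
    replies carrying more than one TTL is likely being answered by more than
    one host or over more than one path, rather than by a single noisy link."""
    return any(e["dups"] > 0 and len(e["ttls"]) > 1 for e in summary.values())


# Constructed sample: trimmed copy of the tcpdump lines quoted in the post.
TCPDUMP_SAMPLE = """\
01:05:37.768632 us.8276 > 144.198.225.50.http: S 3369032143:3369032143(0) win 512 <mss 1460> [tos 0x10]
01:05:37.808632 144.198.225.50.http > us.8276: S 874761942:874761942(0) ack 3369032144 win 8760 <mss 1460> (DF)
01:05:37.808632 us.8276 > 144.198.225.50.http: . ack 1 win 32120 (DF) [tos 0x10]
01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
01:05:57.598632 us.8276 > 144.198.225.50.http: P 1:14(13) ack 1 win 32120 (DF) [tos 0x10]
01:05:57.648632 144.198.225.50.http > us.8276: . ack 14 win 8747 (DF)
01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
01:05:59.058632 144.198.225.50.http > us.8276: . ack 17 win 8745 (DF)
01:05:59.058632 144.198.225.50.http > us.8276: . ack 17 win 0
"""

# Old-style tcpdump TCP line: "<ts> <src> > <dst>: <flags> [seq:seq(len)] ack <n> win <w> ..."
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+) "
    r"(?:\d+:\d+\(\d+\) )?ack (?P<ack>\d+) win (?P<win>\d+)"
)


def count_duplicate_acks(text):
    """Count pure ACK segments (flags '.') per (src, dst, ack, win) and return
    only the groups seen more than once. Identical pure ACKs arriving together
    carry no new information for the receiver and are the TCP-side symptom of
    the same duplication the ping output shows."""
    seen = Counter()
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if not m or m.group("flags") != ".":
            continue
        seen[(m.group("src"), m.group("dst"), int(m.group("ack")), int(m.group("win")))] += 1
    return {key: n for key, n in seen.items() if n > 1}


if __name__ == "__main__":
    summary = summarize_ping(PING_SAMPLE)
    for seq in sorted(summary):
        e = summary[seq]
        print(f"icmp_seq={seq}: {e['replies']} replies, {e['dups']} DUP, ttls={sorted(e['ttls'])}")
    print("multiple responders suspected:", suspect_multiple_responders(summary))
    for (src, dst, ack, win), n in count_duplicate_acks(TCPDUMP_SAMPLE).items():
        print(f"{src} > {dst}: ack {ack} win {win} repeated {n} times")
```

Run it on a saved ping transcript or a `tcpdump -n` text capture of your own host; a single seq drawing dozens of replies with mixed TTLs, or a server emitting the same pure ACK several times at one timestamp, is worth escalating to whoever owns the address (or, as the post suggests, to a LAN analyzer on the server side that can see the MAC addresses).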
