Security Incidents mailing list archives
Re: Strange traffic
From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Mon, 16 Oct 2000 11:29:47 +0200
On Sat, 14 Oct 2000, Michal Zalewski wrote:

[ This post reflects my personal thoughts and beliefs, which don't have ]
[ to be true. Standard disclaimer applies. Aleph - I wonder what should ]
[ I do with this kind of news - feel free to bounce it or forward it ]
[ somewhere else... ]
During the investigation, we have noticed really interesting activities from several other systems as well - for example, some not really nice examples of client surveillance done by the biggest web companies. But for now, we are not going to start the hype, and would like to hear what readers of this list think about the activity we have seen.
Ok, I decided to publish one of the most interesting things - the way Hotmail (currently owned by Microsoft, right?) and other huge web companies are dealing with their customers. Take a look at it - this is a log, from several different networks, of its night activity:

  Thu Oct 12 14:12:47 2000 : (38) [ttl] Generic TTL scan candidate
  Thu Oct 12 14:12:47 2000 : + TCP 0x14 216.33.148.250:80 -> 193.XX.XX.34:63765 ttl=1 off=0x4000 id=0x2d05 tos=0x0 len=40 phys=46

  Sun Oct 15 21:45:18 2000 : (38) [ttl] Generic TTL scan candidate
  Sun Oct 15 21:45:18 2000 : + TCP 0x14 216.111.248.10:80 -> 157.158.181.37:1325 ttl=1 off=0x0 id=0xff20 tos=0x0 len=40 phys=40

  [...etc, etc, numerous logs from several networks...]

One of these boxes is, in fact, www.law4.hotmail.com. Such activity has been noticed both from Hotmail and ADFORCE Corp. servers. I believe it could be explained with "load balancing implementation" - we've seen such explanations in another case - but I am in serious doubt it's true. If you really have to, you can safely measure distance using normal packets. The same applies to RTT/packet loss, which is - in fact - much more important for intelligent load balancing (where numerous locations are available).

IMHO, this is an attempt to trace the path to a system using an open TCP connection - so it will bypass stateful firewalls and so on, showing the full path in most cases. I don't think this information is collected for amusement or for "better customer service" - well, in fact, using hackish methods to collect information about my network infrastructure without my knowledge is at least not ethical - especially in the case of such big web services as Hotmail or AdForce.

How did we notice it? Our RST+ACK project, described previously, was not related to RST+ACK TCP packets only - we started regular network monitoring looking for all strange activity - packets to non-existing hosts, packets with unusual settings etc. All using dedicated software...
Most of them can be explained with scan attempts from script kiddies using traditional tools, but some of them - not really. I will try to keep posting the most interesting results of the RST+ACK case study, as we already lost all hope for explanations :P

Once again, I'd like to remind you that full documentation can be found at http://lcamtuf.hack.pl/wtf/ (Polish only :/) - it's 240 kB of logs, hypotheses and analysis, which couldn't be done without extensive support from numerous people - http://lcamtuf.hack.pl/wtf/wtf-1.html.

PS. Still looking for a good job: http://lcamtuf.na.export.pl/job.html

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
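The "Generic TTL scan candidate" entries quoted in the post above were produced by the poster's own monitoring software, which is not published on this page. As an added example (it is not that tool, nor anything belonging to Hotmail or AdForce), here is a small Python detector that parses log lines of the same shape as the two quoted ones and flags low-TTL packets that carry ACK: packets riding an already-established connection whose TTL is small enough to expire at a nearby router, which is what a traceroute carried over an open TCP connection looks like from the target's side, and why a stateful firewall lets it through. The sample log is constructed: its first four lines reproduce the two quoted entries, the last two are made-up control lines. Reading the hex field after "TCP" as the TCP flags byte, the field names, and the TTL threshold of 3 are all assumptions, not facts stated in the post.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log. Lines 1-4 follow the two entries quoted in the post;
# lines 5-6 are made-up controls: a normal data segment with a sane TTL, and a
# low-TTL bare SYN (a new-connection probe, a different pattern, left unflagged).
SAMPLE_LOG = """\
Thu Oct 12 14:12:47 2000 : (38) [ttl] Generic TTL scan candidate
Thu Oct 12 14:12:47 2000 : + TCP 0x14 216.33.148.250:80 -> 193.XX.XX.34:63765 ttl=1 off=0x4000 id=0x2d05 tos=0x0 len=40 phys=46
Sun Oct 15 21:45:18 2000 : (38) [ttl] Generic TTL scan candidate
Sun Oct 15 21:45:18 2000 : + TCP 0x14 216.111.248.10:80 -> 157.158.181.37:1325 ttl=1 off=0x0 id=0xff20 tos=0x0 len=40 phys=40
Sun Oct 15 21:45:19 2000 : + TCP 0x18 216.111.248.10:80 -> 157.158.181.37:1325 ttl=52 off=0x4000 id=0xff21 tos=0x0 len=1500 phys=1514
Sun Oct 15 21:45:20 2000 : + TCP 0x02 10.0.0.5:3322 -> 157.158.181.37:22 ttl=1 off=0x4000 id=0x0001 tos=0x0 len=40 phys=40
"""

# Standard TCP flag bits. Treating the "0x14" field in the log as this byte is an
# assumption about the logging tool's format (0x14 = RST+ACK).
TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
ACK = 0x10

# Matches only the "+ TCP" packet lines; the "[ttl] ..." verdict lines are skipped.
PACKET_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : \+ TCP (?P<flags>0x[0-9a-fA-F]+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+) (?P<kv>.*)$"
)


@dataclass
class Packet:
    ts: str
    flags: int
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    ip_id: int
    length: int


def parse_line(line: str) -> Optional[Packet]:
    """Parse one packet line; returns None for lines that are not '+ TCP' records."""
    m = PACKET_RE.match(line)
    if not m:
        return None
    # Trailing "key=value" fields (ttl=1 off=0x4000 id=0x2d05 ...), names assumed from the sample.
    kv = dict(item.split("=", 1) for item in m["kv"].split())
    return Packet(ts=m["ts"], flags=int(m["flags"], 16),
                  src=m["src"], sport=int(m["sport"]),
                  dst=m["dst"], dport=int(m["dport"]),
                  ttl=int(kv["ttl"]), ip_id=int(kv["id"], 16), length=int(kv["len"]))


def parse_log(text: str) -> List[Packet]:
    return [p for p in (parse_line(line) for line in text.splitlines()) if p is not None]


def flag_names(flags: int) -> str:
    """Human-readable flag list in bit order, e.g. 0x14 -> 'RST+ACK'."""
    return "+".join(name for bit, name in sorted(TCP_FLAG_BITS.items()) if flags & bit) or "none"


def is_in_connection_ttl_probe(pkt: Packet, max_ttl: int = 3) -> bool:
    """A packet arriving with a tiny TTL either crossed an implausibly long path or was
    sent with a deliberately small TTL so that a router on the way answers with ICMP
    time-exceeded: the traceroute trick. Requiring ACK restricts the match to packets
    that belong to an already-open connection, the ones a stateful firewall forwards.
    The threshold of 3 hops is an assumed tuning value."""
    return pkt.ttl <= max_ttl and bool(pkt.flags & ACK)


def find_ttl_probes(text: str, max_ttl: int = 3) -> List[Packet]:
    return [p for p in parse_log(text) if is_in_connection_ttl_probe(p, max_ttl)]


def probe_sources(text: str, max_ttl: int = 3) -> dict:
    """Candidate probes per source host: the list to correlate against the web servers
    your clients were actually talking to at that time."""
    return dict(Counter(p.src for p in find_ttl_probes(text, max_ttl)))


if __name__ == "__main__":
    for p in find_ttl_probes(SAMPLE_LOG):
        print(f"{p.ts}: {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"ttl={p.ttl} flags={flag_names(p.flags)} ip_id=0x{p.ip_id:04x}")
```

Run against the constructed sample, the two quoted packets are reported (RST+ACK, TTL 1, from port 80 back to a client's ephemeral port) while the normal segment and the bare SYN are not; on real traffic the next step is to check whether the flagged source was in fact the other end of a connection your client had open at that moment, which is what separates an in-connection trace from an ordinary scan.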
Current thread:
- Re: Strange traffic Michal Zalewski (Oct 16)
- Re: Strange traffic Slawek (Oct 16)