Firewall Wizards mailing list archives

TCP port 6699 (follow up) & non standard traffic on standard ports


From: mabrown () securepipe com
Date: Mon, 15 Nov 1999 10:28:29 -0600 (CST)

Good morning all,


point 1
-------------
I received the following from an operation called Napster in response
to one of our standard incident reports, involving inbound packets
on port 6699.  Their website appears to be available at
http://www.napster.com/, and the product description from the email
seems to fit the description afforded on their website.

This may be of interest to some of you folks who were asking about this
port a few weeks ago.


point 2
-------------
As a side note, I have noticed that we have touched on the topic of
non-HTTP protocols (e.g., SOAP) being engineered to be passed over HTTP,
just the way that these Napster folks appear to be (ab)using the ports
for FTP & telnet.

I can only imagine that, in an effort to make an end-run around
firewalls and proxies, many software developers will begin trying to
tunnel all kinds of traffic over standard ports.  It will doubtless be
much more difficult to tunnel non-standard traffic over proxies than
over masquerading firewalls.

Any thoughts on this?

-Martin


From jpr5 () darkridge com (address does not seem to be recognized)
-----------------------------------------------------------------

   This is a response to a recent communication we received from you
   regarding a potential attack on your network.  We appreciate your
   consideration in bringing this matter to our attention.

   The connections you have recorded on your network and relayed to us
   are neither probes nor attacks on your network.  Instead, the
   activity you have observed is part of an automatic configuration of
   the Napster mp3 client.  

   To explain briefly, when a user installs Napster on their system
   and logs in for the first time, they are prompted to automatically
   configure their file transfer settings.  Since file transfers are
   done client to client, this involves finding an acceptable port on
   the client from which it can listen for incoming connections,
   should another client wish to download a file from it.  As part of
   the automatic configuration, the Napster server connects back to
   the client over a small range of port numbers in an attempt to
   negotiate an appropriate port.  A few of these ports are
   non-standard, such as '6699'.  Others are well-known, such as
   telnet (23) and ftp (21).  This is done so as to allow users to
   bypass some firewalls, which may allow well-known traffic to pass
   through.  Since this cannot be determined passively, the Napster
   server must actively try to seek a working port.

   We apologize for any alarm or inconvenience this activity has
   caused, but hope that the above explanation suffices to put you at
   ease, insofar as the reported activity is in no way related to any
   attempt to penetrate into or discern information about your
   network.  Please do not hesitate to contact me directly in the
   future, should you have any other security-related concerns.

   Thank you for your time.


Jordan Ritter
Security Director, Network Operations
Napster, Inc.     (650 373 3800 x204)

All the music you want, when you want it.
--------------------------
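
The connect-back pattern described in the reply above (one remote host trying several unrelated ports on the same internal address within moments) can be picked out of packet-filter logs. The sketch below is an added example, not part of the original messages or any Napster code; the log format, the addresses and the 60-second window are assumptions, and the port set contains only the three ports named in the reply.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the reply above; the full range the server tries is not given there.
NEGOTIATION_PORTS = {21, 23, 6699}

# Constructed sample lines in a hypothetical packet-filter log format
# (addresses are RFC 5737 documentation ranges, not real hosts).
SAMPLE_LOG = """\
1999-11-15T10:01:02 DENY tcp 198.51.100.7:40112 -> 192.0.2.10:6699 SYN
1999-11-15T10:01:03 DENY tcp 198.51.100.7:40113 -> 192.0.2.10:23 SYN
1999-11-15T10:01:05 DENY tcp 198.51.100.7:40115 -> 192.0.2.10:21 SYN
1999-11-15T10:07:40 DENY tcp 203.0.113.9:51000 -> 192.0.2.10:23 SYN
1999-11-15T11:30:00 DENY tcp 203.0.113.9:51001 -> 192.0.2.10:21 SYN
1999-11-15T10:09:00 ACCEPT tcp 203.0.113.50:3300 -> 192.0.2.20:80 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) tcp (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) SYN$"
)

def find_connect_back_sweeps(log_text, window=timedelta(seconds=60), min_ports=2):
    """Map (src, dst) to the sorted negotiation ports that src tried on dst
    within one time window, for pairs reaching at least min_ports ports."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) not in NEGOTIATION_PORTS:
            continue  # unparsable line, or a port outside the named set
        when = datetime.fromisoformat(m["ts"])
        hits[(m["src"], m["dst"])].append((when, int(m["dport"])))
    flagged = {}
    for pair, events in hits.items():
        events.sort()
        # Slide a window forward from each event and count distinct ports in it.
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                flagged[pair] = sorted(ports)
                break
    return flagged

if __name__ == "__main__":
    for (src, dst), ports in find_connect_back_sweeps(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: ports {ports} tried within one window")
```

The second source in the sample touches two of the ports more than an hour apart and is not flagged, which keeps unrelated single connection attempts out of the report.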