Security Incidents mailing list archives

Re: Munged Napster Sessions


From: spb () SCHADENFREUDE MESHUGGENEH NET (Stephen P. Berry)
Date: Fri, 17 Mar 2000 08:30:49 -0800


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In message <38D15DEA.8A9B4345 () relaygroup com>, Vanja Hrustic writes:

> "Stephen P. Berry" wrote:
> > Notably, the traffic of interest includes various bogus TCP flag
> > combinations (everything from SYN-FIN packets to full Xmas packets),
> > bogus TCP flags, and tiny fragments.
> > In the absence of the established napster session, the anomalous traffic would
> > look powerfully like some sort of TCP fingerprinting attempt to
> > me.
>
> A silly question: are any of the sites involved located at *.demon.co.uk, by
> any chance?

Not silly at all;  I usually put a standard disclaimer in anything I
post here that the traffic in question did -not- originate in
demon.co.uk, gb.net, or any of that lot---for precisely the reasons
you discuss.

Has somebody coined a neologism for this phenomenon?  I'd taken to
calling elements of the patterns in question `pom packets' when discussing
them with some fellow analysts, but somehow that doesn't look quite
proper in a formal incident report.

> I think that quite a few people these days are seeing false alarms caused
> by traffic which comes from demon. Demon blames it on "network
> equipment". For example, a guy (using demon.co.uk) is browsing my
> website, and during that session, a packet is sent to a random high port
> (like 3xxxx). Packets are really strange; sometimes they have all bits
> set, sometimes not.

Even more interestingly, the traffic fragments that get hemorrhaged from
that end frequently appear to be valid snippets of other TCP[0] streams.
I.e., a bit of a URL, a fragment of MIME header, u.s.w.

One of the first bursts of bogus crap from demon.co.uk I ever analysed
first came to my attention because it contained a telnet login failure.

- From context, I gather that you're one of the lucky few who have received
replies from the provider(s) in question (I've sent several queries[1],
but never received an answer).  Did they happen to mention what
flavour of `network equipment' it was that they were fingering as the
culprit?  If anyone ever gives me any of that `network equipment' I
want to know, so I can trade it for a dog, shoot the dog, then claim
I never owned it.

Anyway (dashing back to the original point), no.  The peculiar napster-related
traffic I reported did -not- originate from demon.co.uk or thereabouts.

- -Steve

- -----
0     Or at least I can't recall seeing anything but TCP.
1     Once back when I started seeing it, a year and a half or two years
      ago;  again somewhat later when it reappeared after having been
      gone a couple months;  and then once again after that, just because
      I was feeling ornery over not having gotten a response.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE40l2sG3kIaxeRZl8RAjyBAJ9ZnwOliuQZOYQ6Db5T4mEIMfJg4ACg7VIm
LoI/fCfecGGNarAf/luxisY=
=L2Sv
-----END PGP SIGNATURE-----
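The flag combinations and tiny fragments discussed in the thread, as an added example that is not code from the original post or from any of the parties: a small rule set labels packets carrying TCP flag combinations no conforming stack emits (SYN-FIN, Xmas, full Xmas, null, bare FIN) or first fragments too short to hold a TCP header (the RFC 1858 checks), then correlates each hit with a table of already-established sessions. That correlation is the distinction Steve draws: the same bogus packet is one thing inside an established Napster session and another thing arriving unsolicited, where it looks like fingerprinting. The Packet record, the session table, the addresses (RFC 5737 documentation ranges) and the sample traffic are all constructed for the example.

```python
"""Added example: classify bogus TCP flag combinations and tiny IP fragments,
then correlate each hit with a table of established sessions so anomalies
riding inside a known session are reported separately from unsolicited ones
that look like fingerprinting. All packet records below are constructed."""

from dataclasses import dataclass
from typing import Optional

# TCP flag bits as laid out in the header flags byte (RFC 793, RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
CLASSIC_SIX = FIN | SYN | RST | PSH | ACK | URG
MIN_TCP_HEADER = 20  # bytes; a first fragment shorter than this cannot hold ports and flags


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0          # TCP flags byte (only meaningful on a first fragment)
    frag_offset: int = 0    # IP fragment offset in 8-byte units
    more_frags: bool = False
    payload_len: int = 40   # IP payload bytes carried by this datagram


def flag_anomaly(flags: int) -> Optional[str]:
    """Label a flag combination that no conforming TCP stack emits, else None."""
    if flags & CLASSIC_SIX == CLASSIC_SIX:
        return "full-xmas"            # every classic flag lit
    if flags & SYN and flags & FIN:
        return "syn-fin"              # open and close in one segment
    if flags & SYN and flags & RST:
        return "syn-rst"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG) and not flags & (SYN | ACK):
        return "xmas"                 # nmap-style Xmas probe
    if flags & CLASSIC_SIX == 0:
        return "null"                 # no classic flag at all (ECE/CWR alone still counts)
    if flags & FIN and not flags & ACK:
        return "fin-no-ack"           # bare FIN probe; a real FIN carries ACK
    return None


def fragment_anomaly(pkt: Packet) -> Optional[str]:
    """RFC 1858 checks: a first fragment too small to hold a TCP header, or a
    fragment at offset 1 that would overwrite the flags of the first one."""
    if pkt.frag_offset == 0 and pkt.more_frags and pkt.payload_len < MIN_TCP_HEADER:
        return "tiny-first-fragment"
    if pkt.frag_offset == 1:
        return "fragment-offset-1"
    return None


def session_key(src: str, sport: int, dst: str, dport: int) -> tuple:
    """Direction-independent 4-tuple so either side of a session matches."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def classify(pkt: Packet, sessions: set) -> Optional[dict]:
    """None for clean packets; otherwise the anomaly plus whether it sits
    inside a session already seen established."""
    anomaly = fragment_anomaly(pkt)
    if anomaly is None and pkt.frag_offset == 0:   # flags are only valid in a first fragment
        anomaly = flag_anomaly(pkt.flags)
    if anomaly is None:
        return None
    established = session_key(pkt.src, pkt.sport, pkt.dst, pkt.dport) in sessions
    verdict = "anomaly-in-established-session" if established else "looks-like-fingerprinting"
    return {"src": pkt.src, "anomaly": anomaly, "established": established, "verdict": verdict}


def analyse(packets, sessions):
    """All anomalous packets in capture order, each with its verdict."""
    return [r for r in (classify(p, sessions) for p in packets) if r is not None]


# Constructed traffic: a Napster-style client/server session that the sensor
# has already seen complete its handshake, plus an unrelated third host.
NAPSTER_SESSION = {session_key("192.0.2.10", 3213, "198.51.100.7", 8888)}
SAMPLE = [
    Packet("192.0.2.10", 3213, "198.51.100.7", 8888, flags=PSH | ACK),              # normal data
    Packet("198.51.100.7", 8888, "192.0.2.10", 3213, flags=SYN | FIN),              # bogus, in session
    Packet("198.51.100.7", 8888, "192.0.2.10", 3213, flags=CLASSIC_SIX),            # full Xmas, in session
    Packet("203.0.113.9", 31337, "192.0.2.10", 80, flags=FIN | PSH | URG),          # Xmas probe, no session
    Packet("203.0.113.9", 31337, "192.0.2.10", 80, more_frags=True, payload_len=8),  # tiny first fragment
    Packet("203.0.113.9", 31337, "192.0.2.10", 80, frag_offset=5),                  # ordinary later fragment
]

if __name__ == "__main__":
    for hit in analyse(SAMPLE, NAPSTER_SESSION):
        print(hit)
```

The session table is the part that matters operationally: without it every one of these hits reads as a scan, which is exactly the false-alarm problem the thread describes. Feed it from your own handshake tracking (or a connection log) rather than trusting a packet's ACK bit, since fingerprinting tools set that bit too.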

