Security Incidents mailing list archives

Re: Strange traffic


From: Slawek <sgp () TELSATGP COM PL>
Date: Mon, 16 Oct 2000 21:26:36 +0200

Hi Michal, hi list,


If somebody wants to take a look I've found an old idea, in an old email :)

http://www.securityportal.com/list-archive/firewall-wizards/1998/Dec/0106.html

It looks like it's being implemented by Hotmail now...


Bye,
Slawek


Monday, October 16, 2000 11:29 AM +0200, Michal Zalewski wrote:
On Sat, 14 Oct 2000, Michal Zalewski wrote:

[ This post reflects my personal thoughts and beliefs, which don't have ]
[ to be true. Standard disclaimer applies. Aleph - I wonder what should ]
[ I do with this kind of news - feel free to bounce it or forward it    ]
[ somewhere else... ]

During the investigation, we have noticed really interesting
activities from several other systems as well - for example, some not
really nice examples of client surveillance done by the biggest web
companies. But for now, we are not going to start the hype, and would
like to hear what readers of this list think about the activity we have seen.

Ok, I decided to publish one of the most interesting things - the way
Hotmail (currently owned by Microsoft, right?) and other huge web
companies are dealing with their customers. Take a look at it - this is a
log from several different networks of its night activity:

Thu Oct 12 14:12:47 2000 : (38) [ttl] Generic TTL scan candidate
Thu Oct 12 14:12:47 2000 : + TCP 0x14 216.33.148.250:80 ->
193.XX.XX.34:63765 ttl=1 off=0x4000 id=0x2d05 tos=0x0 len=40 phys=46

Sun Oct 15 21:45:18 2000 : (38) [ttl] Generic TTL scan candidate
Sun Oct 15 21:45:18 2000 : + TCP 0x14 216.111.248.10:80 ->
157.158.181.37:1325 ttl=1 off=0x0 id=0xff20 tos=0x0 len=40 phys=40


[...etc, etc, numerous logs from several networks...]

One of these boxes is, in fact, www.law4.hotmail.com. Such activity has been
noticed both from Hotmail and ADFORCE Corp. servers. I believe it could be
explained by a "load balancing implementation" - we've seen such
explanations in another case - but I seriously doubt it's true. If
you really have to, you can safely measure distance using normal packets.
The same applies to RTT/packet loss, which is - in fact - much more
important for intelligent load balancing (where numerous locations are
available). IMHO, this is an attempt to trace the path to a system using an open
TCP connection - so it will bypass stateful firewalls and so on, showing
the full path in most cases. I don't think this information is collected for
amusement or for "better customer service" - well, in fact, using hackish
methods to collect information about my network infrastructure without my
knowledge is at least not ethical - especially in the case of such big web
services as Hotmail or AdForce.

How did we notice it? Our RST+ACK project, described previously, was not
related to RST+ACK TCP packets only - we started regular network
monitoring looking for all strange activity - packets to non-existent
hosts, packets with unusual settings etc. All using dedicated software...
Most of them can be explained by scan attempts from script kiddies using
traditional tools, but some of them - not really.

I will try to keep posting the most interesting results of the RST+ACK case
study, as we have already lost all hope of getting explanations :P

Once again, I'd like to remind you that the full documentation can be found at
http://lcamtuf.hack.pl/wtf/ (Polish only :/) - it's 240 kB of logs,
hypotheses and analysis, which couldn't have been done without extensive support
from numerous people - http://lcamtuf.hack.pl/wtf/wtf-1.html.

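The pattern Michal describes is a TTL-based path trace riding on an already-open TCP connection: the server side emits packets with ttl=1 and flags 0x14 (RST+ACK) towards the client's port, so each hop's ICMP time-exceeded reply maps the path through a stateful firewall that would drop unsolicited probes. The following detector is an added example, not code from the post or from the lcamtuf.hack.pl project: it parses records in the log format quoted above, decodes the hex flag field, and flags low-TTL ACK-bearing packets from server ports while ignoring ordinary replies and plain low-TTL SYN scans. The log records, the `SERVICE_PORTS` list and the `LOW_TTL` threshold are assumptions for this example, and the client addresses in 192.0.2.0/24 are constructed documentation-range stand-ins for the redacted ones.

```python
"""Flag low-TTL packets that ride on an open TCP connection (added example).

Parses records in the format quoted in the post ("... : + TCP 0x14 src:port ->
dst:port ttl=1 ...") and reports packets that look like a hop-by-hop path
trace done from inside an established connection. Sample records, port list
and TTL threshold are constructed assumptions for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP flag bits as encoded in the 0x.. field of the log records.
TCP_FLAG_BITS = [(0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"),
                 (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]

PACKET_RE = re.compile(
    r"^(?P<ts>.+?) : \+ TCP 0x(?P<flags>[0-9a-fA-F]+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"ttl=(?P<ttl>\d+) off=0x(?P<off>[0-9a-fA-F]+) id=0x(?P<pid>[0-9a-fA-F]+) "
    r"tos=0x(?P<tos>[0-9a-fA-F]+) len=(?P<length>\d+) phys=(?P<phys>\d+)$"
)

# A packet from a distant server normally arrives with a TTL in the tens;
# ttl 1 or 2 means the sender set it that low on purpose (assumed threshold).
LOW_TTL = 2
# Source ports that mark the remote side as the server (assumption).
SERVICE_PORTS = {80, 443, 25, 110, 143}


def decode_flags(flags: int) -> List[str]:
    """0x14 -> ['ACK', 'RST']; order follows TCP_FLAG_BITS."""
    return [name for bit, name in TCP_FLAG_BITS if flags & bit]


@dataclass
class Packet:
    ts: str
    flags: int
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int


def parse_packet(line: str) -> Optional[Packet]:
    """Parse one '+ TCP ...' record; header and other lines yield None."""
    m = PACKET_RE.match(line.strip())
    if not m:
        return None
    return Packet(ts=m["ts"], flags=int(m["flags"], 16), src=m["src"],
                  sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
                  ttl=int(m["ttl"]))


def classify(pkt: Packet) -> Optional[str]:
    """Reason string if the packet looks like an in-connection TTL probe."""
    names = decode_flags(pkt.flags)
    if pkt.ttl > LOW_TTL:
        return None
    if "SYN" in names:
        # A low-TTL SYN is an ordinary scan or firewall-walking probe; it does
        # not depend on an existing connection, so it is not this pattern.
        return None
    if "ACK" in names and pkt.sport in SERVICE_PORTS:
        return ("ttl=%d %s from server port %d: path trace inside an open "
                "TCP connection" % (pkt.ttl, "+".join(names), pkt.sport))
    return None


def scan_log(lines) -> List[Tuple[Packet, str]]:
    """Run classify() over raw log lines and return the flagged packets."""
    hits = []
    for line in lines:
        pkt = parse_packet(line)
        if pkt is None:
            continue
        reason = classify(pkt)
        if reason:
            hits.append((pkt, reason))
    return hits


# Constructed sample records in the post's log format.
SAMPLE_LOG = [
    "Thu Oct 12 14:12:47 2000 : (38) [ttl] Generic TTL scan candidate",
    "Thu Oct 12 14:12:47 2000 : + TCP 0x14 216.33.148.250:80 -> 192.0.2.34:63765 ttl=1 off=0x4000 id=0x2d05 tos=0x0 len=40 phys=46",
    # Normal data segment on the same connection: high TTL, nothing to flag.
    "Thu Oct 12 14:12:48 2000 : + TCP 0x18 216.33.148.250:80 -> 192.0.2.34:63765 ttl=49 off=0x4000 id=0x2d06 tos=0x0 len=1500 phys=1514",
    # Low-TTL SYN from a high port: a scan, but not a trace over an open connection.
    "Thu Oct 12 14:13:02 2000 : + TCP 0x02 192.0.2.99:40112 -> 192.0.2.34:22 ttl=1 off=0x0 id=0x0001 tos=0x0 len=40 phys=54",
    "Sun Oct 15 21:45:18 2000 : + TCP 0x14 216.111.248.10:80 -> 192.0.2.37:1325 ttl=1 off=0x0 id=0xff20 tos=0x0 len=40 phys=40",
]

if __name__ == "__main__":
    for pkt, reason in scan_log(SAMPLE_LOG):
        print("%s %s:%d -> %s:%d  %s" % (pkt.ts, pkt.src, pkt.sport,
                                         pkt.dst, pkt.dport, reason))
```

Run against the constructed sample, only the two ttl=1 RST+ACK records from port 80 are reported; the full-TTL data segment and the low-TTL SYN are not. In a real deployment the server-port heuristic would be replaced by a lookup against the monitor's connection table, which is what lets the rule distinguish a probe inside an existing flow from a stray packet.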
