Security Incidents mailing list archives

Re: Port 6688 Traffic


From: Vern Paxson <vern () EE LBL GOV>
Date: Mon, 25 Sep 2000 13:47:28 PDT

I am seeing "suspicious" traffic on port 6688. I have not found references
to this port in the usual resources (/etc/services,

My guess is that this is Gnutella

It's actually Napster, per the previous poster.

Try to type an HTTP request for a file and see what happens. Gnutella
works with an HTTP-like protocol for downloading the files (don't know
if it's completely HTTP).

It's not completely HTTP - there's some initial handshaking, for one.

For more on detecting Napster & Gnutella (and other protocols), see the paper:

        Detecting Backdoors

        Yin Zhang (Cornell) & Vern Paxson (ACIRI)

        Proc. USENIX Security Symposium, August 2000

        http://www.aciri.org/vern/papers/backdoor-sec00.ps.gz
        http://www.aciri.org/vern/papers/backdoor/index.html

- Vern

