nanog mailing list archives

Re: Napster.com moved to 64.124.41.0/24?


From: vern () ee lbl gov
Date: Tue, 12 Sep 2000 16:01:39 PDT


Anyway, apart from the questionable practice of using these IPs for
access-lists, this information is useful for some of us in the
measurement community to write detectors that are less likely to get
false hits, such as might happen when counting Napster traffic based
solely on TCP port numbers.

You might find the following paper interesting:

        Detecting Backdoors

        Yin Zhang (Cornell) & Vern Paxson (ACIRI)

        Proc. USENIX Security Symposium, August 2000

        http://www.aciri.org/vern/papers/backdoor-sec00.ps.gz
        http://www.aciri.org/vern/papers/backdoor/index.html

Along with security-oriented backdoors such as Telnet & SSH, we also
developed backdoor detectors for Napster and Gnutella.  We developed
general detectors that run on reconstructed TCP streams (implemented in
the Bro intrusion detection system) and also fast-cheap-and-definite-hack
detectors that use just tcpdump filters.

The tcpdump detector for Napster is:

           # look for "SEND" or "GET" in a
           # packet by itself (so payload of
           # 4 or 3 bytes, respectively)
           ((ip[2:2] - ((ip[0]&0x0f)<<2) -
             (tcp[12]>>2)) = 4 and
            tcp[(tcp[12]>>2):4] = 0x53454e44) or
           ((ip[2:2] - ((ip[0]&0x0f)<<2) -
             (tcp[12]>>2)) = 3 and
            tcp[(tcp[12]>>2):2] = 0x4745 and
            tcp[(tcp[12]>>2)+2]=0x54)

and the one for Gnutella is:

            # look for "GNUTELLA " as first
            # 9 characters of payload
            tcp[(tcp[12]>>2):4] = 0x474e5554 and
            tcp[(4+(tcp[12]>>2)):4] = 0x454c4c41
            and tcp[8+(tcp[12]>>2)] = 0x20

Another fun one to run (a total hack) is a root backdoor detector:

            # look for '# ' in a packet with
            # exactly 2 bytes of payload
            tcp[(tcp[12]>>2):2] = 0x2320 and
            (ip[2:2] - ((ip[0]&0x0f)<<2) -
            (tcp[12]>>2)) == 2

All of these work surprisingly well, and with kernel BPF can run at
Gbps speeds.

                Vern
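Added example (not code from the post above, nor from Bro or tcpdump): a pure-Python model of the three filters, evaluated against constructed IPv4/TCP packets so the header arithmetic can be checked offline. It mirrors tcpdump's indexing: ip[...] is relative to the IP header and tcp[...] to the TCP header, an out-of-bounds load makes the filter reject the packet, and tcp[12]>>2 yields the TCP header length in bytes only because the reserved bits in the low nibble of that byte are assumed to be zero. The packet builder, port numbers and payloads are constructed test data.

```python
# Added example: Python model of the Napster, Gnutella and root-prompt tcpdump
# filters from the post. Packets start at the IP header (no link-layer frame),
# which matches how tcpdump's ip[] and tcp[] offsets are defined.
import struct


def build_packet(payload: bytes, ip_options: bytes = b"", tcp_options: bytes = b"") -> bytes:
    """Build a minimal IPv4+TCP packet around `payload` (constructed test data).

    Options must be padded to a multiple of 4 bytes, as on the wire.
    """
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4          # IP header length in 32-bit words
    doff = 5 + len(tcp_options) // 4        # TCP data offset in 32-bit words
    total_len = ihl * 4 + doff * 4 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000, 8888, 0, 0, doff << 4, 0x18, 8192, 0, 0) + tcp_options
    return ip_hdr + tcp_hdr + payload


def _load(pkt: bytes, off: int, n: int):
    """Big-endian load of n bytes; None when out of bounds (BPF rejects such packets)."""
    if off < 0 or off + n > len(pkt):
        return None
    return int.from_bytes(pkt[off:off + n], "big")


def ip_field(pkt: bytes, off: int, n: int = 1):
    """tcpdump's ip[off:n]."""
    return _load(pkt, off, n)


def tcp_field(pkt: bytes, off: int, n: int = 1):
    """tcpdump's tcp[off:n]: offset relative to the TCP header, i.e. past IHL*4 bytes of IP header."""
    return _load(pkt, ((pkt[0] & 0x0F) << 2) + off, n)


def data_offset(pkt: bytes) -> int:
    """tcp[12]>>2: TCP header length in bytes (assumes the reserved low-nibble bits are zero)."""
    return tcp_field(pkt, 12) >> 2


def payload_len(pkt: bytes) -> int:
    """ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2): IP total length minus both header lengths."""
    return ip_field(pkt, 2, 2) - ((ip_field(pkt, 0) & 0x0F) << 2) - data_offset(pkt)


def napster(pkt: bytes) -> bool:
    """'SEND' alone (4-byte payload) or 'GET' alone (3-byte payload)."""
    d = data_offset(pkt)
    return ((payload_len(pkt) == 4 and tcp_field(pkt, d, 4) == 0x53454E44) or
            (payload_len(pkt) == 3 and tcp_field(pkt, d, 2) == 0x4745
             and tcp_field(pkt, d + 2) == 0x54))


def gnutella(pkt: bytes) -> bool:
    """Payload begins with the 9 bytes 'GNUTELLA '."""
    d = data_offset(pkt)
    return (tcp_field(pkt, d, 4) == 0x474E5554 and
            tcp_field(pkt, d + 4, 4) == 0x454C4C41 and
            tcp_field(pkt, d + 8) == 0x20)


def root_shell(pkt: bytes) -> bool:
    """Payload is exactly the 2 bytes '# ' (a root prompt sent by itself)."""
    d = data_offset(pkt)
    return tcp_field(pkt, d, 2) == 0x2320 and payload_len(pkt) == 2


if __name__ == "__main__":
    samples = [
        ("SEND alone", build_packet(b"SEND")),
        ("SEND with IP and TCP options", build_packet(b"SEND", b"\x01" * 4, b"\x01" * 4)),
        ("SEND inside a larger payload", build_packet(b"SEND /song.mp3")),
        ("GNUTELLA CONNECT", build_packet(b"GNUTELLA CONNECT/0.4\n\n")),
        ("root prompt", build_packet(b"# ")),
    ]
    for label, pkt in samples:
        print(f"{label:32s} napster={napster(pkt)!s:5s} gnutella={gnutella(pkt)!s:5s} "
              f"root={root_shell(pkt)!s:5s} payload_len={payload_len(pkt)}")
```

The length check is what keeps the Napster and root-prompt filters from firing on "SEND" or "# " occurring at the start of some unrelated, longer payload; the options cases show why the header lengths are computed from ip[0] and tcp[12] rather than hard-coded as 20.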


