Penetration Testing mailing list archives

Re: Some unusual network features


From: Mike Hoskins <mike () adept org>
Date: Tue, 13 Jan 2004 15:46:34 -0800

Paul Johnston wrote:
I've come across the following anomalies while auditing a network, can anyone help explain what they are:

just a couple possibilities...  but keeping an open mind is key.  :)

1) Ports that "hang open" i.e. you can connect, send data ok, but the other end never sends any data and never closes the connection.

this could be a firewalled port not sending RSTs... this is particularly bad behavior for things like mail servers which hang for the full TCP timeout (varies from platform to platform and can be rather long) before dropping requests for "common" things like ident. a real-world example is a mail server sitting behind a Cisco PIX without 'service resetinbound' in the config.

2) HTTP ports that function normally when you issue some methods, but on other methods (including the imaginary method "SILLY") cause the connection to "hang open" like in (1).

perhaps a proxy with similar behavior as in 1 above. (sorry, i'm not a big proxy guy.) often in place to stop things like the IIS WEBDAV exploits. this is usually not as catastrophic since the hang only occurs when requests for known "bad data" are made... i.e. HTTP methods security policy disallows.

3) Ports where the TTL is different on the SYN reply to the rest of the connection. IPIDs also imply that different hosts are handling the SYN and the rest of the connection.

possibly NAT. i.e. packets belonging to the initial TCP setup are given a lower lifetime than those associated with established connections on my BSD/IPFW boxes.

I've got some theories, but I'm not sure how much I'm jumping to conclusions.

you could share your theories... or point out how mine are wrong. :) just trying to throw out some things off the top of my head.
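The TTL and IPID check in item 3 can be applied mechanically to a capture taken on your own network. The following is an added example, not code from either poster; it assumes the server-side packets of one flow have already been extracted into the constructed `Pkt` records (flags, TTL, IP ID), and the gap threshold is a heuristic chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

IPID_MOD = 65536  # IP ID is a 16-bit field, so distances wrap

@dataclass
class Pkt:
    """One server-to-client packet of a TCP flow (constructed records, not a real capture)."""
    flags: str  # "SA" = SYN/ACK, "A" = ACK, "PA" = PSH/ACK
    ttl: int
    ipid: int

def ipid_distance(a: int, b: int) -> int:
    """Shortest distance between two IP IDs, allowing for 16-bit wrap-around."""
    d = (a - b) % IPID_MOD
    return min(d, IPID_MOD - d)

def analyze_flow(pkts: List[Pkt]) -> Dict[str, object]:
    """Compare the SYN/ACK with the established-phase packets of the same flow.

    ttl_mismatch: SYN/ACK TTL differs from the TTL on later packets.
    ipid_gap: SYN/ACK IP ID sits far outside the later IP ID run, i.e. another stack built it.
    """
    synack = next((p for p in pkts if p.flags == "SA"), None)
    later = [p for p in pkts if p.flags != "SA"]
    if synack is None or not later:
        return {"ttl_mismatch": False, "ipid_gap": False, "hint": "need a SYN/ACK and later packets"}
    ttl_mismatch = synack.ttl not in {p.ttl for p in later}
    ipids = sorted(p.ipid for p in later)
    run = ipid_distance(ipids[-1], ipids[0])
    # Heuristic threshold (assumption): more than 4x the observed run, and at least 64 IDs, is a gap.
    ipid_gap = ipid_distance(synack.ipid, ipids[0]) > max(4 * (run + 1), 64)
    if ttl_mismatch and ipid_gap:
        hint = "SYN/ACK probably answered by a different host (NAT, proxy or SYN-handling device)"
    elif ttl_mismatch:
        hint = "handshake packets carry a different TTL; check for NAT or per-state TTL policy"
    elif ipid_gap:
        hint = "IP ID run points at a second IP stack answering the handshake"
    else:
        hint = "no sign of a second host in the handshake path"
    return {"ttl_mismatch": ttl_mismatch, "ipid_gap": ipid_gap, "hint": hint}

# Constructed sample flows: one that matches item 3, one that looks normal.
SUSPECT_FLOW = [Pkt("SA", 255, 7), Pkt("A", 64, 30011), Pkt("PA", 64, 30012), Pkt("PA", 64, 30013)]
NORMAL_FLOW = [Pkt("SA", 64, 30010), Pkt("A", 64, 30011), Pkt("PA", 64, 30012)]

if __name__ == "__main__":
    for name, flow in (("suspect", SUSPECT_FLOW), ("normal", NORMAL_FLOW)):
        print(name, analyze_flow(flow))
```

A single mismatching flow is only a hint; compare several flows to the same host before concluding that a NAT or proxy sits in the path.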

