Firewall Wizards mailing list archives

Re: [FW1] Scary traffic - long


From: Hendrik Visage <hendrik () sdn co za>
Date: Wed, 23 Dec 1998 11:50:52 +0200

dreamwvr wrote:

Hi all,
last time I 'snoop'ed this was the exchange being made for JavaStations.
But that was a while ago; it looks to be a similar scenario.

Guess what?
JavaStations are (mostly) Sun machines which need to get their boot images ;)

Greetz
Hendrik


                                                        Regards,
                                                                dreamwvr () dreamwvr com
At 06:56 PM 12/21/98 +0200, Hendrik Visage wrote:
roger nebel wrote:

RFC 1350 (ftp://ftp.isi.edu/in-notes/rfc1350.txt) mentions nothing about
broadcast, perhaps that's a local implementation deviation by
someone... I'd be interested in how / where you've seen that use.

AFAIK: Sun machines make use of a broadcast to get the boot image:
Procedure:
1) get IP address with RARP
2) send out broadcast tftp get image
3) bootparamd for root, install server and other info
4) mount root and continue

I'm speaking under correction, but I think I've seen the Xyplex terminal
servers also having asked for the image and parameters via broadcast (at
that stage not much info except IP address, old BOOTP).

Now the test (Solaris 2.6):

# tftp
tftp> get 255.255.255.255:abcdef.prm
Received 4703 bytes in 0.1 seconds

Now the interesting part:
===================
# snoop myne|egrep -v "RLOGIN|RSTAT|TCP|RPC|NIS|NFS|NTP"
Using device /dev/hme (promiscuous mode)
       myne -> BROADCAST    TFTP Read "abcdef.prm" (netascii)
    mainman -> myne         TFTP Data block 1 (512 bytes)
       myne -> BROADCAST    TFTP Ack  block 1
    mainman -> myne         TFTP Data block 2 (512 bytes)
       myne -> BROADCAST    TFTP Ack  block 2
    mainman -> myne         TFTP Data block 3 (512 bytes)
       myne -> BROADCAST    TFTP Ack  block 3
    mainman -> myne         TFTP Data block 4 (512 bytes)
       myne -> BROADCAST    TFTP Ack  block 4
    mainman -> myne         TFTP Data block 5 (512 bytes)
       myne -> BROADCAST    TFTP Ack  block 5
    mainman -> myne         TFTP Data block 6 (512 bytes)
       myne -> BROADCAST    TFTP Ack  block 6
    mainman -> myne         TFTP Data block 7 (512 bytes)
       myne -> BROADCAST    TFTP Ack  block 7
    mainman -> myne         TFTP Data block 8 (512 bytes)
       myne -> BROADCAST    TFTP Ack  block 8
    mainman -> myne         TFTP Data block 9 (512 bytes)
       myne -> BROADCAST    TFTP Ack  block 9
    mainman -> myne         TFTP Data block 10 (95 bytes) (last block)
       myne -> BROADCAST    TFTP Ack  block 10


Hendrik Visage wrote:

AFAIK: Unfortunately, tftp DOES have a broadcast "option", but it should
only be in a LAN context: it sends out the broadcast, and then all the
tftp servers will check if they have the requested file, and then reply
if they DO have the file.

tftp is also "dangerous" in the sense that it's UDP, sent out to a port,
and the server sends out via another port. It's not all that easy to have
stateful inspection code for tftp, and FW-1 doesn't handle it as "nicely"
as "standard" ftp :((






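Two things in the thread are worth seeing in working code: the exchange captured by snoop above (one read request to the broadcast address, then data/ack pairs from a single answering server), and the reason FW-1 finds it awkward (the request goes to port 69, but the server answers from a different port of its own choosing, its transfer ID, and every later client packet goes there). The block below is an added example, not code from the thread or from Sun; it contains a minimal RFC 1350 codec, a simulation of the 4703-byte "abcdef.prm" read that reproduces the block sizes in the capture, and a small check over snoop summary lines. The host names come from the capture; the port numbers 34567 and 1069 are assumed, and the assumption that the Solaris client keeps the broadcast destination address but switches to the server's port is noted in the comments (snoop's summary shows only the address).

```python
# Added example (not from the thread): a minimal RFC 1350 TFTP codec, a
# simulated broadcast read that reproduces the snoop exchange above, and a
# check over snoop summary lines. Port numbers and the file content are assumed.
import struct

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
TFTP_PORT = 69          # the only port a firewall rule can name in advance
BLOCK_SIZE = 512


def encode_rrq(filename, mode="netascii"):
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def encode_data(block, payload):
    return struct.pack("!HH", OP_DATA, block) + payload


def encode_ack(block):
    return struct.pack("!HH", OP_ACK, block)


def decode(packet):
    """Decode one TFTP datagram into a dict of its fields."""
    (op,) = struct.unpack("!H", packet[:2])
    if op == OP_RRQ:
        name, mode = packet[2:].split(b"\0")[:2]
        return {"op": op, "filename": name.decode(), "mode": mode.decode()}
    if op == OP_DATA:
        (block,) = struct.unpack("!H", packet[2:4])
        return {"op": op, "block": block, "data": packet[4:]}
    if op == OP_ACK:
        (block,) = struct.unpack("!H", packet[2:4])
        return {"op": op, "block": block}
    if op == OP_ERROR:
        (code,) = struct.unpack("!H", packet[2:4])
        return {"op": op, "code": code, "message": packet[4:].split(b"\0")[0].decode()}
    raise ValueError(f"unsupported opcode {op}")


def simulate_read(filename, file_bytes, client="myne", server="mainman",
                  client_tid=34567, server_tid=1069):
    """Replay a TFTP read as a list of (src, sport, dst, dport, summary) tuples.

    The client addresses its request to port 69 on the broadcast address; the
    answering server replies from a port of its own choosing (its TID), and
    every later client packet goes to that port. Port numbers are assumed.
    """
    log = []
    request = decode(encode_rrq(filename))
    log.append((client, client_tid, "BROADCAST", TFTP_PORT,
                f'Read "{request["filename"]}" ({request["mode"]})'))
    received = b""
    block, offset = 1, 0
    while True:
        payload = file_bytes[offset:offset + BLOCK_SIZE]
        data = decode(encode_data(block, payload))
        received += data["data"]
        log.append((server, server_tid, client, client_tid,
                    f"Data block {block} ({len(payload)} bytes)"))
        ack = decode(encode_ack(block))
        # Assumed: the Solaris client keeps the address it was given (BROADCAST)
        # but sends to the server's TID port, otherwise the server would not
        # continue; snoop's one-line summary shows only the address.
        log.append((client, client_tid, "BROADCAST", server_tid,
                    f"Ack block {ack['block']}"))
        if len(payload) < BLOCK_SIZE:      # short (or empty) block ends the transfer
            break
        block, offset = block + 1, offset + BLOCK_SIZE
    return received, log


def reply_port_differs(log):
    """True when the server's first reply comes from a port other than the one
    the request was sent to: the property that defeats a simple port-69 rule."""
    request, first_reply = log[0], log[1]
    return first_reply[1] != request[3]


# Snoop summary lines copied from the capture above, used as sample input.
SNOOP_LINES = """\
       myne -> BROADCAST    TFTP Read "abcdef.prm" (netascii)
    mainman -> myne         TFTP Data block 1 (512 bytes)
       myne -> BROADCAST    TFTP Ack  block 1
""".splitlines()


def broadcast_tftp_reads(lines):
    """Return the file names requested by TFTP reads sent to the broadcast address."""
    hits = []
    for line in lines:
        parts = line.split()
        if (len(parts) >= 6 and parts[1] == "->" and parts[2] == "BROADCAST"
                and parts[3] == "TFTP" and parts[4] == "Read"):
            hits.append(parts[5].strip('"'))
    return hits


if __name__ == "__main__":
    content, exchange = simulate_read("abcdef.prm", bytes(4703))
    for entry in exchange:
        print("%8s:%-5d -> %-9s:%-5d %s" % entry)
    print(len(content), "bytes; server replied from a new port:", reply_port_differs(exchange))
    print("broadcast TFTP reads seen by snoop:", broadcast_tftp_reads(SNOOP_LINES))
```

Running it prints twenty-one datagrams, nine 512-byte blocks and a final 95-byte block (9 x 512 + 95 = 4703, matching "Received 4703 bytes"), and reports that the first reply came from a port other than 69. That second fact is what a firewall has to cope with: a rule that only permits UDP to 69 never sees the data packets, so the device must either track the request and admit the reply from whatever source port the server picked, or not pass TFTP at all. A file whose length is an exact multiple of 512 ends with an empty data block, which the loop handles the same way.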