funsec mailing list archives
An interesting packet inspection problem
From: Drsolly <drsollyp () drsolly com>
Date: Sat, 14 Jan 2006 21:50:49 +0000 (GMT)
I'm having a very strange problem. I'm enclosing a test file, zipped (you'll see why). The file, duff.12, is blocked somehow, and has been for the last two days or so. It's a 43 byte file:

    This is a test file
    xxxxxx
    End of the file

But the x's are hexadecimal bc, six of them, and that's the "active ingredient".

Because the blocking problem depends on the content of the file (files without the "active ingredient" transfer just fine), I'm thinking it's related to some kind of packet inspection, and that puts it into the security area, probably. The string of 6 bc hex might not be the only possible "active ingredient", but it is one that I've narrowed down to.

I have three locations, call them Watford, Chesham and Vodafone. Watford is my colocation (run by Cable and Wireless), Chesham is my home (ISP is Nildram) and Vodafone is a laptop connected via the Vodafone network, using GPRS over a mobile. I also have an AOL account.

When the file is blocked, it's blocked using ftp, http and telnet. It isn't blocked if I Zip the file, or send it via ssh (because then the "active ingredient" isn't there, it's encrypted).

    Vodafone -> Watford                    OK
    Watford  -> Vodafone                   Blocked
    AOL      -> Watford                    OK
    AOL      -> Chesham                    OK
    Watford  -> Chesham                    Blocked
    Chesham  -> Watford                    Blocked
    Vodafone -> Chesham                    OK
    Chesham  -> Vodafone                   Blocked
    Watford  -> Some guy in America        OK
    Watford  -> Some guy in Switzerland    Blocked

I put a server on the Watford location without any Firewall. Still blocked. So it isn't my firewall (I didn't think it was, but it's good to eliminate).

It's pretty strange that A -> B is blocked, while B -> A isn't. Using the Vodafone data, I can prove that it must be Watford, but I can also prove that it must be Chesham.

Well, this implies that the problem is at *both* Watford and Chesham, and must therefore be something that both Nildram and Cable&Wireless use, but the only thing I can think of there is the London Interchange (Link), and I cannot believe that they would do any kind of packet inspection, the volumes are simply ginormous.

The tech support people at Cable and Wireless (who seem to be Clueful) are baffled, and I don't blame them. With the data above, you can exonerate (or blame) Chesham and Watford.

Of course, that isn't the only file that gets blocked. It's a minimalist test file. My feeling is there's some box floating around that's doing packet inspection, and blocks anything that includes a sequence of six bc hex.

You can access my server in Chesham.

http://www.webinfosecurity.com/good.12 shows you a good file; that lets you check that there's nothing blocking your access to my server.

http://www.webinfosecurity.com/duff.12 is the 43 byte file that gets blocked.

If anyone can suggest a solution to this, I'd be very happy. As in "Oh, I know what that is, it's the Furzewangle Carflugner, configured to prevent Bagpeller attacks". But I'm not optimistic that anyone might.

But what I'd like people to do is try to access the duff file, and if their access fails, to send me a traceroute to www.webinfosecurity.com

As a reward, if I ever find out what is causing this rather interesting (and for me, intensely frustrating) problem, I'll post it here.

Thanks
Attachment:
duff.zip
Description: duff file, zipped
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
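The narrowing-down step described in the message, as an added example that is not part of the original post: a delta-debugging reducer that shrinks a blocked payload to the smallest byte string that still fails to transfer. The newline layout of the 43-byte file, the control file contents and the `simulated_path_blocks` oracle are assumptions constructed for illustration; in a real diagnosis the oracle would be an actual transfer attempt over the affected path.

```python
"""Added example: reduce a blocked payload to its minimal trigger bytes."""

# Assumption: the 43-byte test file is three newline-terminated lines.
DUFF = b"This is a test file\n" + b"\xbc" * 6 + b"\nEnd of the file\n"
# Constructed control file: same layout without the 0xBC run.
GOOD = b"This is a test file\n" + b"xxxxxx" + b"\nEnd of the file\n"


def simulated_path_blocks(payload: bytes) -> bool:
    """Constructed stand-in for one network path: drops six 0xBC in a row."""
    return b"\xbc" * 6 in payload


def minimize(payload: bytes, blocked) -> bytes:
    """Delete chunks of the payload for as long as it stays blocked.

    `blocked` is any callable returning True when the bytes fail to
    transfer. The result is 1-minimal: removing any single byte from it
    lets the transfer through.
    """
    if not blocked(payload):
        raise ValueError("payload is not blocked on this path")
    chunk = max(len(payload) // 2, 1)
    while True:
        i, shrunk = 0, False
        while i < len(payload):
            candidate = payload[:i] + payload[i + chunk:]
            if blocked(candidate):
                payload, shrunk = candidate, True   # chunk was irrelevant
            else:
                i += chunk                          # chunk is needed, keep it
        if chunk > 1:
            chunk //= 2              # retry with finer-grained deletions
        elif not shrunk:
            return payload           # a full single-byte pass removed nothing


if __name__ == "__main__":
    trigger = minimize(DUFF, simulated_path_blocks)
    print(len(DUFF), "bytes reduced to", trigger.hex())
```

Running the reducer separately in each direction (A -> B and B -> A) and comparing the results shows whether the same trigger applies on every blocked path.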