Security Incidents mailing list archives

Munged Napster Sessions

From: spb () SCHADENFREUDE MESHUGGENEH NET (Stephen P. Berry)
Date: Mon, 13 Mar 2000 18:17:12 -0800


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Over the past week or so, I've started seeing a number of peculiar
traffic patterns associated with the napster browser.

If you're already familiar with what `normal' napster traffic looks
like, you might want to skip the following background information:

        The napster client allows the luser to search for and
        download MP3 files from other napster clients.  When the
        napster client is started, it connects to a central directory
        server, from which it can obtain information about what
        MP3 files are currently available, do searches, u.s.w.  If some
        client foo wants to download a particular MP3 from another
        client bar, foo will first attempt to contact bar directly.
        If this fails, foo will contact the central directory server,
        which will use its existing connection with bar to forward
        the request.  At this point bar will attempt to connect to
        foo, to allow foo to obtain the file.

        To an IDS sensor looking at the traffic on the external
        interface of a firewall doing NAT, this might look something
        like:

        952996524.800155 foo > fw: icmp: echo request
        952996525.198126 fw:65535 > foo:6699: S 1111111:1111111(0)
                win 8192 <mss 1460> (DF)
        952996525.536798 foo:6699 > fw:65535: S 2222222:2222222(0)
                ack 1111112 win 8760 <mss 1460> (DF)
        952996525.537759 fw:65535 > foo:6699: . ack 1 win 8670 (DF)

        ...u.s.w.  Where `fw' is the external IP address of the firewall
        behind which the client bar lives.  Just looking at the
        above fragment should tell you that there's some other data
        channel between foo and some machine behind fw, as the ICMP_ECHO
        will be dropped if NAT is many-to-one---the internal host
        sending the SYN to foo certainly won't see it.  And even if
        the internal host was getting the ICMP_ECHOs, this would still
        be fairly odd[0][1].

        Disclaimer:  I am neither a napster developer nor a napster
        user, so the above summary could quite possibly use some
        tuning.  If anyone wants to supply a more detailed description
        of napster mechanics, please do so.

Okay, so there's a fundamental Badness associated with the way
napster behaves in that an arbitrary client foo[2] outside your network
perimeter can cause a client bar inside your network perimeter to
initiate a connection back to foo, assuming the access policy across
the perimeter allows reasonably unrestricted outbound access[3].

None of this is news, and I only mention it all to establish context
for describing the odd traffic I've been seeing recently.

Over the past week or so, I've noticed (on a number of otherwise
unrelated[4] networks) some napster sessions with what appears to
be unrelated garbage insterted into the established TCP session.

Notably, the traffic of interest includes various bogus TCP flag
combinations (everything from SYN-FIN packets to full Xmas packets),
bogus TCP flags, and tiny fragments.

In absence of the established napster session, the anomalous traffic would
look powerfully like some sort of TCP fingerprinting attempt to
me.

So what I'm wondering is if there's some new widget out there that
uses napster to do TCP fingerprinting or[5] firewalk-ish network mapping.

Has anyone else seen this sort of thing?  Anyone got an alternate
hypothesis?

- -Steve

- -----
0     Unless you believe in coincidences.
1     One (of several) distressing things about this sort of traffic
      pattern is that---since it is `usual' for one relatively
      innocuous application---it can tend to create a blind spot
      through repetition.  I.e., knowing the above napster
      behaviour, one might choose to design a backdoor that listens
      for ICMP_ECHOs and attempts to establish a TCP connection on
      port 6699 on the source machine.
2     Mod the other client (foo) being behind a firewall which would block
      the initial SYN from the client on your network (bar).
3     Which may or may not be a good idea in your environment.  Discussion
      of the merits of this sort of policy is outside the scope of
      this message.
4     As far as I know, and with the exception of me collecting data
      from both.
5     Not an XOR.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4zaEaG3kIaxeRZl8RAn+nAKCh9Y3DeM/ZmxSI1Alv9GvcTR88dgCcDKNg
4gsYHB2r1XJhMKhLkwLOFmg=
=ujBu
-----END PGP SIGNATURE-----

Current thread:

'fatal:' sshd log message, (continued)
- - - 'fatal:' sshd log message Przemyslaw Frasunek (Mar 25)
    - sgi-dgl scanning Michael Stone (Mar 27)
    - unusual mail file Donald McLachlan (Mar 28)
    - Re: unusual mail file Ryan Hilton (Mar 28)
    - Front Page Extensions vventura () SIA PT (Mar 28)
    - Re: sgi-dgl scanning E. Larry Lidz (Mar 28)
    - Syn attacks ? Klavs Klavsen (Mar 28)
    - Re: lots of interest in port 109 (POP2) markus tromday (Mar 22)
- Re: lots of interest in port 109 (POP2) Donald McLachlan (Mar 07)
  - Re: lots of interest in port 109 (POP2) Paul Rice (Mar 13)
  - Munged Napster Sessions Stephen P. Berry (Mar 13)
    - Looking for Squid Proxies Cy Schubert - ITSD Open Systems Group (Mar 16)
    - Re: Munged Napster Sessions Vanja Hrustic (Mar 16)
    - Port 6112 Stuart Staniford-Chen (Mar 17)
    - Re: Port 6112 Robert Graham (Mar 20)
    - Re: Port 6112 Stuart Staniford-Chen (Mar 20)
    - nbname scans Rick Tortorella (Mar 20)
    - Port 27960 Stuart Staniford-Chen (Mar 17)
    - Re: Port 27960 steve balla (Mar 20)
    - Re: Port 27960 Odd Arne Beck (Mar 20)
    - Re: Port 27960 David Groves (Mar 21)

(Thread continues...)