Security Incidents mailing list archives
Re: Munged Napster Sessions
From: spb () SCHADENFREUDE MESHUGGENEH NET (Stephen P. Berry)
Date: Fri, 17 Mar 2000 08:30:49 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In message <38D15DEA.8A9B4345 () relaygroup com>, Vanja Hrustic writes:

> "Stephen P. Berry" wrote:
> > Notably, the traffic of interest includes various bogus TCP flag combinations (everything from SYN-FIN packets to full Xmas packets), bogus TCP flags, and tiny fragments. In absence of the established napster session, the anomalous traffic would look powerfully like some sort of TCP fingerprinting attempt to me.
>
> A silly question: is any of the sites involved located at *.demon.co.uk, by any chance?

Not silly at all; I usually put a standard disclaimer in anything I post here that the traffic in question did -not- originate in demon.co.uk, gb.net, or any of that lot---for precisely the reasons you discuss. Has somebody coined a neologism for this phenomenon? I'd taken to calling elements of the patterns in question `pom packets' when discussing them with some fellow analysts, but somehow that doesn't look quite proper in a formal incident report.

> I think that quite a few people these days are seeing false alarms caused by traffic which comes from demon. Demon blames it on "network equipment". For example, a guy (using demon.co.uk) is browsing my website, and during that session, a packet is sent to a random high port (like 3xxxx). Packets are really strange; sometimes they have all bits set, sometimes not.

Even more interestingly, the traffic fragments that get hemorrhaged from that end frequently appear to be valid snippets of other TCP[0] streams. I.e., a bit of a URL, a fragment of a MIME header, u.s.w. One of the first bursts of bogus crap from demon.co.uk I ever analysed first came to my attention because it contained a telnet login failure.

From context, I gather that you're one of the lucky few who have received replies from the provider(s) in question (I've sent several queries[1], but never received an answer). Did they happen to mention what flavour of `network equipment' it was that they were fingering as the culprit? If anyone ever gives me any of that `network equipment' I want to know, so I can trade it for a dog, shoot the dog, then claim I never owned it.

Anyway (dashing back to the original point), no. The peculiar napster-related traffic I reported did -not- originate from demon.co.uk or thereabouts.

-Steve

-----
[0] Or at least I can't recall seeing anything my TCP.
[1] Once back when I started seeing it, a year and a half or two years ago; again somewhat later when it reappeared after having been gone a couple months; and then once again after that, just because I was feeling ornery over not having gotten a response.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE40l2sG3kIaxeRZl8RAjyBAJ9ZnwOliuQZOYQ6Db5T4mEIMfJg4ACg7VIm
LoI/fCfecGGNarAf/luxisY=
=L2Sv
-----END PGP SIGNATURE-----
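One way to triage packets of the kind the thread describes (SYN-FIN, Xmas, all-bits-set and null flag combinations, plus first fragments too short to carry a TCP header), judged against whether the sender already has an established session with the monitored host, as an added example that is not part of the original post or the list archive. The packet records, hosts and port numbers below are constructed, and the `Packet` field names, `classify`, `SessionTracker` and `triage` are this example's own, not an existing tool's API.

```python
"""Flag bogus TCP flag combinations and tiny fragments in packet records,
and note whether the sender already has an established session with us.

Added example for this thread, not code from the original post. All packet
records are constructed; field and function names are this example's own."""
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES = ((FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"),
              (ACK, "ACK"), (URG, "URG"), (ECE, "ECE"), (CWR, "CWR"))
TCP_HEADER_MIN = 20  # bytes; a first fragment shorter than this cannot hold the flags


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int = 0                        # TCP flag byte (0 when no TCP header present)
    frag_offset: int = 0                  # IP fragment offset, in 8-byte units
    more_frags: bool = False
    ip_payload_len: int = TCP_HEADER_MIN  # transport bytes carried by this fragment


def flag_str(flags: int) -> str:
    return "|".join(n for b, n in FLAG_NAMES if flags & b) or "NULL"


def classify(pkt: Packet):
    """Return a label for an anomalous packet, or None if it looks legitimate."""
    if pkt.frag_offset == 0 and pkt.more_frags and pkt.ip_payload_len < TCP_HEADER_MIN:
        return "tiny-fragment"      # first fragment too short to carry the TCP flags
    if pkt.frag_offset != 0:
        return None                 # non-first fragments carry no TCP header at all
    f = pkt.flags & 0xFF
    if f == 0xFF:
        return "all-flags"
    if f & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "xmas"
    if f & (SYN | FIN) == (SYN | FIN):
        return "syn-fin"
    if f & (SYN | RST) == (SYN | RST):
        return "syn-rst"
    if f & 0x3F == 0:
        return "null"               # none of FIN/SYN/RST/PSH/ACK/URG set
    if f & FIN and not f & ACK:
        return "fin-without-ack"
    return None


class SessionTracker:
    """Minimal three-way-handshake tracker keyed on the client's 4-tuple."""
    def __init__(self):
        self.half_open, self.syn_acked, self.established = set(), set(), set()

    def observe(self, p: Packet):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        f = p.flags & 0x3F
        if f == SYN:
            self.half_open.add(fwd)
        elif f == SYN | ACK and rev in self.half_open:
            self.syn_acked.add(rev)
        elif f & ACK and fwd in self.syn_acked:
            self.established.add(fwd)

    def has_session_with(self, host: str) -> bool:
        return any(host in (t[0], t[2]) for t in self.established)


def triage(packets):
    """Walk packets in order; report each anomaly together with session context."""
    tracker, findings = SessionTracker(), []
    for p in packets:
        label = classify(p)
        if label is None:
            tracker.observe(p)  # only well-formed packets advance the handshake state
            continue
        verdict = ("munged-session-traffic" if tracker.has_session_with(p.src)
                   else "possible-fingerprinting")
        findings.append((p.src, p.dport, flag_str(p.flags), label, verdict))
    return findings


# Constructed sample: a normal session to a file-transfer port, then junk from
# the same peer; afterwards an unrelated host probes with no session at all.
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.9", 40001, 6699, SYN),
    Packet("192.0.2.9", "10.0.0.5", 6699, 40001, SYN | ACK),
    Packet("10.0.0.5", "192.0.2.9", 40001, 6699, ACK),
    Packet("192.0.2.9", "10.0.0.5", 6699, 31337, 0xFF),          # all bits set, random high port
    Packet("192.0.2.9", "10.0.0.5", 6699, 40001, SYN | FIN),
    Packet("192.0.2.9", "10.0.0.5", 6699, 40001, more_frags=True, ip_payload_len=8),
    Packet("198.51.100.7", "10.0.0.5", 55555, 80, FIN | PSH | URG),
    Packet("198.51.100.7", "10.0.0.5", 55555, 80, 0),
]

if __name__ == "__main__":
    for src, dport, flags, label, verdict in triage(SAMPLE):
        print(f"{src:>13} -> :{dport:<5} {flags:<32} {label:<16} {verdict}")
```

The verdict is only a hint for the analyst: a peer that already has a handshake-completed session and then emits SYN-FIN or all-flags packets fits the broken-middlebox pattern the thread discusses, whereas the same packets from a host with no session at all are the ones worth treating as a scan.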