Security Incidents mailing list archives
Re: ddos-stacheldraht server-spoof alerts ( Was: What is this?)
From: "Stephen P. Berry" <spb () MESHUGGENEH NET>
Date: Fri, 16 Feb 2001 15:23:58 -0800
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In message <200102162157.QAA15478 () narq avian org>, *Hobbit* writes:
Windows napster clients attempt to ping everyone in the results list from a song search, to attempt to get speed metrics on who might be the best to download from. So yes, that's usually 100 separate and distinct pings everytime one of the lusers searches for a tune.
I believe that in fact -all- Napster clients attempt to do this by
default.
The interesting thing isn't that they're pinging but rather:
-A whole bunch of clients appear to creat echo requests
with the same ICMP ID (decimal 666)[0]
-Not all clients (or even the majority of them[1]) exhibit
this behaviour
- -Steve
- -----
0 Several orders of magnitude more frequently than one would expect
if the IDs were selected randomly.
1 Based on the traffic I've observed on the wire.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE6jbaJG3kIaxeRZl8RAnvKAKDPMeAMWL3wRiwVdV5GGLBtHEjTDQCg48tO
6Rnj1ykVlAkke/nEF6eYGcU=
=d4Cu
-----END PGP SIGNATURE-----
Current thread:
- Re: ddos-stacheldraht server-spoof alerts ( Was: What is this?) *Hobbit* (Feb 16)
- Re: ddos-stacheldraht server-spoof alerts ( Was: What is this?) Stephen P. Berry (Feb 16)
- Re: ddos-stacheldraht server-spoof alerts ( Was: What is this?) Stephen P. Berry (Feb 24)
- <Possible follow-ups>
- Re: ddos-stacheldraht server-spoof alerts ( Was: What is this?) Erwin Geirnaert (Feb 19)
- Re: ddos-stacheldraht server-spoof alerts ( Was: What is this?) Stephen P. Berry (Feb 16)