Subject: Re: DUP packet replies at tvguide.com
From: Christopher L. Morrow (cmorrow at UU.NET)
Date: Tue Mar 14 2000 - 23:13:55 CST
- Next message: Bob: "Re: DUP packet replies at tvguide.com"
- Previous message: Warren Belfer: "Re: TCP port 3218"
- In reply to: GALES,SIMON (Non-A-ColSprings,ex1): "Re: DUP packet replies at tvguide.com"
- Next in thread: Bob: "Re: DUP packet replies at tvguide.com"
- Reply: Christopher L. Morrow: "Re: DUP packet replies at tvguide.com"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
While poking around a few months ago I noticed that www.Dell.com will
respond with a set of dups on ping... it's an NT system (or so the HTTPD
says) and I've noticed that there is more than one hostname (meaning it
could be a 'wolfpack' cluster server?)... Is this another example of ping
not being a "balanced" service? (or rather could this be another example
like TVGuide.com?)
--Chris
#######################################################
## UUNET Technologies, Inc. ##
## Customer Router Security Engineer ##
## (Internet Abuse Team) ##
## (W)703-289-8479 (C)703-598-2691 (P)1-888-462-3508 ##
#######################################################
On Mon, 13 Mar 2000, GALES,SIMON (Non-A-ColSprings,ex1) wrote:
> Could this be WLBS (Windows Load Balancing Service) in all its glory?
> Since Windows ping doesn't report the extra replies, it would have gone
> unnoticed by many. Next time I have WLBS setup in our lab I'll test for
> this and let the list know.
>
> Perhaps ping needs to be setup as a 'balanced' service to prevent all the
> pooled servers from responding...
>
> Simon Gales
> SGales at OnSphere.com
>
> -----Original Message-----
> From: Bob [mailto:bob at CAVU.COM]
> Sent: Thursday, March 09, 2000 10:27 AM
> To: INCIDENTS at SECURITYFOCUS.COM
> Subject: DUP packet replies at tvguide.com
>
>
> Presently tvguide.com (144.198.225.50) is suffering a strange problem in
> that every ping packet to it gets about 43 duplicate replies, with a few
> having a TTL one higher than the rest. This problem can be seen from
> Linux (and probably UNIX); Windows ping does not detect the problem.
>
> A traceroute is normal. A ping to the system just before this one in the
> traceroute list is normal.
>
> The duplicate replies also seem to be a problem with other protocols such
> as TCP/IP (telnet) to port 80 (HTTP). There also is, not surprisingly, poor
> response time from their web server.
>
> This probably is a misconfiguration rather than an intrusion. Their
> DNS was changed in the past few days. Perhaps they attempted "round robin"
> routing to distribute the load among a server farm and misconfigured it
> to send each request to each server.
>
> They appear to be an all-Microsoft shop. A LAN analyzer on their
> network to look at MAC addresses would answer this question quickly. I
> informed their night shift of this problem.
>
> A sample ping follows:
>
> % ping tvguide.com
> PING tvguide.com (144.198.225.50): 56 data bytes
> 64 bytes from 144.198.225.50: icmp_seq=0 ttl=116 time=196.7 ms
> 64 bytes from 144.198.225.50: icmp_seq=0 ttl=116 time=206.8 ms (DUP!)
> 64 bytes from 144.198.225.50: icmp_seq=0 ttl=115 time=216.8 ms (DUP!)
> 64 bytes from 144.198.225.50: icmp_seq=0 ttl=115 time=236.9 ms (DUP!)
> [another 30 or so DUP replies]
> 64 bytes from 144.198.225.50: icmp_seq=0 ttl=115 time=537.0 ms (DUP!)
> 64 bytes from 144.198.225.50: icmp_seq=0 ttl=116 time=547.0 ms (DUP!)
> 64 bytes from 144.198.225.50: icmp_seq=0 ttl=116 time=549.2 ms (DUP!)
> 64 bytes from 144.198.225.50: icmp_seq=1 ttl=116 time=200.5 ms
> 64 bytes from 144.198.225.50: icmp_seq=1 ttl=115 time=210.6 ms (DUP!)
> ...
>
>
> Trying TCP/IP by doing "telnet tvguide.com 80" shows the same problem.
> (I realize that my input was not valid HTTP but it shows the duplicate
> replies. My network addresses have been obscured in this email.)
>
> telnet tvguide.com 80
> Connected to tvguide.com.
> Escape character is '^]'.
> /index.html
>
> HTTP/1.1 400 Bad Request
> Server: Microsoft-IIS/4.0
> Date: Thu, 09 Mar 2000 06:05:24 GMT
> Content-Type: text/html
> Content-Length: 87
>
> <html><head><title>Error</title></head><body>The parameter is incorrect.
> </body></html>Connection closed by foreign host.
>
>
> A tcpdump during the telnet shows:
>
> 01:05:18.308632 us.8275 > 144.198.225.50.telnet: S 3282987830:3282987830(0)
> win 512 <mss 1460> [tos 0x10]
> 01:05:21.308632 us.8275 > 144.198.225.50.telnet: S 3282987830:3282987830(0)
> win 32120 <mss 1460> [tos 0x10]
> 01:05:27.308632 us.8275 > 144.198.225.50.telnet: S 3282987830:3282987830(0)
> win 32120 <mss 1460> [tos 0x10]
> 01:05:37.768632 us.8276 > 144.198.225.50.http: S 3369032143:3369032143(0)
> win 512 <mss 1460> [tos 0x10]
> 01:05:37.808632 144.198.225.50.http > us.8276: S 874761942:874761942(0) ack
> 3369032144 win 8760 <mss 1460> (DF)
> 01:05:37.808632 us.8276 > 144.198.225.50.http: . ack 1 win 32120 (DF) [tos
> 0x10]
> 01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
> 01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
> 01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
> 01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
> 01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
> 01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
> 01:05:37.808632 144.198.225.50.http > us.8276: . ack 1 win 8760 (DF)
> 01:05:57.598632 us.8276 > 144.198.225.50.http: P 1:14(13) ack 1 win 32120
> (DF) [tos 0x10]
> 01:05:57.648632 144.198.225.50.http > us.8276: . ack 14 win 8747 (DF)
> 01:05:58.978632 us.8276 > 144.198.225.50.http: P 14:16(2) ack 1 win 32120
> (DF) [tos 0x10]
> 01:05:59.018632 144.198.225.50.http > us.8276: P 1:225(224) ack 16 win 8745
> (DF)
> 01:05:59.018632 144.198.225.50.http > us.8276: F 225:225(0) ack 16 win 8745
> (DF)
> 01:05:59.018632 us.8276 > 144.198.225.50.http: . ack 226 win 31895 (DF) [tos
> 0x10]
> 01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
> 01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
> 01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
> 01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
> 01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
> 01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
> 01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
> 01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
> 01:05:59.018632 144.198.225.50.http > us.8276: . ack 16 win 8745 (DF)
> 01:05:59.018632 us.8276 > 144.198.225.50.http: F 16:16(0) ack 226 win 32120
> [tos 0x10]
> 01:05:59.058632 144.198.225.50.http > us.8276: . ack 17 win 8745 (DF)
> 01:05:59.058632 144.198.225.50.http > us.8276: . ack 17 win 0
>
> Mike O'Shaughnessy, mikeo at cmpsolv.com, alerted me to the ping problem
> and we worked together to analyze it.
>
> Bob Toxen
> bob at cavu.com
> http://www.cavu.com
> http://www.cavu.com/sunset.html [Sunset Computer]
> ftp://ftp.mindspring.com/users/cavu/century.c [Y2K CMOS clock fix for
> Linux]
> ftp://ftp.mindspring.com/users/cavu/hwclock.c [Y2K hwclock for broken
> CMOS]
> Fly-By-Day Consulting, Inc. "Don't go with a fly-by-night outfit!"
>
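A small detector for the symptom discussed in this thread (several hosts answering for one address, so each probe draws several replies), as an added example that is not part of any post above. It counts replies per icmp_seq in Linux-style ping output and finds runs of identical TCP segments in tcpdump output, which is what Bob did by eye. The address 192.0.2.10 and the sample lines are constructed to mirror the shape of the posted output, not taken from it; nothing here is tvguide.com's or Microsoft's code.

```python
"""Spot the duplicate-reply symptom in captured ping and tcpdump output.

Added example; sample lines are constructed (RFC 5737 test address), not
copied from the thread.
"""
import re
from collections import defaultdict

# Linux/BSD ping reply line, with the optional trailing "(DUP!)" marker.
PING_RE = re.compile(
    r"^\d+ bytes from (?P<host>\S+): icmp_seq=(?P<seq>\d+) "
    r"ttl=(?P<ttl>\d+) time=(?P<ms>[\d.]+) ms(?P<dup> \(DUP!\))?$"
)

# Old-style tcpdump line: "timestamp src > dst: flags rest".
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>\S+) (?P<rest>.*)$"
)

# Constructed sample: two probes, each answered by several hosts at two TTLs.
SAMPLE_PING = """\
PING target.example (192.0.2.10): 56 data bytes
64 bytes from 192.0.2.10: icmp_seq=0 ttl=116 time=196.7 ms
64 bytes from 192.0.2.10: icmp_seq=0 ttl=116 time=206.8 ms (DUP!)
64 bytes from 192.0.2.10: icmp_seq=0 ttl=115 time=216.8 ms (DUP!)
64 bytes from 192.0.2.10: icmp_seq=0 ttl=115 time=236.9 ms (DUP!)
64 bytes from 192.0.2.10: icmp_seq=1 ttl=116 time=200.5 ms
64 bytes from 192.0.2.10: icmp_seq=1 ttl=115 time=210.6 ms (DUP!)
""".splitlines()

# Constructed sample: one handshake where the server's bare ACK arrives three
# times with the same timestamp, as in the posted capture.
SAMPLE_TCPDUMP = """\
01:05:37.768632 us.8276 > 192.0.2.10.http: S 3369032143:3369032143(0) win 512 <mss 1460> [tos 0x10]
01:05:37.808632 192.0.2.10.http > us.8276: S 874761942:874761942(0) ack 3369032144 win 8760 <mss 1460> (DF)
01:05:37.808632 us.8276 > 192.0.2.10.http: . ack 1 win 32120 (DF) [tos 0x10]
01:05:37.808632 192.0.2.10.http > us.8276: . ack 1 win 8760 (DF)
01:05:37.808632 192.0.2.10.http > us.8276: . ack 1 win 8760 (DF)
01:05:37.808632 192.0.2.10.http > us.8276: . ack 1 win 8760 (DF)
01:05:57.598632 us.8276 > 192.0.2.10.http: P 1:14(13) ack 1 win 32120 (DF) [tos 0x10]
01:05:57.648632 192.0.2.10.http > us.8276: . ack 14 win 8747 (DF)
""".splitlines()


def analyze_ping(lines):
    """Per icmp_seq: how many replies arrived and which TTLs they carried.

    One echo request normally yields exactly one reply; more than one means
    several hosts (or several paths) answered the same request.
    """
    stats = defaultdict(lambda: {"replies": 0, "ttls": set()})
    for line in lines:
        m = PING_RE.match(line.strip())
        if not m:
            continue  # banner, summary and blank lines
        s = stats[int(m["seq"])]
        s["replies"] += 1
        s["ttls"].add(int(m["ttl"]))
    return dict(stats)


def ping_verdict(stats):
    """Worst-case replies per probe plus the distinct TTLs seen.

    TTLs one apart, as in the thread, mean the replies came back through
    paths (or from hosts) that differ by one hop; a single box would not
    produce that.
    """
    if not stats:
        return {"max_replies": 0, "ttls": set(), "duplicated": False}
    max_replies = max(s["replies"] for s in stats.values())
    ttls = set().union(*(s["ttls"] for s in stats.values()))
    return {"max_replies": max_replies, "ttls": ttls,
            "duplicated": max_replies > 1}


def duplicated_segments(lines):
    """Runs of identical segments (same timestamp, endpoints, flags, body).

    Returns [(key_tuple, count), ...] for runs longer than one. Caveat: a
    receiver may legitimately emit duplicate ACKs after loss (fast
    retransmit), but those are spaced out in time and follow missing data;
    identical segments at one timestamp with nothing lost in between, as
    in the posted capture, point at several hosts answering for one address.
    """
    runs, prev, count = [], None, 0
    for line in lines:
        m = TCPDUMP_RE.match(line.strip())
        if not m:
            continue
        key = (m["ts"], m["src"], m["dst"], m["flags"], m["rest"])
        if key == prev:
            count += 1
        else:
            if count > 1:
                runs.append((prev, count))
            prev, count = key, 1
    if count > 1:
        runs.append((prev, count))
    return runs


if __name__ == "__main__":
    print("ping:", ping_verdict(analyze_ping(SAMPLE_PING)))
    for key, n in duplicated_segments(SAMPLE_TCPDUMP):
        print(f"tcpdump: {n}x identical {key[1]} > {key[2]} at {key[0]}")
```

Feed it real output with `ping -c 10 host | python3 dupcheck.py` style plumbing (replace the samples with `sys.stdin`), and remember the thread's own caveat: Windows ping of that era hid the extra replies, so run the ICMP side from a Unix host or look at the tcpdump side instead.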