OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Strange traffic
From: Slawek (sgpTELSATGP.COM.PL)
Date: Mon Oct 16 2000 - 14:26:36 CDT

Hi Michal, hi list,

If somebody wants to take a look I've found an old idea, in an old email :)

http://www.securityportal.com/list-archive/firewall-wizards/1998/Dec/0106.ht
ml

It looks like it's being implemented by Hotmail now..

Bye,
Slawek

Monday, October 16, 2000 11:29 AM +0200, Michal Zalewski wrote:
> On Sat, 14 Oct 2000, Michal Zalewski wrote:
>
> [ This post reflects my presonal thougts and beliefs, which don't have ]
> [ to be true. Standard disclaimer applies. Aleph - I wonder what should ]
> [ I do with this kind of news - feel free to bounce it or forward it ]
> [ somewhere else... ]
>
> > During the investigation, we have noticed really interesting
> > activities from several other systems as well - for example, some not
> > really nice examples of client invigilation done by the biggest web
> > companies. But for now, we are not going to start the hype, and would
> > like what readers of this list think about the activity we have seen.
>
> Ok, I decided to publish one of the most interesting things - the way
> Hotmail (currently owned by Microsoft, right?) and other huge web
> companies are dealing with the customers. Take a look on it - this is a
> log from several different networks of it's night activity:
>
> Thu Oct 12 14:12:47 2000 : (38) [ttl] Generic TTL scan candidate
> Thu Oct 12 14:12:47 2000 : + TCP 0x14 216.33.148.250:80 ->
> 193.XX.XX.34:63765 ttl=1 off=0x4000 id=0x2d05 tos=0x0 len=40 phys=46
>
> Sun Oct 15 21:45:18 2000 : (38) [ttl] Generic TTL scan candidate
> Sun Oct 15 21:45:18 2000 : + TCP 0x14 216.111.248.10:80 ->
> 157.158.181.37:1325 ttl=1 off=0x0 id=0xff20 tos=0x0 len=40 phys=40
>
>
> [...etc, etc, numerous logs from several networks...]
>
> One of these box is, in fact www.law4.hotmail.com. Such activity has been
> noticed both from Hotmail and ADFORCE Corp. servers. I believe it could be
> explained with "load balancing implementation" - we've seen such
> explainations in another case - but I am in serious doubt it's true. If
> you really have to, you can safely measure distance using normal packets.
> The same applies to RTT/packet loss, which is - in fact - much more
> important for intelligent load balancing (where numerous locations are
> available). IMHO, this is an attempt to trace path to system using open
> TCP connection - so it will bypass statefull firewalls and so on, showing
> full path in most cases. I don't think this information is collected for
> amusement or for "better customer service" - well, in fact, using hackish
> methods to collect information about my network infrastructure without my
> knowledge are at least not ethical - especially in case of such big web
> service as Hotmail or AdForce.
>
> How we have noticed it? Our RST+ACK project, described previously, was not
> related to RST+ACK TCP packets only - we started regular network
> monitoring looking for all strange activity - packets to not existing
> hosts, packets with unusual settings etc. All using dedicated software...
> Most of them can be explained with scan attempts from script kiddies using
> traditional tools, but some of them - not really.
>
> I will try to keep posting the most interesting results of RST+ACK case
> study, as we already lost all hope for explainations :P
>
> Another time, I'd like to remind that full documentation can be found at
> http://lcamtuf.hack.pl/wtf/ (polish only :/) - it's 240 kB of logs,
> hypotestis and analysis, which couldn't be done without extensive support
> from numerous people - http://lcamtuf.hack.pl/wtf/wtf-1.html.