Subject: Re: Strange traffic
From: Slawek (sgpTELSATGP.COM.PL)
Date: Mon Oct 16 2000 - 14:26:36 CDT
Hi Michal, hi list,
If somebody wants to take a look, I've found an old idea in an old email :)
It looks like it's being implemented by Hotmail now...
Monday, October 16, 2000 11:29 AM +0200, Michal Zalewski wrote:
> On Sat, 14 Oct 2000, Michal Zalewski wrote:
> [ This post reflects my personal thoughts and beliefs, which don't have ]
> [ to be true. Standard disclaimer applies. Aleph - I wonder what should ]
> [ I do with this kind of news - feel free to bounce it or forward it ]
> [ somewhere else... ]
> > During the investigation, we have noticed really interesting
> > activities from several other systems as well - for example, some not
> > really nice examples of client invigilation done by the biggest web
> > companies. But for now, we are not going to start the hype, and would
> > like to hear what readers of this list think about the activity we have seen.
> Ok, I decided to publish one of the most interesting things - the way
> Hotmail (currently owned by Microsoft, right?) and other huge web
> companies are dealing with the customers. Take a look at it - this is a
> log from several different networks of its night activity:
> Thu Oct 12 14:12:47 2000 : (38) [ttl] Generic TTL scan candidate
> Thu Oct 12 14:12:47 2000 : + TCP 0x14 22.214.171.124:80 ->
> 193.XX.XX.34:63765 ttl=1 off=0x4000 id=0x2d05 tos=0x0 len=40 phys=46
> Sun Oct 15 21:45:18 2000 : (38) [ttl] Generic TTL scan candidate
> Sun Oct 15 21:45:18 2000 : + TCP 0x14 126.96.36.199:80 ->
> 188.8.131.52:1325 ttl=1 off=0x0 id=0xff20 tos=0x0 len=40 phys=40
> [...etc, etc, numerous logs from several networks...]
> One of these boxes is, in fact, www.law4.hotmail.com. Such activity has been
> noticed both from Hotmail and ADFORCE Corp. servers. I believe it could be
> explained with "load balancing implementation" - we've seen such
> explanations in another case - but I am in serious doubt it's true. If
> you really have to, you can safely measure distance using normal packets.
> The same applies to RTT/packet loss, which is - in fact - much more
> important for intelligent load balancing (where numerous locations are
> available). IMHO, this is an attempt to trace the path to a system using an open
> TCP connection - so it will bypass stateful firewalls and so on, showing
> full path in most cases. I don't think this information is collected for
> amusement or for "better customer service" - well, in fact, using hackish
> methods to collect information about my network infrastructure without my
> knowledge is at least not ethical - especially in the case of such a big web
> service as Hotmail or AdForce.
> How did we notice it? Our RST+ACK project, described previously, was not
> related to RST+ACK TCP packets only - we started regular network
> monitoring looking for all strange activity - packets to non-existent
> hosts, packets with unusual settings etc. All using dedicated software...
> Most of them can be explained with scan attempts from script kiddies using
> traditional tools, but some of them - not really.
> I will try to keep posting the most interesting results of the RST+ACK case
> study, as we have already lost all hope for explanations :P
> Once again, I'd like to remind you that full documentation can be found at
> http://lcamtuf.hack.pl/wtf/ (Polish only :/) - it's 240 kB of logs,
> hypotheses and analysis, which couldn't be done without extensive support
> from numerous people - http://lcamtuf.hack.pl/wtf/wtf-1.html.