OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
NFR Wizards Archive: Re: [FW1] Scary traffic - long

Re: [FW1] Scary traffic - long

dreamwvr (dreamwvrdreamwvr.com)
Tue, 22 Dec 1998 12:08:17 -0700

hi all,
last time i 'snoop'ed this was the exchange being made for javastations.
But that was a while ago it looks to be a simular scenario.
                                                        Regards,
                                                                dreamwvrdreamwvr.com
At 06:56 PM 12/21/98 +0200, Hendrik Visage wrote:
>roger nebel wrote:
>
>> RFC 1350 (ftp://ftp.isi.edu/in-notes/rfc1350.txt) mentions nothing about
>> broadcast, perhaps that's a local implementation deviation by
>> someone...i'd be interested in how / where you've seen that use.
>
>AFAIK: Sun machines make use of a broadcast to get the boot image:
>Procedure:
> 1) get IP address with RARP
> 2) send out broadcast tftp get image
> 3) bootparamd for root, install server and other info
> 4) mount root and continue
>
>I'm speaking under correction, but I think I've seen the Xyplex terminal
servers also
>having asked for the image and parameters via broadcast (At that stage not
much info
>except IP address, old BOOTP)
>
>Now the test (Solaris 2.6):
>
># tftp
>tftp> get 255.255.255.255:abcdef.prm
>Received 4703 bytes in 0.1 seconds
>
>Now the interesting part:
>===================
># snoop myne|egrep -v "RLOGIN|RSTAT|TCP|RPC|NIS|NFS|NTP"
>Using device /dev/hme (promiscuous mode)
> myne -> BROADCAST TFTP Read "abcdef.prm" (netascii)
> mainman -> myne TFTP Data block 1 (512 bytes)
> myne -> BROADCAST TFTP Ack block 1
> mainman -> myne TFTP Data block 2 (512 bytes)
> myne -> BROADCAST TFTP Ack block 2
> mainman -> myne TFTP Data block 3 (512 bytes)
> myne -> BROADCAST TFTP Ack block 3
> mainman -> myne TFTP Data block 4 (512 bytes)
> myne -> BROADCAST TFTP Ack block 4
> mainman -> myne TFTP Data block 5 (512 bytes)
> myne -> BROADCAST TFTP Ack block 5
> mainman -> myne TFTP Data block 6 (512 bytes)
> myne -> BROADCAST TFTP Ack block 6
> mainman -> myne TFTP Data block 7 (512 bytes)
> myne -> BROADCAST TFTP Ack block 7
> mainman -> myne TFTP Data block 8 (512 bytes)
> myne -> BROADCAST TFTP Ack block 8
> mainman -> myne TFTP Data block 9 (512 bytes)
> myne -> BROADCAST TFTP Ack block 9
> mainman -> myne TFTP Data block 10 (95 bytes) (last block)
> myne -> BROADCAST TFTP Ack block 10
>
>
>> Hendrik Visage wrote:
>> >
>> > AFAIK: Unfortunately, tftp DO have a broadcast "option", but it should
be only in LAN
>> > context, it sends out the broadcast, and then all the tftpservers will
check if they
>> > have the requested file, and then reply if they DO have the file.
>> >
>> > tftp is also "dangerous" in the sense that it's UDP, send out to a
port, and the
>> > server sends out via another port. Not all that easy to have a
stateful inspection
>> > code for tftp, and FW-1 doesn't handle it as "nicely" as "standard"
ftp :((
>> >
>
>
Reuters, London, February 29, 1998:
Scientists have announced discovering a meteorite which will strike the
earth in March, 2028. Millions of UNIX coders expressed relief for being
spared the UNIX epoch "crisis" of 2038.
_______________________________________________________________________

DREAMWVR.COM - TOTAL WEB INTEGRATION, DEVELOPMENT, DESIGN SERVICES.
Featuring Website Development and Web Strategies of a TOP Developer
<http://www.dreamwvr.com/dynamicduo.html> <mailto:dreamwvrdreamwvr.com>
"As Unique as the Company You Keep." "===0 PGP Key Available
________________________________________________________________________
                                                                   

This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:12:10 CDT