Museum Of Broken Packets 127
hobbicik writes: "Quote from the page: 'The purpose of this museum is to provide a shelter for strange, unwanted, malformed packets - abandoned and doomed freaks of nature - as we, mere mortals, meet them on twisted paths of our grand journey called life.'" Interesting and amusing idea. Most of the wasted packets I get are IIS worm attempts -- not nearly as interesting.
Hmm (Score:3, Funny)
Re:Hmm (Score:2)
Be sure (Score:2, Offtopic)
Authenticity? (Score:1, Interesting)
Re:Authenticity? (Score:2)
Re:Authenticity? (Score:1)
Paranoid? Or are they really out to get us? (Score:5, Interesting)
"This packet arrived from www.law10.hotmail.com, one of web servers handling Hotmail traffic... But unlike standalone traceroute packets, this legitimate traffic will be forwarded thru most of stateful firewalls, allowing you to obtain a valuable information about their internal network structure, distance and such - and all this with virtually no possibility to be detected. Well done - this covert packet looked so innocent... "
Re:Paranoid? Or are they really out to get us? (Score:2, Informative)
It is as important to control what is leaving your network as what is coming in.
Re:Paranoid? Or are they really out to get us? (Score:3, Informative)
Re:Paranoid? Or are they really out to get us? (Score:5, Informative)
Again, this will not work if your firewall drops the outbound ICMP packets. In the case of tcptraceroute you will eventually get an ACK back from the server, so you will know how many hops it behind the firewall, but no other information.
The hotmail trick is somewhat more insidious because it is used in the midst of a session the firewall will usually pass the traffic to a normally protected (even NAT'd) host.
Both are easily blocked with outbound filters.
Re:Paranoid? Or are they really out to get us? (Score:1)
> because it is used in the midst of a session the
> firewall will usually pass the traffic to a normally
> protected (even NAT'd) host.
... which couldn't have been reached without sending that first SYN, so you might as well traceroute it with the SYN in the first place.
I fail to see the significance of the difference.
Re:Paranoid? Or are they really out to get us? (Score:2)
When the server recieves a packet with the SYN flag set it either replies with a SYN/ACK, at which point the client sends an ACK and the session is established.
The SYN traceroute will only work with host that are directly accessable from the outside and is useful for tracing to a publicly available server. The Hotmail trick is useful for tracing to non-publicly available clients.
Re:Paranoid? Or are they really out to get us? (Score:1)
Re:Paranoid? Or are they really out to get us? (Score:1)
Last Night while surfing a forum.
I thought quite the same.
I was surfing from behind a *nix box,
ala lucent v.42, without domain name.
Natted and routing for all, no local
ports on the masking box to call..
running old kernel builds I like and
tcpservices large and small..
BUt: What appears to my pixelated eyes and
hunch postured frame?
but konqueror: browsing and moving and
abiding, in a remote hacksters game..
aghast and afraid, I hit the kill switch,
rueing and reviling the impulse which,
made me a lamer in me own home, and
caused an fsck 30 minutes long...
Not to mention the reintall, log analysis,
etc..
NO BS this really happened.
Re:Paranoid? Or are they really out to get us? (Score:1)
I'm sure that... (Score:4, Funny)
Taffyd.
Hmmm (Score:3, Funny)
Re:Hmmm (Score:2, Flamebait)
Already there: The Product and Technology Catalog. [microsoft.com] It even includes a demo if you use Opera to view it!
Re:Hmmm (Score:5, Funny)
Yeah, but the domain 'microsoft.com' is already taken.
Insert rimshot here...
Causes of mal-formed packets (Score:5, Informative)
Tim
Slashdot could be a good test-best for this (Score:1, Interesting)
Something to "Marvel" at... (Score:3, Funny)
More powerful than a triple Mocha,
Able to leap Full Towers in a single bound,
Look behind the window!
It's a boot disk!
No! It's a packet!
No! It's a...OOooo, shiney object!
Special packets (Score:1, Funny)
Re:Special packets (Score:1)
At the moment my firewall (iptables) logs and drops unwanted packets. I used it like this for about a couple of hours, looked at the log, then added an extra "don't log, just drop" rule specifically for NetBIOS...
Hardly surprising, since I'm on a LAN Internet connection full of poorly configured Windows Notworking hosts spamming each other (and potentially the entire Internet, since they use 255.255.255.255, although I suspect/hope my college filters NetBIOS out at the router...)
Re:Special packets (Score:2)
Hardly surprising, since I'm on a LAN Internet connection full of poorly configured Windows Notworking hosts spamming each other (and potentially the entire Internet, since they use 255.255.255.255, although I suspect/hope my college filters NetBIOS out at the router..
Well, RFC1812 specifies, that packages sent to the "limited broadcast address" (255.255.255.255) MUST NOT be forwarded by any router. Hence, unless your router(s) are seriously broken/misconfigured, the rest of the internet should be fairly safe
In general, RFC1812 is interresting reading, dictating how an IPv4-router should behave
iis worm attempts boring? (Score:1)
if only they used the netcraft service to check first before ruining your neat log files...
Re:iis worm attempts boring? (Score:2, Flamebait)
Recent exploits in wu_ftpd, sshd, telnetd, and bind did not force me to "upgrade" my linux server to Windows 2000 (it did force me to upgrade these packages...!). I know you're just joking, but security holes are not endemic to the Windows world. Sloppy coders are everywhere.
Moderators on crack (again) (Score:1)
Geek? (Score:2, Funny)
One thing is that I immediately think "IP" when I read "packets". But why did I have to misread "twisted paths" as "twisted pair"?
Awe-inspiring (Score:3, Funny)
What's next, a repository of images of free-form dust patterns from monitor screens?
Re:Awe-inspiring (Score:1)
Malformed? Hmm (Score:3, Funny)
OOps, wrong kind of packet.
Occam's Razor (Score:4, Funny)
Where is this museum located? (Score:1, Offtopic)
Re:Where is this museum located? (Score:2)
Maybe. Rumor is Hermie, the UDP packet who wants to be a Dentist, started it up to help him pay for dental school.
Slashback? (Score:2, Funny)
A real bit bucket (Score:5, Interesting)
My approach to logging was to log all packets that didn't advance the connection. This included not only rejected packets but duplicates, empty ACKs, and related junk. In the early days, I'd get only a few packets per day once I'd debugged the TCP implementation thoroughly. As more implementations appeared on the Internet, I'd get more junk packets, and would E-mail back the packet source telling them how their protocol stack was broken. In those days, everybody on the net was DoD funded, and the other implementations were typically from researchers. We became something of a validation site for TCP/IP.
Once Berkeley UNIX got a TCP/IP stack, the amount of logged junk increased substantially.
I'd see one or two packets per day that passed Ethernet CRC but failed TCP/IP checksums, even from the local net. Early Ethernet controllers were apparently subject to memory errors. Most other bad packets were associated with the beginning of a connection. But we'd sometimes see a large number of packets that didn't advance the connection, indicating broken retransmit timers.
So I probably had the first museum of bad packets.
Re:A real bit bucket (Score:2, Funny)
Argh, here he is.. the first net-cop!
The first net-cop? (Score:3, Interesting)
I'd send out e-mails like "your implementation is not compliant with MIL-STD
para
This was needed. There were too many implementations that wouldn't talk to anything other than themselves, or screwed up when bandwidth was tight, or had related bugs.
TCP/IP could have turned into an N-squared problem, where you needed a matrix of what could talk to what, or where implementations had to be aware of the bugs in other implementations.
We managed to avoid that.
There was a cultural problem. The idea that the protocol specification ruled, not the implementations, was painful to some implementors. That's standard procedure in aerospace, where specs across vendor boundaries are taken seriously, and I was at Ford Aerospace.
Most of the players, even the universities, were DoD-funded through DARPA, and DoD insists on compliance with standards, so eventually, everybody was beaten into compliance.
In the end, everything talked to everything else.
Re:A real bit bucket (Score:2)
Any Ethernet frame, valid or not, will have a correct CRC, unless there is a problem on your local LAN. Also, your router wouldn't look at TCP or TCP checksums, but it certainly shouldn't pass anything with an incorrect IP checksum.
It sounds like you may have been attributing some of these malformed packets to faulty TCP/IP stacks on the other end, when the problem was actually your LAN or gateway. Were you using experimental layer 2/3 equipment?
Re:A real bit bucket (Score:2)
Microsoft Patents the Broken Packet (Score:4, Funny)
Re:Microsoft Patents the Broken Packet (Score:1)
Re:Microsoft Patents the Broken Packet (Score:1)
Wabi-Sabi (Score:1, Offtopic)
--Exquisite Decay [utne.com]
Lost time (Score:1)
Broken packets? Slashdotting? (Score:3, Funny)
A paper on intrusion (Score:3, Interesting)
The paper basically had this idea that for every spoofed TCP packet, the receiptent will return a message, upon which the original sender would essentially say that it did not send the packet.
This paper made a statistical analysis of logging such packets over a fixed range of IP addresses, and then extrapolated from that result.
That way, one could get an idea of spoofed attacks being carried out. But the downside was that a lot of security programs themselves at times spoof IPs to mask their identity, so that could kind of alter the result by a reasonably high margin.
But I remember that it had a probability of a really high number of attacks being carried out under spoofed addresses. Pretty interesting read, although I do not seem to be able to locate where I had read it.
Re:A paper on intrusion (Score:2, Informative)
Re:A paper on intrusion (Score:1)
And this slide [caida.org] sums up the whole paper basically - it gives an overview of how the backscatter idea works.
If I remember correctly, there was also a follow up to this paper on ACM regarding some statistical survey of existing DoS attacks and the ones mentioned in this paper.
And moderators - pls mod up the parent to this post, that is a useful link (just in case - http://www.caida.org/outreach/papers/backscatter/
Re:Speaking of... (Score:1)
Recent Microsoft OS sending random packets after 10 minutes' inactivity? Worrying...
I assume you're not running Seti@home or anything? Or spyware (software which spies on you/your Internet connection; basically any free Windows download manager or accelerator, and anything with built-in ads)?
Try downloading ZoneAlarm (http://www.zonelabs.com [zonelabs.com]) and setting it to be as paranoid as possible. It tells you when stuff tries to access your LAN or the Internet (including which program it was, although some spyware uses Internet Explorer embedding to disguise its Internet use as coming from IE)
If that fails, you could install a packet filter on your Mac (I assume OS X must have some equivalent of Linux's ipchains and iptables?) and see where the packets are going...
IIS Worm Hits Suck (Score:1)
I've been grepping and gwaking more IPs to deny than I can count.
Reason: Your Computer, Server, or ISP is in need of a worm update. Get to it you Lazy Excuse for an Admin.
It has helped reduce the monthly count, but there's always sombody new. I think by now these worms should have been terminated, and those who are still passing it (Under Rock Livers) should be punished. If I only had the bandwidth to DOS 'em all down (Bad Toad, No Cookie).
Sombody out there has to be doing something more vendictive than mails and denys, I just want to hear about it. Really, just Hear.
Re:IIS Worm Hits Suck (Score:2)
Not sure if this is what you're looking for, but it may help. Stick this in the httpd.conf of your mod_perl enabled Apache server: # Nimda: Block incomming requests. { package Apache::Vermicide; use Apache::Constants qw(:common :response);
sub handler {
my $r = shift;
if ($r->uri() =~ /root\.exe|cmd\.exe|default\.ida/i) {
$r->push_handlers(PerlLogHandler => sub { return BAD_REQUEST });
return BAD_REQUEST;
}
return DECLINED;
}
}
PerlPostReadRequestHandler Apache::Vermicide
Well... (Score:2)
Why not the new TLD? (Score:1)
Orphan packets (Score:2)
This could be very useful (Score:3, Interesting)
For example, where I work we are writing software for routing, PPP, PPPoE, RIP, OSPF, and so on with all sorts of encapsulations. In an early field test we discovered a lot of cases where our PPP stack would fall over but we couldn't reproduce the problems with our lab equipment. Since then we wrote a bunch of test tools to purposely corrupt packets in any way imaginable to test our software.
BTW, does anyone know of a good site displaying various exploit packets? My firwall seems to catch a lot of them (I'm on a broadband connection).
Re:This could be very useful (Score:1)
While this isn't a pretty-pictures way of doing it, they do contain a lot of signatures for suspicious packets. Be ready for information in this kind of format:
alert tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR GirlFriendaccess"; flags: A+; content:"Girl"; reference:arachnids,98; sid:145; classtype:misc-activity; rev:3;)
Which means a tcp segment from an outside machine on port 80, to an inside machine on port 21554 with the text content "Girl" might be an attempt to access the "Girlfriend" trojan horse.
Better yet, why not install and run snort on a low-end box and let it identify the wacky ones for you. I run one on a console only OpenBSD box with a p-90 and it monitors a T1 just fine. Another runs on a 486-120 under console-only linux.
There is even a Window$ version for those that prefer that platform.
Reason for Exhibit one (Score:3, Interesting)
Re:Reason for Exhibit one (Score:2)
Re:Reason for Exhibit one (Score:2)
Re:Reason for Exhibit one (Score:1)
Why. (Score:2)
Second.. we're talking about the switching tables on the switch, not the arp cache (arp cache is the wrong word probably in this case). A switch keeps track of which mac address is on which port. These things time out after a while. So when a switch gets a packet with a destination mac address it doesn't recognize.. it HAS to broadcast it to all ports.
BTW, standard learning bridges work the same way.
To respond.. (Score:2)
As for having a switch do arp requests in proxy-like fashion.. that's not the purpose of the switch. As for why it's 'not too wise' I don't understand.. ti's *exactly* what switches were designed to do... the purpose of a switch is to increase network performance (compared to a hub) by a best-effort attempt to put traffic only where it needs to be, without actually changing the behavior of the network itself.
As for a switch sending out an arp request... that in and of itself would be a broadcast packet to everywhere.... besides, as soon as the switch sees traffic from the 'unknown' host it'll populate it's switch table and start working 'normally' again.
heh (Score:2)
Wow, I don't think I would've even payed attention to most of those. I guess I don't know enough about TCP, etc, to recognize subtle stuff.
Though I do know enough (or not enough) to wonder about stuff like this:
At least it looks weird to me (ICMP type 65535?) Anybody know what that's about? I just noticed it recently when it went to 212.15.64.41 which is where some linux worm phones home, but it pops up every now and then to other hosts too.Probably a simple explanation but while all the network geeks are in the room I figured I'd ask...
Re:heh (Score:2)
Check your logs, there should be more of these fragments before this one. The first will have more useful information.
Go here [logi.cc] to analyze ipchains log output.
Example 1 (Score:2)
Cabletron had, at one point, a philosophy of "switch centric" networks. Even when layer 3 capabilities were built in so that the switches could, after a fashion, act like a router with respect to limiting broadcast traffic, it wouldn't be out of the question that some of the older equipment might still broadcast unicast packets under these conditions. These swtiches were often referred to by local staff as "routers", on the theory of walks-like-duck-quacks-like-duck.
I don't have a lot of experience with Cabletron stuff, but later stuff I've encountered uses standard VLAN techniques and could absolutely be configured to act like a router if that was what was desired. A temporarily misconfigured VLAN could cause this kind of unwanted packet -- for example if you attach a host, repeater or non-vlan switch to a trunk port of a VLAN switch. In that case you might receive broadcast traffic to any of the networks trunked by the port and unicasts to unlearned MACs. The whole point of VLAN is to physically uncouple cable segments to logical networks and to implement customizations to network topologies in software.
OK, OK I confess already! (Score:2)
Alright, it was me that has been doing this.
I had figured that chaining together rand48() with libpcap to generate random packets was the first step in creating an artificial life form out of the Internet at large.
If you'd just not exposed me prematurely like this I soon would have been successful in my attempt to create this life form.
Re:The Prodigal Packet (Score:1)
Re:Huh? (Score:1)
You mean this story, already posted on slashdot [slashdot.org], right?
See .sig for further commentary.
Re:Huh? (Score:1)
Re:Huh? (Score:1)
Why yes, I am bitter about it. Thanks for asking. I finally felt like I had a story worth contributing to the masses.
Maybe it was rejected because it ran last week [slashdot.org].
Now you can be bitter AND embarrased.
Re:Huh? (Score:1)