Re: Some unusual network features

From: Mike Hoskins (mike@adept.org)
Date: Tue Jan 13 2004 - 18:46:34 EST

• Next message: Shashank Rai: "Re: Some unusual network features"
• Previous message: Don Parker: "Re: Auditing / Logging"
• In reply to: Paul Johnston: "Some unusual network features"
• Next in thread: Shashank Rai: "Re: Some unusual network features"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Paul Johnston wrote:
> I've come accross the following anomoloies while auditing a network, can
> anyone help explain what they are:

just a couple possibilities... but keeping an open mind is key. :)

> 1) Ports that "hang open" i.e. you can connect, send data ok, but the
> other end never sends any data and never closes the connection.

this could be a firewalled port not sending RSTs... this is
particularly bad behavior for things like mail servers which hang for
the full TCP timeout (varies from platform to platform and can be rather
long) before dropping requests for "common" things like ident. a
real-world example is a mail server sitting behind a Cisco PIX without
'service resetinbound' in the config.

> 2) HTTP ports that function normally when you issue some methods, but on
> other methods (including the imaginary method "SILLY") cause the
> connection to "hang open" like in (1).

perhaps a proxy with similar behavior as in 1 above. (sorry, i'm not a
big proxy guy.) often in place to stop things like the IIS WEBDAV
exploits. this is usually not as catastrophic since the hang only
occurs when requests for known "bad data" are made... i.e. HTTP methods
security policy disallows.

> 3) Ports where the TTL is different on the SYN reply to the rest of the
> connection. ipid's also imply that different hosts are handling the SYN
> and the rest of the connection.

possibly NAT. i.e. packets belonging to the initial TCP setup are given
a lower lifetime than those associated with established connections on
my BSD/IPFW boxes.

> I've got some theories, but I'm not sure how much I'm jumping to
> conclusions.

you could share your theories... our point out how mine are wrong. :)
  just trying to throw out some things off the top of my head.

---------------------------------------------------------------------------
----------------------------------------------------------------------------

• Next message: Shashank Rai: "Re: Some unusual network features"
• Previous message: Don Parker: "Re: Auditing / Logging"
• In reply to: Paul Johnston: "Some unusual network features"
• Next in thread: Shashank Rai: "Re: Some unusual network features"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:45 EDT