RE: traffic analysis wanted...
From: Burton M. Strauss III (bstrauss@acm.org)Date: 09/19/02
- Previous message: Kim Nielsen: "Re: BIG MAMA !!"
- In reply to: Peter Pfannenschmid: "traffic analysis wanted..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Burton M. Strauss III" <bstrauss@acm.org> To: <security-basics@securityfocus.com> Date: Thu, 19 Sep 2002 07:00:08 -0500
tcpdump puts the interface into promiscuous mode, meaning it sees and
processes all the packets on the wire, not just those addressed to the
interface.
I'll note that the packets are correctly being acked etc., meaning that
whomever they are addressed to is happily talking -- and thus unlikely to be
spoofed (ack 90K bytes into a session)...
You are assuming that your connection to the ISP is a point-to-point like
(not unshared). Depending upon how you are actually connected, that may be
incorrect. And, as long as you're getting your CIR (Committed Information
Rate), completely irrelevant.
I would
1) Do some whois searches on the mystery packets - perhaps that's the
address of the business next door?
2) Ask your ISP. Don't tell them they've misconfigured, take the tack of
the supplicant. "Gee Mr. ISP, I'm trying to setup an IDS and I've found all
these packets I didn't expect to see. Can you tell me how the connectivity
from our premises to your data center is setup? It is shared with other
customers?" etc. -- on the more flies with sugar concept.
-----Burton
-----Original Message-----
From: Peter Pfannenschmid [mailto:Peter.Pfannenschmid@t-online.de]
Sent: Tuesday, September 17, 2002 1:42 PM
To: security-basics@securityfocus.com
Subject: traffic analysis wanted...
G' Day,
not a complete newbie, but this one is not clear to me although I have
googled, grouped and read some documents about the TCP/IP protocol:
We have a server hosted by an ISP. The server has its own subnet
s1.s2.s3.s4/28 with multiple IP adresses. Since some days, there are
several thousand TCP/IP packets per day which hit our server; nor the
source IP address neither the destination IP address of these packets are
part of our server's subnet.
'tcpdump -n -vvv ip and not net 62.146.42.48/28' says for example:
19:15:45.830294 s1.s2.s5.s6.smtp > d1.d2.d3.d4.27975: . 173:173(0) ack
97523 win 62780 (DF) (ttl 64, id 3691)
s1.s2.s5.s6 and d1.d2.d3.d4 are not part of our s1.s2.s3.s4/28 subnet.
'tcpdump -en -vvv ip and not net 62.146.42.48/28' says for example:
19:04:04.352676 0:4:76:16:c8:1f Broadcast ip 1518: 62.146.28.150.http >
24.132.142.176.ampr-inter: . 1:1461(1460) ack 301 win 6432 (DF) (ttl 64, id
23341)
The question is: Why are these packets routed to our server / its subnet?
My conclusion is that our ISP has a misconfiguration on his routers.
The other possibility would be that the machine from which the traffic
originates (let's name this machine "host A") means our server to be a
gateway, i.e. host A is misconfigured or hacked. But a gateway has to be on
the same ethernet segment as its clients, hasn't it? So our server would
not be seen by host A directly. Since there are no other machines in our
/28 subnet, there must be a misconfiguration in our ISP's router.
Before our ISP telling to correct this, I would like to hear the opinions
of the experts. Is there any possible reason (besides misconfiguration of
our ISP's router and besides spoofing and hacking) which could lead to the
situation that our server (which sits alone in his /28 subnet) receives
packets with destination IPs outside his subnet?
Thank you very much,
Peter
- Previous message: Kim Nielsen: "Re: BIG MAMA !!"
- In reply to: Peter Pfannenschmid: "traffic analysis wanted..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
