Slashdot Mirror
Museum Of Broken Packets
hobbicik writes: "Quote from the page: 'The purpose of this museum is to provide a shelter for strange, unwanted, malformed packets - abandoned and doomed freaks of nature - as we, mere mortals, meet them on twisted paths of our grand journey called life.'" Interesting and amusing idea. Most of the wasted packets I get are IIS worm attempts -- not nearly as interesting.
Well, there are stranger "museums" out there. At least it's not a museum of modern art.
Be sure to include this tragically lost packet.
"This packet arrived from www.law10.hotmail.com, one of web servers handling Hotmail traffic... But unlike standalone traceroute packets, this legitimate traffic will be forwarded thru most of stateful firewalls, allowing you to obtain a valuable information about their internal network structure, distance and such - and all this with virtually no possibility to be detected. Well done - this covert packet looked so innocent... "
Inconceivable!
...my boss would consider packets all of the packets routed to slashdot by me when I was meant to be working as "strange, unwanted and malformed". ;)
Taffyd.
Surely we now need a `Museum of shoddy half-assed software which passes junk as validly formed data`?
Tim
Faster than a speeding packet,
More powerful than a triple Mocha,
Able to leap Full Towers in a single bound,
Look behind the window!
It's a boot disk!
No! It's a packet!
No! It's a...OOooo, shiney object!
If it is not on fire, it is a software problem.
One thing is that I immediately think "IP" when I read "packets". But why did I have to misread "twisted paths" as "twisted pair"?
One cannot comprehend the mind-boggling amounts of spare time required to devote part of one's life to this.
What's next, a repository of images of free-form dust patterns from monitor screens?
Ignorance is the root of all evil.
Nowadays you get a malformed packet, and they'll call the FBI thinking there's anthrax in it.
OOps, wrong kind of packet.
means that it's the packet capture utility that's hosed, not the packets. :)
Anybody else thought this would be a sequel to this?
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
My approach to logging was to log all packets that didn't advance the connection. This included not only rejected packets but duplicates, empty ACKs, and related junk. In the early days, I'd get only a few packets per day once I'd debugged the TCP implementation thoroughly. As more implementations appeared on the Internet, I'd get more junk packets, and would E-mail back the packet source telling them how their protocol stack was broken. In those days, everybody on the net was DoD funded, and the other implementations were typically from researchers. We became something of a validation site for TCP/IP.
Once Berkeley UNIX got a TCP/IP stack, the amount of logged junk increased substantially.
I'd see one or two packets per day that passed Ethernet CRC but failed TCP/IP checksums, even from the local net. Early Ethernet controllers were apparently subject to memory errors. Most other bad packets were associated with the beginning of a connection. But we'd sometimes see a large number of packets that didn't advance the connection, indicating broken retransmit timers.
So I probably had the first museum of bad packets.
In a stunning move to corner one of the oldest markets in networking, Microsoft has patented the concept of a broken packet. Many router manufacturers may come under litigation if they do not pay the licensing fees.
I hope the Museum of Broken Packets can adequately catalog its own slashdotting.
Skiers and Riders -- http://www.snowjournal.com
There was this really interesting paper on intrusion that I had once read.
The paper basically had this idea that for every spoofed TCP packet, the receiptent will return a message, upon which the original sender would essentially say that it did not send the packet.
This paper made a statistical analysis of logging such packets over a fixed range of IP addresses, and then extrapolated from that result.
That way, one could get an idea of spoofed attacks being carried out. But the downside was that a lot of security programs themselves at times spoof IPs to mask their identity, so that could kind of alter the result by a reasonably high margin.
But I remember that it had a probability of a really high number of attacks being carried out under spoofed addresses. Pretty interesting read, although I do not seem to be able to locate where I had read it.
Is it, by any chance, on the Island of Misfit Toys?
Maybe. Rumor is Hermie, the UDP packet who wants to be a Dentist, started it up to help him pay for dental school.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
This isn't hard to foil at all. The "attacker" (hotmail in this case) can already trace up to your firewall, but not beyond it. This allows them to get the _incoming_ packets passed the firewall because they are part of an established connection, but the _outgoing_ packets will not be, they will be ICMP packets. Just block the outgoing TTL Exceeded packets (and while you are at it all ICMP except maybe ECHO) at your firewall.
It is as important to control what is leaving your network as what is coming in.
Si vis pacem, para bellum
The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
Y'all DO know about tcptraceroute, right?
-- Cerebus
Not sure if this is what you're looking for, but it may help. Stick this in the httpd.conf of your mod_perl enabled Apache server: # Nimda: Block incomming requests. { package Apache::Vermicide; use Apache::Constants qw(:common :response);
sub handler {
my $r = shift;
if ($r->uri() =~ /root\.exe|cmd\.exe|default\.ida/i) {
$r->push_handlers(PerlLogHandler => sub { return BAD_REQUEST });
return BAD_REQUEST;
}
return DECLINED;
}
}
PerlPostReadRequestHandler Apache::Vermicide
Wooden armaments to battle your imaginary foes!
Does anyone else expect that this collection will grow to include all of the orphaned packets, lost and all alone, that will appear when the server becomes slashdotted?
Not to nitpick or anything, but why would somebody do something like that?, yeah, I know boredom, attention, etc. But would it really matter if it was crafted wrong or became mutilated later?? The museum didn't specify they had to be "naturally occuring" mutations.
Where's my lobbyist? Right here.
Hey now,
Recent exploits in wu_ftpd, sshd, telnetd, and bind did not force me to "upgrade" my linux server to Windows 2000 (it did force me to upgrade these packages...!). I know you're just joking, but security holes are not endemic to the Windows world. Sloppy coders are everywhere.
A site like this could be very useful for those of us designing stacks and equipment.
For example, where I work we are writing software for routing, PPP, PPPoE, RIP, OSPF, and so on with all sorts of encapsulations. In an early field test we discovered a lot of cases where our PPP stack would fall over but we couldn't reproduce the problems with our lab equipment. Since then we wrote a bunch of test tools to purposely corrupt packets in any way imaginable to test our software.
BTW, does anyone know of a good site displaying various exploit packets? My firwall seems to catch a lot of them (I'm on a broadband connection).
This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
Arp requests dude. They time out so when you move a computer it doesn't have problems connecting. The first packet sent out to an IP when an arp table entry on the switch isn't available gets sent to everyone. When the host replies, the switch uses that to update its cache. Fairly standard really. This isn't a problem if the host without an entry sends the first packet, but it happens. I'll post anything else I see as a reply to this...
SIG: HUP
Wow, I don't think I would've even payed attention to most of those. I guess I don't know enough about TCP, etc, to recognize subtle stuff.
Though I do know enough (or not enough) to wonder about stuff like this:
At least it looks weird to me (ICMP type 65535?) Anybody know what that's about? I just noticed it recently when it went to 212.15.64.41 which is where some linux worm phones home, but it pops up every now and then to other hosts too.Probably a simple explanation but while all the network geeks are in the room I figured I'd ask...
tcptraceroute works by sending syn packets with incremented TTL's to publicly available servers on port 80 (or other public port). This passes firewalls because they are configured to allow traffic to these servers (hence "publicly available")
Again, this will not work if your firewall drops the outbound ICMP packets. In the case of tcptraceroute you will eventually get an ACK back from the server, so you will know how many hops it behind the firewall, but no other information.
The hotmail trick is somewhat more insidious because it is used in the midst of a session the firewall will usually pass the traffic to a normally protected (even NAT'd) host.
Both are easily blocked with outbound filters.
Si vis pacem, para bellum
The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
First fact: Switches are NOT security devices. They are designed to boost network performance, not to provide security from sniffers. There are ways to make most switches broadcast traffic like a hub.
Second.. we're talking about the switching tables on the switch, not the arp cache (arp cache is the wrong word probably in this case). A switch keeps track of which mac address is on which port. These things time out after a while. So when a switch gets a packet with a destination mac address it doesn't recognize.. it HAS to broadcast it to all ports.
BTW, standard learning bridges work the same way.
Example 1 is no particular mystery. The switch simply hasn't learned the MAC address of the intended destination. This could happen if the switch were newly rebooted, for example.
Cabletron had, at one point, a philosophy of "switch centric" networks. Even when layer 3 capabilities were built in so that the switches could, after a fashion, act like a router with respect to limiting broadcast traffic, it wouldn't be out of the question that some of the older equipment might still broadcast unicast packets under these conditions. These swtiches were often referred to by local staff as "routers", on the theory of walks-like-duck-quacks-like-duck.
I don't have a lot of experience with Cabletron stuff, but later stuff I've encountered uses standard VLAN techniques and could absolutely be configured to act like a router if that was what was desired. A temporarily misconfigured VLAN could cause this kind of unwanted packet -- for example if you attach a host, repeater or non-vlan switch to a trunk port of a VLAN switch. In that case you might receive broadcast traffic to any of the networks trunked by the port and unicasts to unlearned MACs. The whole point of VLAN is to physically uncouple cable segments to logical networks and to implement customizations to network topologies in software.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
I'd send out e-mails like "your implementation is not compliant with MIL-STD
para
This was needed. There were too many implementations that wouldn't talk to anything other than themselves, or screwed up when bandwidth was tight, or had related bugs.
TCP/IP could have turned into an N-squared problem, where you needed a matrix of what could talk to what, or where implementations had to be aware of the bugs in other implementations.
We managed to avoid that.
There was a cultural problem. The idea that the protocol specification ruled, not the implementations, was painful to some implementors. That's standard procedure in aerospace, where specs across vendor boundaries are taken seriously, and I was at Ford Aerospace.
Most of the players, even the universities, were DoD-funded through DARPA, and DoD insists on compliance with standards, so eventually, everybody was beaten into compliance.
In the end, everything talked to everything else.
Alright, it was me that has been doing this.
I had figured that chaining together rand48() with libpcap to generate random packets was the first step in creating an artificial life form out of the Internet at large.
If you'd just not exposed me prematurely like this I soon would have been successful in my attempt to create this life form.
"Provided by the management for your protection."
Yes.. if we are talking about separate vlans, (conceptually, different networks separated by a router) then the switch IS misbehaving. But that also depends on exactly how the switch is configured.
As for having a switch do arp requests in proxy-like fashion.. that's not the purpose of the switch. As for why it's 'not too wise' I don't understand.. ti's *exactly* what switches were designed to do... the purpose of a switch is to increase network performance (compared to a hub) by a best-effort attempt to put traffic only where it needs to be, without actually changing the behavior of the network itself.
As for a switch sending out an arp request... that in and of itself would be a broadcast packet to everywhere.... besides, as soon as the switch sees traffic from the 'unknown' host it'll populate it's switch table and start working 'normally' again.
I refuse to waste even MORE of my bandwidth on this 'bandwidth hogging garbage' by responding to it.. so it all goes to /dev/null. The only time I will respond to something is if it is actually having a quantifiable detremental effect on my systems, and I think contacting anyone will resolve it.
Hardly surprising, since I'm on a LAN Internet connection full of poorly configured Windows Notworking hosts spamming each other (and potentially the entire Internet, since they use 255.255.255.255, although I suspect/hope my college filters NetBIOS out at the router..
Well, RFC1812 specifies, that packages sent to the "limited broadcast address" (255.255.255.255) MUST NOT be forwarded by any router. Hence, unless your router(s) are seriously broken/misconfigured, the rest of the internet should be fairly safe
In general, RFC1812 is interresting reading, dictating how an IPv4-router should behave
-- "Life is a bitch - and she hates me..."
The SYN packet is the first packet of a TCP session. It is the packet that the computer initiating the session sends to the server to initiate the conversation.
When the server recieves a packet with the SYN flag set it either replies with a SYN/ACK, at which point the client sends an ACK and the session is established.
The SYN traceroute will only work with host that are directly accessable from the outside and is useful for tracing to a publicly available server. The Hotmail trick is useful for tracing to non-publicly available clients.
Si vis pacem, para bellum
The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian