Slashdot Mirror
Museum Of Broken Packets
hobbicik writes: "Quote from the page: 'The purpose of this museum is to provide a shelter for strange, unwanted, malformed packets - abandoned and doomed freaks of nature - as we, mere mortals, meet them on twisted paths of our grand journey called life.'" Interesting and amusing idea. Most of the wasted packets I get are IIS worm attempts -- not nearly as interesting.
Well, there are stranger "museums" out there. At least it's not a museum of modern art.
"This packet arrived from www.law10.hotmail.com, one of web servers handling Hotmail traffic... But unlike standalone traceroute packets, this legitimate traffic will be forwarded thru most of stateful firewalls, allowing you to obtain a valuable information about their internal network structure, distance and such - and all this with virtually no possibility to be detected. Well done - this covert packet looked so innocent... "
Inconceivable!
...my boss would consider packets all of the packets routed to slashdot by me when I was meant to be working as "strange, unwanted and malformed". ;)
Taffyd.
Surely we now need a `Museum of shoddy half-assed software which passes junk as validly formed data`?
Tim
Faster than a speeding packet,
More powerful than a triple Mocha,
Able to leap Full Towers in a single bound,
Look behind the window!
It's a boot disk!
No! It's a packet!
No! It's a...OOooo, shiney object!
If it is not on fire, it is a software problem.
One cannot comprehend the mind-boggling amounts of spare time required to devote part of one's life to this.
What's next, a repository of images of free-form dust patterns from monitor screens?
Ignorance is the root of all evil.
Nowadays you get a malformed packet, and they'll call the FBI thinking there's anthrax in it.
OOps, wrong kind of packet.
means that it's the packet capture utility that's hosed, not the packets. :)
My approach to logging was to log all packets that didn't advance the connection. This included not only rejected packets but duplicates, empty ACKs, and related junk. In the early days, I'd get only a few packets per day once I'd debugged the TCP implementation thoroughly. As more implementations appeared on the Internet, I'd get more junk packets, and would E-mail back the packet source telling them how their protocol stack was broken. In those days, everybody on the net was DoD funded, and the other implementations were typically from researchers. We became something of a validation site for TCP/IP.
Once Berkeley UNIX got a TCP/IP stack, the amount of logged junk increased substantially.
I'd see one or two packets per day that passed Ethernet CRC but failed TCP/IP checksums, even from the local net. Early Ethernet controllers were apparently subject to memory errors. Most other bad packets were associated with the beginning of a connection. But we'd sometimes see a large number of packets that didn't advance the connection, indicating broken retransmit timers.
So I probably had the first museum of bad packets.
In a stunning move to corner one of the oldest markets in networking, Microsoft has patented the concept of a broken packet. Many router manufacturers may come under litigation if they do not pay the licensing fees.
I hope the Museum of Broken Packets can adequately catalog its own slashdotting.
Skiers and Riders -- http://www.snowjournal.com
There was this really interesting paper on intrusion that I had once read.
The paper basically had this idea that for every spoofed TCP packet, the receiptent will return a message, upon which the original sender would essentially say that it did not send the packet.
This paper made a statistical analysis of logging such packets over a fixed range of IP addresses, and then extrapolated from that result.
That way, one could get an idea of spoofed attacks being carried out. But the downside was that a lot of security programs themselves at times spoof IPs to mask their identity, so that could kind of alter the result by a reasonably high margin.
But I remember that it had a probability of a really high number of attacks being carried out under spoofed addresses. Pretty interesting read, although I do not seem to be able to locate where I had read it.
Y'all DO know about tcptraceroute, right?
-- Cerebus
A site like this could be very useful for those of us designing stacks and equipment.
For example, where I work we are writing software for routing, PPP, PPPoE, RIP, OSPF, and so on with all sorts of encapsulations. In an early field test we discovered a lot of cases where our PPP stack would fall over but we couldn't reproduce the problems with our lab equipment. Since then we wrote a bunch of test tools to purposely corrupt packets in any way imaginable to test our software.
BTW, does anyone know of a good site displaying various exploit packets? My firwall seems to catch a lot of them (I'm on a broadband connection).
This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
Arp requests dude. They time out so when you move a computer it doesn't have problems connecting. The first packet sent out to an IP when an arp table entry on the switch isn't available gets sent to everyone. When the host replies, the switch uses that to update its cache. Fairly standard really. This isn't a problem if the host without an entry sends the first packet, but it happens. I'll post anything else I see as a reply to this...
SIG: HUP
tcptraceroute works by sending syn packets with incremented TTL's to publicly available servers on port 80 (or other public port). This passes firewalls because they are configured to allow traffic to these servers (hence "publicly available")
Again, this will not work if your firewall drops the outbound ICMP packets. In the case of tcptraceroute you will eventually get an ACK back from the server, so you will know how many hops it behind the firewall, but no other information.
The hotmail trick is somewhat more insidious because it is used in the midst of a session the firewall will usually pass the traffic to a normally protected (even NAT'd) host.
Both are easily blocked with outbound filters.
Si vis pacem, para bellum
The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
I'd send out e-mails like "your implementation is not compliant with MIL-STD
para
This was needed. There were too many implementations that wouldn't talk to anything other than themselves, or screwed up when bandwidth was tight, or had related bugs.
TCP/IP could have turned into an N-squared problem, where you needed a matrix of what could talk to what, or where implementations had to be aware of the bugs in other implementations.
We managed to avoid that.
There was a cultural problem. The idea that the protocol specification ruled, not the implementations, was painful to some implementors. That's standard procedure in aerospace, where specs across vendor boundaries are taken seriously, and I was at Ford Aerospace.
Most of the players, even the universities, were DoD-funded through DARPA, and DoD insists on compliance with standards, so eventually, everybody was beaten into compliance.
In the end, everything talked to everything else.