[31130] in North American Network Operators' Group
Re: Napster.com moved to 64.124.41.0/24?
daemon@ATHENA.MIT.EDU (vern@ee.lbl.gov)
Tue Sep 12 19:04:14 2000
Message-Id: <200009122301.e8CN1dA20560@daffy.ee.lbl.gov>
From: vern@ee.lbl.gov
To: plonka@doit.wisc.edu
Cc: nanog@merit.edu
Date: Tue, 12 Sep 2000 16:01:39 PDT
Errors-To: owner-nanog-outgoing@merit.edu
> Anyway, apart from the questionable practice of using these IPs for
> access-lists, this information is useful for some of us in the
> measurement community to write detectors that are less likely to get
> false hits, such as might happen when counting Napster traffic based
> solely on TCP port numbers.
You might find the following paper interesting:
    Detecting Backdoors
    Yin Zhang (Cornell) & Vern Paxson (ACIRI)
    Proc. USENIX Security Symposium, August 2000
    http://www.aciri.org/vern/papers/backdoor-sec00.ps.gz
    http://www.aciri.org/vern/papers/backdoor/index.html
Along with security-oriented backdoors such as Telnet & SSH, we also
developed backdoor detectors for Napster and Gnutella. We developed
general detectors that run on reconstructed TCP streams (implemented in
the Bro intrusion detection system) and also fast-cheap-and-definite-hack
detectors that use just tcpdump filters.
The tcpdump detector for Napster is:
    # look for "SEND" or "GET" in a
    # packet by itself (so payload of
    # 4 or 3 bytes, respectively)
    ((ip[2:2] - ((ip[0]&0x0f)<<2) -
      (tcp[12]>>2)) = 4 and
     tcp[(tcp[12]>>2):4] = 0x53454e44) or
    ((ip[2:2] - ((ip[0]&0x0f)<<2) -
      (tcp[12]>>2)) = 3 and
     tcp[(tcp[12]>>2):2] = 0x4745 and
     tcp[(tcp[12]>>2)+2] = 0x54)
and the one for Gnutella is:
    # look for "GNUTELLA " as first
    # 9 characters of payload
    tcp[(tcp[12]>>2):4] = 0x474e5554 and
    tcp[(4+(tcp[12]>>2)):4] = 0x454c4c41 and
    tcp[8+(tcp[12]>>2)] = 0x20
Another fun one to run (a total hack) is a root backdoor detector:
    # look for '# ' in a packet with
    # exactly 2 bytes of payload
    tcp[(tcp[12]>>2):2] = 0x2320 and
    (ip[2:2] - ((ip[0]&0x0f)<<2) -
     (tcp[12]>>2)) == 2
All of these work surprisingly well, and with kernel BPF can run at
Gbps speeds.
Vern
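The three filters above re-expressed in plain Python, as an added example that is not part of Vern's post or the Bro/tcpdump code: it builds constructed IPv4/TCP packets (no real captures) and applies the same payload-length arithmetic (ip[2:2] minus IP header length minus TCP data offset) and byte matches, including packets with IP and TCP options to show why both header lengths have to be read from the packet rather than assumed to be 20.

```python
import struct
from typing import Optional

# Constructed sample packets: minimal IPv4 + TCP headers around a chosen
# payload. Checksums are left at zero; the filters never look at them.
def build_packet(payload: bytes, ip_opts: bytes = b"", tcp_opts: bytes = b"") -> bytes:
    """Return raw IPv4/TCP bytes; option blobs must be multiples of 4 bytes."""
    ihl = 5 + len(ip_opts) // 4            # IP header length in 32-bit words
    tcp_off = 5 + len(tcp_opts) // 4       # TCP data offset in 32-bit words
    total_len = ihl * 4 + tcp_off * 4 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                         64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH", 1234, 8888, 0, 0, tcp_off << 4,
                          0x18, 8192, 0, 0)
    return ip_hdr + ip_opts + tcp_hdr + tcp_opts + payload

def tcp_payload(pkt: bytes) -> bytes:
    """Same arithmetic as the filters: ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2).

    Using the IP total length (not the captured length) means trailing
    link-layer padding is not mistaken for payload.
    """
    ihl_bytes = (pkt[0] & 0x0F) << 2                 # ((ip[0]&0x0f)<<2)
    total_len = struct.unpack("!H", pkt[2:4])[0]     # ip[2:2]
    tcp = pkt[ihl_bytes:]
    data_off = tcp[12] >> 2                          # (tcp[12]>>2), in bytes
    plen = total_len - ihl_bytes - data_off
    return tcp[data_off:data_off + plen]

def classify(pkt: bytes) -> Optional[str]:
    """Apply the three detectors; None means no filter would have matched."""
    p = tcp_payload(pkt)
    if p in (b"SEND", b"GET"):       # Napster: the verb alone, exact length
        return "napster"
    if p[:9] == b"GNUTELLA ":        # Gnutella: first 9 payload bytes only
        return "gnutella"
    if p == b"# ":                   # root prompt echoed as a 2-byte packet
        return "root-backdoor"
    return None
```

A lone "GET" payload matches, while "GET / HTTP/1.0" does not, which is the exact-length trick that keeps ordinary HTTP out of the Napster count.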