North American Network Operators Group
Re: Napster.com moved to 64.124.41.0/24?
> Anyway, apart from the questionable practice of using these IPs for
> access-lists, this information is useful for some of us in the
> measurement community to write detectors that are less likely to get
> false hits, such as might happen when counting Napster traffic based
> solely on TCP port numbers.

You might find the following paper interesting:

    Detecting Backdoors
    Yin Zhang (Cornell) & Vern Paxson (ACIRI)
    Proc. USENIX Security Symposium, August 2000
    http://www.aciri.org/vern/papers/backdoor-sec00.ps.gz
    http://www.aciri.org/vern/papers/backdoor/index.html

Along with security-oriented backdoors such as Telnet & SSH, we also
developed backdoor detectors for Napster and Gnutella. We developed
general detectors that run on reconstructed TCP streams (implemented in
the Bro intrusion detection system) and also fast-cheap-and-definite-hack
detectors that use just tcpdump filters.

The tcpdump detector for Napster is:

    # look for "SEND" or "GET" in a
    # packet by itself (so payload of
    # 4 or 3 bytes, respectively)
    ((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) = 4 and
        tcp[(tcp[12]>>2):4] = 0x53454e44)
    or
    ((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) = 3 and
        tcp[(tcp[12]>>2):2] = 0x4745 and tcp[(tcp[12]>>2)+2]=0x54)

and the one for Gnutella is:

    # look for "GNUTELLA " as first
    # 9 characters of payload
    tcp[(tcp[12]>>2):4] = 0x474e5554 and
    tcp[(4+(tcp[12]>>2)):4] = 0x454c4c41 and
    tcp[8+(tcp[12]>>2)] = 0x20

Another fun one to run (a total hack) is a root backdoor detector:

    # look for '# ' in a packet with
    # exactly 2 bytes of payload
    tcp[(tcp[12]>>2):2] = 0x2320 and
    (ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) == 2

All of these work surprisingly well, and with kernel BPF can run at
Gbps speeds.

		Vern
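As an added illustration (not part of Vern's message or the Bro project), the arithmetic the three tcpdump filters rely on, ip[2:2] minus the IP header length minus the TCP header length, written out in Python and run against constructed IPv4/TCP packets, including ones with IP and TCP options so the header-length terms actually matter; addresses, ports and checksums in build_packet are dummy values.

```python
import struct

def tcp_payload(pkt: bytes) -> bytes:
    """Return the TCP payload of a raw IPv4/TCP packet (no link-layer header).

    Mirrors the filters: ip[2:2] is the IPv4 total length, (ip[0]&0x0f)<<2
    the IP header length, and tcp[12]>>2 the TCP header length (data-offset
    nibble times 4, which assumes the reserved bits in tcp[12] are zero).
    """
    ihl = (pkt[0] & 0x0F) << 2
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    tcp = pkt[ihl:]
    thl = tcp[12] >> 2
    payload_len = total_len - ihl - thl
    return tcp[thl:thl + payload_len]

def napster_hit(pkt: bytes) -> bool:
    """Payload is exactly "SEND" (4 bytes) or exactly "GET" (3 bytes)."""
    p = tcp_payload(pkt)
    return p == b"SEND" or p == b"GET"

def gnutella_hit(pkt: bytes) -> bool:
    """First 9 payload bytes are "GNUTELLA "; length is not checked, as in the filter."""
    return tcp_payload(pkt)[:9] == b"GNUTELLA "

def root_prompt_hit(pkt: bytes) -> bool:
    """Payload is exactly the two bytes "# "."""
    return tcp_payload(pkt) == b"# "

def build_packet(payload: bytes, ip_options: bytes = b"", tcp_options: bytes = b"") -> bytes:
    """Constructed IPv4/TCP packet for testing; addresses, ports and checksums are dummies."""
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl = 20 + len(ip_options)          # IP header length in bytes
    thl = 20 + len(tcp_options)         # TCP header length in bytes
    total = ihl + thl + len(payload)    # goes into ip[2:2]
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | (ihl // 4), 0, total, 0, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    tcp = struct.pack("!HHIIBBHHH", 6699, 40000, 1, 1, (thl // 4) << 4,
                      0x18, 8192, 0, 0) + tcp_options
    return ip + tcp + payload
```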