[Dshield] Request for Information re: Linksys Router Logging and Dshield Submissions

John Holmblad jholmblad at aol.com
Fri Oct 17 02:48:14 GMT 2003


Mark,

You are absolutely right regarding potential threats from inside the
firewall as a result of trojans, etc.

Interestingly, I am working with AOL right now on an anomaly that my
Linksys router detected as having the signature of a "smurf" attack
coming from my network headed toward the Internet. This anomaly started
about two months ago. Until a few weeks ago (when I rediscovered
Netscape Navigator/Communicator after the disaster of V6.X and its
useful "dovetailing" with the AOL email service) I had used the AOL
"fat client" for email. What seems to be happening is that the AOL "fat
client" protocol is sending ICMP echo request packets from the AOL
server to whichever PC I am using, which are embedded as data in the
TCP connection that is set up between my computer and the AOL service.
These ICMP echo request packets are addressed to the IP address served
to the virtual adapter that AOL sets up on my PC when the TCP
connection to the AOL service is initiated. I can see the virtual
adapter via the ipconfig command and the additional routing table
entries via the route command. Furthermore, when I check the source
address taken from the embedded ICMP echo request packets, using
visualtrace, I find that the IP addresses are from AOL's address space.
I would add that although I have never really studied the AOL service
protocol, it is reasonable to assume it is some sort of encapsulating
VPN-like protocol since it seems to jam everything over one TCP session.

What happens next is where the anomaly occurs. Somehow, when these ICMP
packets are turned around by the AOL client software in my PC to
become ICMP echo responses (for whatever reason), they do NOT go through
the TCP encapsulation 100% of the time. Sometimes they get sent directly
to the physical LAN adapter on my PC, bypass the virtual adapter, and
then are "caught" by the Linksys router, which sometimes flags
these packets as potential smurf attacks (even though the offending
packets are echo response packets and not echo requests) and blocks
them. Further evidence of this occurring is provided by my Norton
Firewall software, which reports, for example, 2 ICMP echo requests
coming in right on top of one another (first, I assume, to the physical
adapter and then to the virtual adapter), but only one ICMP echo
response going out. Unfortunately the Firewall does not show me which
interface (virtual or physical MAC address) the packets came in on/went
out on. I have sent Ethereal traces to AOL of TCP sessions which exhibit
this behavior and they are now looking into the matter.

What makes me somewhat suspicious is that these ICMP echo request
packets which are embedded in the TCP data stream all have a common
signature of 64 bytes of 0xaa appended to the end of the TCP data field.
I suspect that the use of ICMP echo requests/responses may be
legitimate and somehow associated with the AOL AIM IM service (buddy
discovery?), but so far AOL has not given me any substantive feedback on
this anomaly. This problem occurs on Win XP Pro (AOL 7.0, 8.0, and 9.0)
and W2K Advanced Server (AOL 7.0). It so happens that of the three
systems where I have Ethereal installed (2 WXP Pro and 1 W2K AS), only
2 of them (1 WXP Pro and the W2K AS system) show this problem. For that
reason I have ruled out the Winpcap component of Ethereal as the culprit,
even though it remains a possibility. I have always believed that there
is somehow a practical analogy between the Heisenberg Uncertainty
Principle and the process of tracing (that is, watching) what is going
on on a network. It occurred to me that maybe by watching (or having the
capability installed on my PC to watch, since in fact I first discovered
this anomaly by a cursory examination of my Linksys logs before I
started active watching via Ethereal) I might have triggered a timing
related flaw (a perturbation, shall we say) in someone's (Microsoft's,
AOL's, or whoever owns the IP for Winpcap) software.


Best Regards,

John Holmblad
Televerage International

(H) 703 620 0672
(M) 703 407 2278
(F) 703 620 5388

www page:              www.vtext.com/users/jholmblad
primary email address: jholmblad at aol.com
backup email address:  jholmblad at verizon.net
text email address:    jholmblad at vtext.com
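Added example, not part of the original post and not AOL's, Linksys's or Norton's code: a small ICMP echo parser that lets a defender check, on a captured packet, the two things the message above turns on. First, whether the packet is an echo request (type 8) or an echo reply (type 0), since a classic smurf is a flood of echo requests sent to a directed broadcast address with a forged source, and an outbound echo reply is simply the answer to an inbound request. Second, whether the payload carries the 64-byte 0xaa fill pattern the poster observed. Packet layout follows RFC 792 and the checksum RFC 1071; the sample packets are constructed inline, and the router's own heuristic is unknown, so the classifier here is an assumption about what a reasonable heuristic should look like.

```python
"""Parse ICMP echo packets and classify them the way a LAN-edge filter might.

Example code only; the packets below are constructed, not captured.
"""
import struct

ICMP_ECHO_REPLY = 0    # RFC 792 type 0
ICMP_ECHO_REQUEST = 8  # RFC 792 type 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over header plus payload."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an echo request/reply with a correct checksum (for constructing samples)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp_echo(packet: bytes) -> dict:
    """Decode the 8-byte echo header, verify the checksum, return the fields."""
    if len(packet) < 8:
        raise ValueError("too short for an ICMP header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        raise ValueError("not an ICMP echo request/reply")
    # Recompute with the checksum field zeroed; it must match the wire value.
    zeroed = packet[:2] + b"\x00\x00" + packet[4:]
    return {
        "type": icmp_type,
        "code": code,
        "id": ident,
        "seq": seq,
        "payload": packet[8:],
        "checksum_ok": icmp_checksum(zeroed) == csum,
    }


def has_fill_pattern(payload: bytes, fill: int = 0xAA, min_len: int = 64) -> bool:
    """True if the payload ends in at least min_len copies of the fill byte."""
    return len(payload) >= min_len and payload[-min_len:] == bytes([fill]) * min_len


def classify_outbound(parsed: dict, dst_is_broadcast: bool) -> str:
    """Classify an echo packet leaving the LAN toward the Internet.

    Assumed heuristic: only echo *requests* aimed at a broadcast address look
    like smurf amplification; an echo reply is the normal answer to a request
    that came in, so flagging it as a smurf source is a false positive.
    """
    if parsed["type"] == ICMP_ECHO_REQUEST:
        return "smurf-candidate" if dst_is_broadcast else "echo-request"
    return "echo-reply"


if __name__ == "__main__":
    # Constructed sample: a request carrying the 64 x 0xaa trailer, and its reply.
    req = build_icmp_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"\xaa" * 64)
    rep = build_icmp_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"\xaa" * 64)
    for pkt in (req, rep):
        p = parse_icmp_echo(pkt)
        print(p["type"], p["checksum_ok"], has_fill_pattern(p["payload"]),
              classify_outbound(p, dst_is_broadcast=False))
```

The parser checks the checksum before trusting the type, so a damaged or truncated packet is reported as such rather than silently classified; the fill-pattern check is a plain byte comparison, which is all the poster's observation supports.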
