[unisog] Inbound traffic from Internet

De Carteret, Matthew Matthew.DeCarteret at upstream.originenergy.com.au
Wed Jun 14 22:50:52 GMT 2006

My suggestion would be to look for http traffic coming back from a
connection with banner strings of SSH (I've used SSH via squid proxy)
and common connection replies for httptunnel and similar, also look for
HTTP CONNECT requests to non-SSL ports.  There are a few new streaming
sites out there becoming very popular. I see a lot of Pandora.com in my
squid and ISA logs.

Matthew de Carteret
Network & Linux Administrator
Upstream - Origin Energy Australia
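The two checks suggested above (CONNECT to non-SSL ports in the proxy log, and an SSH banner at the start of an HTTP response body), written up as an added example that is not part of the original post. It assumes squid's native access.log layout and uses constructed log lines and response bytes; the set of "expected" CONNECT ports is an assumption to tune locally.

```python
import re
from typing import Dict, List

# Constructed squid access.log excerpt (native format, one request per line):
# time elapsed client action/status bytes method URL user hierarchy/peer type
SAMPLE_ACCESS_LOG = """\
1150325000.123    456 10.1.2.3 TCP_TUNNEL/200 1834 CONNECT mail.example.net:443 - DIRECT/203.0.113.5 -
1150325001.456  91234 10.1.2.3 TCP_TUNNEL/200 9201 CONNECT shell.example.org:22 - DIRECT/203.0.113.9 -
1150325002.789    120 10.1.2.4 TCP_MISS/200 512 GET http://www.pandora.com/radio/ - DIRECT/203.0.113.7 text/html
1150325003.001  64000 10.1.2.5 TCP_TUNNEL/200 500 CONNECT proxy.example.com:8080 - DIRECT/198.51.100.2 -
"""

# Assumption: CONNECT is only expected to reach HTTPS; anything else is worth a look.
EXPECTED_CONNECT_PORTS = {443}

def suspicious_connects(log_text: str, allowed=EXPECTED_CONNECT_PORTS) -> List[Dict[str, str]]:
    """Return CONNECT requests whose destination port is not an expected SSL port."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue
        host, sep, port = fields[6].rpartition(":")
        if not sep or not port.isdigit():
            continue  # malformed target: skip rather than guess a port
        if int(port) not in allowed:
            hits.append({"client": fields[2], "host": host, "port": port})
    return hits

# SSH identification string as sent by the server: "SSH-protoversion-softwareversion"
SSH_BANNER = re.compile(rb"^SSH-\d+\.\d+-")

def http_body_is_ssh(response: bytes) -> bool:
    """True if an HTTP response body begins with an SSH banner (SSH carried over HTTP)."""
    _header, sep, body = response.partition(b"\r\n\r\n")
    if not sep:
        return False  # no header/body boundary, so nothing to classify
    return SSH_BANNER.match(body) is not None

# Constructed responses: one SSH-over-HTTP reply, one ordinary page.
TUNNELED = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nSSH-2.0-OpenSSH_4.3\r\n"
ORDINARY = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>hi</body></html>"

if __name__ == "__main__":
    for hit in suspicious_connects(SAMPLE_ACCESS_LOG):
        print("CONNECT to non-SSL port:", hit)
    print("tunneled:", http_body_is_ssh(TUNNELED), "ordinary:", http_body_is_ssh(ORDINARY))
```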

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of
Valdis.Kletnieks at vt.edu
Sent: Thursday, 15 June 2006 8:27 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Inbound traffic from Internet

On Wed, 14 Jun 2006 15:08:13 CDT, Velasquez Venegas Jaime Omar said:

> Several captures at peak times of the problematic traffic lead me to
> conclude that it should be some way of streaming over http 

And this, my friends, is what happens when you firewall off a lot of
ports.  If
port 80 is the only port likely to make it out, it *will* get used for
stuff as well.  Except that instead of just comparing 2 bytes in the
header to tell what the packet is, now you need to do some really deep
inspection. Also, now that everything has been squished onto 80 and 443,
it's not as easy to use QoS and Packeteers and the like to shape the traffic.

In our collective zeal to micromanage and hypercontrol the traffic, we've
essentially killed off some of our most useful tools to control it....
