Re: Napster.com moved to 64.124.41.0/24?
Anyway, apart from the questionable practice of using these IPs for access-lists, this information is useful for some of us in the measurement community to write detectors that are less likely to get false hits, such as might happen when counting Napster traffic based solely on TCP port numbers.
You might find the following paper interesting:

    Detecting Backdoors
    Yin Zhang (Cornell) & Vern Paxson (ACIRI)
    Proc. USENIX Security Symposium, August 2000
    http://www.aciri.org/vern/papers/backdoor-sec00.ps.gz
    http://www.aciri.org/vern/papers/backdoor/index.html

Along with security-oriented backdoors such as Telnet & SSH, we also developed backdoor detectors for Napster and Gnutella. We developed general detectors that run on reconstructed TCP streams (implemented in the Bro intrusion detection system) and also fast-cheap-and-definite-hack detectors that use just tcpdump filters.

The tcpdump detector for Napster is:

    # look for "SEND" or "GET" in a
    # packet by itself (so payload of
    # 4 or 3 bytes, respectively)
    ((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) = 4 and
     tcp[(tcp[12]>>2):4] = 0x53454e44)
    or
    ((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) = 3 and
     tcp[(tcp[12]>>2):2] = 0x4745 and tcp[(tcp[12]>>2)+2] = 0x54)

and the one for Gnutella is:

    # look for "GNUTELLA " as first
    # 9 characters of payload
    tcp[(tcp[12]>>2):4] = 0x474e5554 and
    tcp[(4+(tcp[12]>>2)):4] = 0x454c4c41 and
    tcp[8+(tcp[12]>>2)] = 0x20

Another fun one to run (a total hack) is a root backdoor detector:

    # look for '# ' in a packet with
    # exactly 2 bytes of payload
    tcp[(tcp[12]>>2):2] = 0x2320 and
    (ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) == 2

All of these work surprisingly well, and with kernel BPF can run at Gbps speeds.

Vern
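As an added example that is not part of the original post, the following Python reproduces the arithmetic the tcpdump filters rely on (IP total length minus IP header length minus TCP data offset) and applies the three signatures to constructed IPv4/TCP packets, so the payload-length logic can be checked offline, including the case where TCP options change the data offset:

```python
import struct
from typing import Optional

# Constructed sample packets (not captured traffic): minimal IPv4 + TCP headers,
# optional IP/TCP options, followed by a small payload.
def build_packet(payload: bytes, ip_opts: bytes = b"", tcp_opts: bytes = b"") -> bytes:
    ihl = 5 + len(ip_opts) // 4          # IP header length in 32-bit words
    doff = 5 + len(tcp_opts) // 4        # TCP data offset in 32-bit words
    total = ihl * 4 + doff * 4 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_opts
    # src port, dst port, seq, ack, data offset nibble, flags (PSH|ACK), window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", 1234, 8888, 0, 0, doff << 4, 0x18, 8192, 0, 0) + tcp_opts
    return ip_hdr + tcp_hdr + payload

def tcp_payload(pkt: bytes) -> bytes:
    """Mirror the filter expression: ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)."""
    ip_len = (pkt[0] & 0x0F) << 2                 # ((ip[0]&0x0f)<<2)
    total = struct.unpack("!H", pkt[2:4])[0]      # ip[2:2]
    tcp = pkt[ip_len:]
    tcp_len = tcp[12] >> 2                        # (tcp[12]>>2): data offset * 4
    payload_len = total - ip_len - tcp_len
    return tcp[tcp_len:tcp_len + payload_len]

def classify(pkt: bytes) -> Optional[str]:
    """Return which of the three detectors from the post would fire, if any."""
    p = tcp_payload(pkt)
    if p == b"SEND" or p == b"GET":       # Napster: the command alone, 4 or 3 bytes of payload
        return "napster"
    if p[:9] == b"GNUTELLA ":             # Gnutella: first 9 payload bytes, any total length
        return "gnutella"
    if p == b"# ":                        # root prompt alone in a 2-byte payload
        return "root-backdoor"
    return None

if __name__ == "__main__":
    for payload in (b"SEND", b"GET", b"GET / HTTP/1.0\r\n", b"GNUTELLA CONNECT/0.4\n\n", b"# "):
        print(repr(payload), "->", classify(build_packet(payload)))
```

Note that an HTTP request starting with "GET " is not matched, exactly as the tcpdump filter requires the payload to be 3 bytes long; a port-based count would have no such distinction.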
participants (1)
-
vern@ee.lbl.gov