Firewall-1

Re: [FW-1] A little off Topic - Unknown Port

Subject: Re: [FW-1] A little off Topic - Unknown Port
From: "La Coursiere, Jeff" <Jeff.LaCoursiere AT T-MOBILE DOT NET>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Thu, 26 Jun 2003 15:21:15 +0100
TCP does not support broadcast traffic.  I agree with Chris - this traffic is 
undefined garbage.  Now it may be that it is malicious and targeting some kind 
of broken stack, but that seems unlikely.  I have to admit that I don't have 
any useful suggestions for explaining why he is seeing it on his network, but 
there is no reason to squabble over what to call it.  All real "announcement" 
traffic as you call it must use UDP to do so (or have a list of specific hosts 
to make TCP connections to).

j
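The distinction Jeff draws above (UDP to a broadcast address is how real "announcement" traffic is sent; a TCP segment aimed at a broadcast or multicast address cannot complete a handshake and is malformed) is easy to turn into a triage rule for a capture. The following is an added example and is not code from the thread or from any of the products named in it: it builds a few IPv4/TCP and IPv4/UDP packets inline as constructed test data (the 192.168.1.0/24 subnet, the hosts and the source ports are assumptions), parses the headers, and labels each packet as an announcement, broken traffic, or ordinary unicast.

```python
"""Triage IPv4 packets by destination class and transport protocol.

Added example, not from the mailing-list thread. The rule it encodes: UDP to a
broadcast address is a legitimate "announcement"; TCP to a broadcast or multicast
address cannot complete a handshake and is therefore malformed. All packets below
are constructed in this file; nothing is captured from a live network.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPPROTO_TCP = 6
IPPROTO_UDP = 17
TCP_SYN = 0x02
TCP_ACK = 0x10
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
LOCAL_NET = ipaddress.IPv4Network("192.168.1.0/24")  # assumed local subnet


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int]   # None when the transport is not TCP/UDP
    tcp_flags: int         # 0 for non-TCP packets


def build_ipv4(proto: int, src: str, dst: str, sport: int, dport: int,
               tcp_flags: int = TCP_SYN) -> bytes:
    """Build a minimal IPv4 packet carrying a TCP or UDP header (test data only).
    Checksums are left as zero; parse_ipv4() does not validate them."""
    if proto == IPPROTO_TCP:
        # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urgent
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    elif proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)  # sport, dport, length, csum
    else:
        raise ValueError("only TCP and UDP are modelled here")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + l4


def parse_ipv4(frame: bytes) -> Packet:
    """Parse the IPv4 header plus the destination port and TCP flags of the payload."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4
    proto = frame[9]
    src = str(ipaddress.IPv4Address(frame[12:16]))
    dst = str(ipaddress.IPv4Address(frame[16:20]))
    dport = None
    flags = 0
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(frame) >= ihl + 4:
        dport = struct.unpack("!H", frame[ihl + 2:ihl + 4])[0]
    if proto == IPPROTO_TCP and len(frame) >= ihl + 14:
        flags = frame[ihl + 13]  # TCP flags byte follows the data-offset byte
    return Packet(proto, src, dst, dport, flags)


def destination_kind(dst: str, local_net: ipaddress.IPv4Network) -> str:
    """'broadcast' covers 255.255.255.255 and the local subnet's directed broadcast."""
    addr = ipaddress.IPv4Address(dst)
    if addr == LIMITED_BROADCAST or addr == local_net.broadcast_address:
        return "broadcast"
    if addr.is_multicast:
        return "multicast"
    return "unicast"


def assess(pkt: Packet, local_net: ipaddress.IPv4Network) -> Tuple[str, str]:
    """Return (category, detail) for one packet."""
    kind = destination_kind(pkt.dst, local_net)
    if pkt.proto == IPPROTO_TCP and kind != "unicast":
        # No three-way handshake can complete with a broadcast or multicast peer.
        return "broken", f"TCP to {kind} address {pkt.dst} port {pkt.dport} from {pkt.src}"
    if pkt.proto == IPPROTO_UDP and kind != "unicast":
        return "announcement", f"UDP {kind} to port {pkt.dport} from {pkt.src}"
    if pkt.proto == IPPROTO_TCP and pkt.tcp_flags & TCP_SYN and not pkt.tcp_flags & TCP_ACK:
        return "unicast", f"TCP SYN to {pkt.dst}:{pkt.dport} from {pkt.src}"
    return "unicast", f"proto {pkt.proto} to {pkt.dst} from {pkt.src}"


# Constructed samples: a UDP announcement, two malformed TCP packets, one normal SYN.
SAMPLE_FRAMES = [
    build_ipv4(IPPROTO_UDP, "192.168.1.10", "255.255.255.255", 6502, 6502),
    build_ipv4(IPPROTO_TCP, "192.168.1.10", "192.168.1.255", 3456, 60001),
    build_ipv4(IPPROTO_TCP, "192.168.1.10", "224.0.0.1", 3457, 60001),
    build_ipv4(IPPROTO_TCP, "192.168.1.20", "192.168.1.10", 3458, 60001),
]


def triage(frames: List[bytes] = SAMPLE_FRAMES,
           local_net: ipaddress.IPv4Network = LOCAL_NET) -> List[Tuple[str, str]]:
    return [assess(parse_ipv4(f), local_net) for f in frames]


if __name__ == "__main__":
    for category, detail in triage():
        print(f"{category:13s} {detail}")
```

Anything that comes back as "broken" is worth tracing to its source MAC on the segment rather than to a listening service, since no application-layer protocol can be using it; the "announcement" bucket is where the NetOp, SNTP and similar UDP advertisers from the thread would land.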

-----Original Message-----
From: Dimitris Chontzopoulos [mailto:dchontzo AT ABC DOT GR]
Sent: 26 June 2003 13:54
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] A little off Topic - Unknown Port


So, if it's not "Broadcast" what is it then? I presume it is "Broken
Traffic". But it might also be an "Announcement". You know, like NetOp
Remote Control if you don't check the "Disable Local Subnet
Broadcasting" option (6502 TCP/UDP), or maybe "Broadcast SNTP every..."
in a very popular Time Server program (7 UDP), or even Compaq Insight
Manager using TCP 2301 to "Announce" its presence, or even Symantec NAV
Corporate Edition and McAfee e-Policy Orchestrator, not to mention HP
JetDirect TCP 9100.

So, if it is a matter of terminology, then probably it should be
"Announcement" instead of "Broadcast", or even "Broken Traffic". I don't
think that we should argue on the type of traffic (Broadcast, Multicast,
Broken Traffic, Announcement or whatever). I, on the other hand, think
that it may actually be "Announcement" instead of "Broken Traffic". You
just "can't be too careful after all". So, if it is an "Announcement"
(which is my best bet) it may be for a Trojan or something "Announcing"
its presence on the Network, or even some stupid installed Server
application trying to "Announce" its presence on the network, why not?
The thing is that "you can't be too careful". What am I trying to do? I
am merely trying to find out what exactly this kind of traffic really is
in order to reduce the possibility of actually having a Trojan on the
Server. If I get to know what this thing really is, I will be able to
track it back to its source and get rid of it. After I'm done with that,
I'll be able to never let it happen again (I hope).

An Anti-Virus Scan, as well as scans from 3 different programs able to
detect Trojans/Ad-goodies and the like, showed absolutely nothing. The
Server is also listening (how obvious) on the particular port (TCP
60001) but when I try to connect using Telnet nothing happens (how
obvious again). When I figure out what is going on, I'll let you know.

Cheers,

Dimitris



-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of La
Coursiere, Jeff
Sent: Thursday, June 26, 2003 1:07 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] A little off Topic - Unknown Port


Not with TCP.

j

-----Original Message-----
From: Ralf Guenthner [mailto:gue AT ALPHATEL DOT DE]
Sent: 26 June 2003 10:31
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] A little off Topic - Unknown Port


I may be mistaken, but I know for a fact that lots of programs make their
presence on a network known by advertising their port number with packets
directed at 255.255.255.255. Norton Antivirus Corporate comes to mind as an
example.  This behavior is not called broadcasting??

Regards
Ralf G.

----- Original Message -----
From: "Crist Clark" <crist.clark AT GLOBALSTAR DOT COM>
To: <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
Sent: Thursday, June 26, 2003 1:17 AM
Subject: Re: [FW-1] A little off Topic - Unknown Port


> Mitchell Rowton wrote:
> >
> > It seemed like the original post was pointing out what you are saying
> > now.  "This is strange traffic, anybody know about it?"  I think the
> > odds are it's not malicious traffic (as you said) but it's still broken.
> > There are some malicious programs that use port 60001 and some OS's
> > that accept TCP Broadcast (BSD.)
>
> That it ever did was a bug. I fixed it in FreeBSD, and it's been fixed in
> the other most popular BSD variants,
>
>   http://www.securityfocus.com/archive/1/262733
>   http://www.securityfocus.com/bid/4309
>
> --
> Crist J. Clark                                crist.clark AT globalstar DOT com
> Globalstar Communications                     (408) 933-4387
>
> The information contained in this e-mail message is confidential,
> intended only for the use of the individual or entity named above.
> If the reader of this e-mail is not the intended recipient, or the
> employee or agent responsible to deliver it to the intended recipient,
> you are hereby notified that any review, dissemination, distribution or
> copying of this communication is strictly prohibited.  If you have
> received this e-mail in error, please contact postmaster AT globalstar DOT com

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
