Posted by Moe Trin on November 15, 2005, 1:54 pm
In the Usenet newsgroup comp.security.misc, in article
>I travel regularly to a country where I think some form of protocol
>level blocking of ssh (to a non standard port), PPTP and IPSec appears
>to be taking place. It appears to be dynamic, in that connections work,
>but within 24 hours, they stop working when traffic from the point
>outside the country seems to just be dropped. Similar connections to a
>point within the country work just fine.
I've heard of problems like that - mainly in three or four countries in
Asia. Nothing specific was ever mentioned, but a google search would turn
up several threads about it.
>How would I go about establishing how these protocols are being
>blocked?
SSH uses protocol 6 (TCP) - can you use other TCP services, such as web
browsing and FTP (normal _and_ secure versions), news, mail - to the same
host out of country? Port 10000/tcp? How about to other hosts in the same
/24? Same /16? Same domain? Same country? Same hemisphere?
>The goal is just to be able to work around the blocks because they are
>interfering with my ability to manage the external servers when I am
>travelling on business within that country.
What O/S?
[compton ~]$ whatis hping2 nc ngrep nmap tcpdump tcptraceroute
hping2 (8) - send (almost) arbitrary TCP/IP packets to network hosts
nc (1) - TCP/IP swiss army knife
ngrep (8) - network grep
nmap (1) - Network exploration tool and security scanner
tcpdump (8) - dump traffic on a network
tcptraceroute (8) - A traceroute implementation using TCP packets
[compton ~]$
Notice, I'm not suggesting 'traceroute' or the b0rked imitation from
microsoft. They use packets other than TCP, and your problem is TCP, not
UDP or ICMP. ('nc' is 'netcat' in case you're not familiar with it.) A
few of these are available for most O/S - some only for a select few.
HOWEVER: "Y'all be careful, ya hear?" You don't need to look as if you
are engaged in espionage. I would be a bit careful using nmap.
>Right now, I'm just puzzled as to how they are detecting and blocking
>things like ssh to non standard ports. IPSec and PPTP I think I
>understand... just block GRE/ESP, etc. but ssh?
How much do you know about networking? Enough, obviously, to know to use
non-standard ports, but do you know what the traffic _looks_ like? Is
there anything "obvious" such as length of connection - rate of packet
transfer, size of packet transfer, and so on? Is the out-of-country
server a well known host, or is it some unknown dynamic address that
might be a three-letter-agency (from _any_ country)? You say you are
using a non standard port - is this a 'high' port (> 1025), or a low
port not normally seen? Are you trying to connect from an IP that belongs
to an international business (that would have a demonstrated need to
connect to the destination), or is this some rinky-dink "ISP" giving out
dynamic addresses, and renting boxes to spammers on an hourly rate? You
could be showing up on the equivalent of a 'firewall log'. In other words,
are you being obvious? Or have you "attracted attention"?
Old guy
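As an added example (my own, not part of Moe Trin's post or of the thread): a small Python probe that does the comparison the post suggests, same host, several ports, and records how each attempt ended, because a silent timeout (packets dropped somewhere in the path) is a different symptom from an RST (actively refused by the host) or an ICMP unreachable. It also keeps the first bytes the server sends, since an SSH server announces itself with a cleartext identification string ("SSH-2.0-...") before any key exchange, which is all a port-independent filter needs to recognise the protocol. The loopback "sshd" and the closed port are constructed stand-ins so the script runs offline; the host names and ports are placeholders for your own out-of-country server.

```python
import socket
import threading
import time

# Added example, not code from the post. Hosts and ports are placeholders;
# point survey() at your own out-of-country server to use it for real.


def probe(host, port, timeout=3.0, grab_banner=False):
    """Attempt one TCP connect and report how it ended.

    Verdicts:
      open        - three-way handshake completed
      refused     - host answered with RST (port closed, nothing in the path hid it)
      dropped     - no SYN-ACK and no RST before the timeout: something ate the packets
      unreachable - ICMP error or local routing failure (text in the detail field)
    Returns (verdict, detail, elapsed_seconds).
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = ""
            if grab_banner:
                # Servers such as sshd talk first: the SSH identification string
                # is sent in the clear before key exchange, so a filter that reads
                # payload can spot ssh on any port.
                try:
                    banner = s.recv(128).decode("ascii", "replace").strip()
                except OSError:
                    banner = ""
            return ("open", banner, time.monotonic() - start)
    except socket.timeout:
        return ("dropped", "no SYN-ACK or RST before timeout", time.monotonic() - start)
    except ConnectionRefusedError:
        return ("refused", "RST received", time.monotonic() - start)
    except OSError as exc:
        return ("unreachable", str(exc), time.monotonic() - start)


def looks_like_ssh(banner):
    """True if the server's first bytes are an SSH identification string."""
    return banner.startswith("SSH-")


def survey(host, ports, timeout=3.0):
    """Probe several ports on one host. A box that answers on 80/tcp but
    'drops' on your ssh port is filtered by port or by payload, not by address."""
    return {p: probe(host, p, timeout, grab_banner=True) for p in ports}


# --- constructed loopback stand-ins so the example runs offline -------------

def start_fake_server(banner=b"SSH-2.0-OpenSSH_example\r\n"):
    """Listen on a random loopback port and greet each client with `banner`
    (constructed stand-in for a real sshd on a non-standard port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Find a loopback port nothing is listening on (bind, read it, release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    ssh_port = start_fake_server()
    results = survey("127.0.0.1", [ssh_port, closed_port()])
    for port, (verdict, detail, secs) in results.items():
        tag = "  <- ssh banner" if looks_like_ssh(detail) else ""
        print(f"127.0.0.1:{port:<6} {verdict:<11} {secs:5.2f}s {detail}{tag}")
```

To use it the way the post describes, run survey() against the out-of-country host with its ssh port plus a few ports you know answer (80, 443, 21, 10000), then repeat from an in-country host and again some hours later, since the original poster reports connections dying within about a day. A "dropped" verdict with a full timeout on the ssh port while 80/tcp stays "open" points at the path, not the server; a "refused" means the packets are getting through. Keep to your own hosts and a handful of ports: a plain connect() to a server you administer is a great deal less conspicuous than an nmap run, which is the caution the post ends on.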