Plausible reasons for http access?

Subject: Plausible reasons for http access? | Author: Dubious Dude | Date: 12-09-2006
Posted by Sebastian Gottschalk on December 10, 2006, 8:15 am
MC wrote:

> Sebastian Gottschalk wrote:
>>> unlike what you would advise to not run anything (see other thread),
>>
>> "unlike"? You seem to be implying that something would be wrong with not
>> running bullshit software.
>
> Yes... unlike.. you stated very clearly that you advise people to not
> run anything at all, which is still a bad idea.

Why do you think so? Any arguments?

>>> so he noticed this
>> One doesn't need any packet filter to do so.
> Not running anything surely doesn't have anyone notice ANY access that
> might be unwanted.

Idiot. What's the 'netstat' tool that ships with every Unix and even
Windows OS?

> But since you prefer to have every end user system
> completely exposed to the Internet,

Bullshit. An end user system shouldn't be exposed at all. But you're just
twisting terms again.

>>> and can investigate the potentially malicious access ;-)
>> There's nothing to investigate.
> I don't know about Kerio, I discarded it myself since it took too much
> cpu for nothing, but I doubt a piece of software makes up random access
> warnings, especially if they intend to remain in business for a while.

Very very wrong. The user expects a lot of warnings, even though he doesn't
understand them - after all, if there weren't any warnings, then the
security software work, right? And the more intriguing the warnings are
(claiming every simple misrouted packet as a very dangerous hacking
attempt), the better the user feels that the software does a good job.

And no, Kerio didn't remain in business. They dropped the software for the
sake of their lousy routing software, and sold the name to another company.

> BTW: I don't think the IANA is running hosts for Akamai

Sorry, I'm usually assuming typos on seeing such unusual IP ranges.

Posted by Dubious Dude on December 10, 2006, 2:29 pm
MC wrote:
> Sebastian Gottschalk wrote:
>>> unlike what you would advise to not run anything (see other thread),
>> "unlike"? You seem to be implying that something would be wrong with not
>> running bullshit software.
>
> Yes... unlike.. you stated very clearly that you advise people to not
> run anything at all, which is still a bad idea.
>
>>> so he noticed this
>> One doesn't need any packet filter to do so.
> Not running anything surely doesn't have anyone notice ANY access that
> might be unwanted. But since you prefer to have every end user system
> completely exposed to the Internet, contrary to the advice from just about
> anyone in the business of providing Internet Services, I guess I'm
> talking to a wall here ;-)
>
>>> and can investigate the potentially malicious access ;-)
>> There's nothing to investigate.
> I don't know about Kerio, I discarded it myself since it took too much
> cpu for nothing, but I doubt a piece of software makes up random access
> warnings, especially if they intend to remain in business for a while.
>
> BTW: I don't think the IANA is running hosts for Akamai


Thanks, MC, for some balanced feedback.

Posted by Moe Trin on December 9, 2006, 1:35 pm
On Sat, 09 Dec 2006, in the Usenet newsgroup comp.security.misc, in article

>When I booted up, Kerio warns me that "Generic Host Process for Win32
>Services" from my computer wants to connect to 198.18.1.1:80. The
>application is c:\winnt\system32\svchost.exe. According to
>DNSstuff.com, this is Internet Assigned Numbers Authority (IANA) in
>Marina del Rey, CA.

Sigh... mis-leading information from DNSstuff.com. Read RFC2544 and
RFC3330. Use a packet sniffer to find which of your LOCAL computers is
using 198.18.1.1. That address is not routable over the Internet.
The address "belongs" to IANA as much as 127.0.0.1 does.

Old guy

Posted by Dubious Dude on December 13, 2006, 1:32 am
Moe Trin wrote:
> On Sat, 09 Dec 2006, in the Usenet newsgroup comp.security.misc, in article
>
>> When I booted up, Kerio warns me that "Generic Host Process for Win32
>> Services" from my computer wants to connect to 198.18.1.1:80. The
>> application is c:\winnt\system32\svchost.exe. According to
>> DNSstuff.com, this is Internet Assigned Numbers Authority (IANA) in
>> Marina del Rey, CA.
>
> Sigh... mis-leading information from DNSstuff.com. Read RFC2544 and
> RFC3330. Use a packet sniffer to find which of your LOCAL computers is
> using 198.18.1.1. That address is not routable over the Internet.
> The address "belongs" to IANA as much as 127.0.0.1 does.

Moe,

Thank you for the pointer. I looked up the following:

1. RFC3330: http://www.rfc-zone.org/rfc3330.html

2. Classless Inter-Domain Routing:
http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

3. RFC2544: http://www.rfc-zone.org/rfc2544.html

In case someone in my position (i.e. not in IT) googles this topic, #1
indicates that 198.18.0.0/15 is a block of addresses for benchmark
tests of network interconnect devices, documented in RFC2544.

The format of 198.18.0.0/15 needed some googling. #2 indicates that
each of the 4 decimal numbers 198.18.0.0 is a byte, and a 32-bit word
is formed by abutting the bytes as shown. Each byte starts with the
most significant bit on the left. The /15 indicates that the bits in
the 32-bit word beyond the leftmost 15 are variable, thus defining a
range of addresses.

#3 seems to show the relevance of the address in my original post:

C.2.2 Protocol Addresses

Two sets of addresses must be defined: first the addresses assigned
to the router ports, and second the addresses that are to be used in
the frames themselves and in the routing updates.

The network addresses 192.18.0.0 through 198.19.255.255 have been
assigned to the BMWG by the IANA for this purpose. This assignment
was made to minimize the chance of conflict in case a testing device
were to be accidentally connected to part of the Internet. The
specific use of the addresses is detailed below.

C.2.2.1 Router port protocol addresses

Half of the ports on a multi-port router are referred to as "input"
ports and the other half as "output" ports even though some of the
tests use all ports both as input and output. A contiguous series of
IP Class C network addresses from 198.18.1.0 to 198.18.64.0 have been
assigned for use on the "input" ports. A second series from
198.19.1.0 to 198.19.64.0 have been assigned for use on the "output"
ports. In all cases the router port is node 1 on the appropriate
network. For example, a two port DUT would have an IP address of
198.18.1.1 on one port and 198.19.1.1 on the other port.

Some of the tests described in the methodology memo make use of an
SNMP management connection to the DUT. The management access address
for the DUT is assumed to be the first of the "input" ports
(198.18.1.1).

I assume that the ports being referred to are those of the
router/modem.
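The CIDR arithmetic walked through in the post above, as an added example that is not part of the thread: the four decimal bytes are abutted into a 32-bit word, /n keeps the leftmost n bits fixed, and that test is then used to triage a firewall alert's destination against the special-use blocks named in the thread (the RFC 1918 private ranges are added here; RFC 3330 lists them all).

```python
# Special-use IPv4 blocks from the thread plus RFC 1918 private ranges (added here).
SPECIAL_USE = {
    "127.0.0.0/8":    "loopback: the host talking to itself",
    "10.0.0.0/8":     "private network (RFC 1918)",
    "172.16.0.0/12":  "private network (RFC 1918)",
    "192.168.0.0/16": "private network (RFC 1918)",
    "198.18.0.0/15":  "benchmark testing of interconnect devices (RFC 2544)",
}

def to_u32(dotted):
    """Abut the four decimal bytes into one 32-bit word, first byte leftmost."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % dotted)
    word = 0
    for o in octets:
        word = (word << 8) | o
    return word

def to_dotted(word):
    return ".".join(str((word >> s) & 0xFF) for s in (24, 16, 8, 0))

def parse_cidr(cidr):
    """Return (network word, mask word) for 'a.b.c.d/n'."""
    base, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError("bad prefix length in %r" % cidr)
    # /n keeps the leftmost n bits fixed; the remaining 32-n bits may vary.
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return to_u32(base) & mask, mask

def in_block(addr, cidr):
    network, mask = parse_cidr(cidr)
    return (to_u32(addr) & mask) == network

def block_range(cidr):
    """First and last address covered by the block, as dotted quads."""
    network, mask = parse_cidr(cidr)
    return to_dotted(network), to_dotted(network | (~mask & 0xFFFFFFFF))

def classify(addr):
    """(block, meaning) for a special-use address, else None (blocks do not overlap)."""
    for cidr, meaning in SPECIAL_USE.items():
        if in_block(addr, cidr):
            return cidr, meaning
    return None

if __name__ == "__main__":
    for a in ("198.18.1.1", "127.0.0.1", "198.20.0.1"):
        print(a, "->", classify(a))
```

198.20.0.1 is included because it sits just past the /15 boundary, so it shows the mask rejecting an address that shares the first two decimal bytes' neighbourhood but not the leftmost 15 bits.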

Posted by Moe Trin on December 13, 2006, 3:02 pm
On Wed, 13 Dec 2006, in the Usenet newsgroup comp.security.misc, in article

>Thank you for the pointer. I looked up the following:
>
> 1. RFC3330: http://www.rfc-zone.org/rfc3330.html

RFCs can be found in hundreds of mirror sites on the Internet. I no
longer bother to point to specific sources for that reason. Any search
engine will find them.

Web Results 1 - 10 of about 15,300 for RFC3330. (0.14 seconds)

Web Results 1 - 10 of about 73,700 for RFC 3330. (0.13 seconds)

> 2. Classless Inter-Domain Routing:
> http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

While the wikipedia is often a very good source of information, please
remember that it is not authoritative and _may_ contain incomplete or
misleading information. Again, the source would be

1519 Classless Inter-Domain Routing (CIDR): an Address Assignment and
Aggregation Strategy. V. Fuller, T. Li, J. Yu, K. Varadhan. September
1993. (Format: TXT=59998 bytes) (Obsoletes RFC1338) (Obsoleted by
RFC4632) (Status: PROPOSED STANDARD)

4632 Classless Inter-domain Routing (CIDR): The Internet Address
Assignment and Aggregation Plan. V. Fuller, T. Li. August 2006.
(Format: TXT=66944 bytes) (Obsoletes RFC1519) (Also BCP0122) (Status:
BEST CURRENT PRACTICE)

>The format of 198.18.0.0/15 needed some googling. #2 indicates that
>each of the 4 decimal numbers 198.18.0.0 is a byte, and a 32-bit word
>is formed by abutting the bytes as shown. Each byte starts with the
>most significant bit on the left. The /15 indicates that the bits in
>the 32-bit word beyond the leftmost 15 are variable, thus defining a
>range of addresses.

1878 Variable Length Subnet Table For IPv4. T. Pummill, B. Manning.
December 1995. (Format: TXT=19414 bytes) (Obsoletes RFC1860) (Status:
HISTORIC)

>#3 seems to show the relevance of the address in my original post:

Yes

> C.2.2.1 Router port protocol addresses
>
> Half of the ports on a multi-port router are referred to as "input"
> ports and the other half as "output" ports even though some of the
> tests use all ports both as input and output.

>I assume that the ports being referred to are those of the
>router/modem.

Yes - port (in this context) means 'interface', or connection point that
allows access to/from "a" network. We also call them "hoses" or "pipes",
as in "data comes in the 'comezinta' hose and goes out the 'gozouta' hose".
Your router/modem is connecting your computer/network on one port to
the ISP (and thence to the world) on a second port. Note that a port
may or may not _physically_ exist. An example of an imaginary port is the
loopback address (127.0.0.1) used by a computer when it is talking to
itself.

Old guy
