%!PS-Adobe-2.0 %%Creator: dvips 5.490 Copyright 1986, 1992 Radical Eye Software %%Pages: 6 1 %%BoundingBox: 0 0 612 792 %%EndComments %DVIPSCommandLine: dvips -f %%BeginProcSet: tex.pro %! /TeXDict 250 dict def TeXDict begin /N{def}def /B{bind def}N /S{exch}N /X{S N} B /TR{translate}N /isls false N /vsize 11 72 mul N /@rigin{isls{[0 -1 1 0 0 0] concat}if 72 Resolution div 72 VResolution div neg scale isls{Resolution hsize -72 div mul 0 TR}if Resolution VResolution vsize -72 div 1 add mul TR matrix currentmatrix dup dup 4 get round 4 exch put dup dup 5 get round 5 exch put setmatrix}N /@landscape{/isls true N}B /@manualfeed{statusdict /manualfeed true put}B /@copies{/#copies X}B /FMat[1 0 0 -1 0 0]N /FBB[0 0 0 0]N /nn 0 N /IE 0 N /ctr 0 N /df-tail{/nn 8 dict N nn begin /FontType 3 N /FontMatrix fntrx N /FontBBox FBB N string /base X array /BitMaps X /BuildChar{ CharBuilder}N /Encoding IE N end dup{/foo setfont}2 array copy cvx N load 0 nn put /ctr 0 N[}B /df{/sf 1 N /fntrx FMat N df-tail}B /dfs{div /sf X /fntrx[sf 0 0 sf neg 0 0]N df-tail}B /E{pop nn dup definefont setfont}B /ch-width{ch-data dup length 5 sub get}B /ch-height{ch-data dup length 4 sub get}B /ch-xoff{128 ch-data dup length 3 sub get sub}B /ch-yoff{ch-data dup length 2 sub get 127 sub}B /ch-dx{ch-data dup length 1 sub get}B /ch-image{ch-data dup type /stringtype ne{ctr get /ctr ctr 1 add N}if}B /id 0 N /rw 0 N /rc 0 N /gp 0 N /cp 0 N /G 0 N /sf 0 N /CharBuilder{save 3 1 roll S dup /base get 2 index get S /BitMaps get S get /ch-data X pop /ctr 0 N ch-dx 0 ch-xoff ch-yoff ch-height sub ch-xoff ch-width add ch-yoff setcachedevice ch-width ch-height true[1 0 0 -1 -.1 ch-xoff sub ch-yoff .1 add]{ch-image}imagemask restore}B /D{/cc X dup type /stringtype ne{]}if nn /base get cc ctr put nn /BitMaps get S ctr S sf 1 ne{dup dup length 1 sub dup 2 index S get sf div put}if put /ctr ctr 1 add N} B /I{cc 1 add D}B /bop{userdict /bop-hook known{bop-hook}if /SI save N @rigin 0 0 moveto /V matrix currentmatrix dup 1 get dup mul exch 0 get dup mul add .99 lt{/FV}{/RV}ifelse load def pop}N /eop{SI restore showpage userdict /eop-hook known{eop-hook}if}N /@start{userdict /start-hook known{start-hook} if /VResolution X /Resolution X 1000 div /DVImag X /IE 256 array N 0 1 255{IE S 1 string dup 0 3 index put cvn put}for 65781.76 div /vsize X 65781.76 div /hsize X}N /p{show}N /RMat[1 0 0 -1 0 0]N /BDot 260 string N /rulex 0 N /ruley 0 N /v{/ruley X /rulex X V}B /V{}B /RV statusdict begin /product where{pop product dup length 7 ge{0 7 getinterval dup(Display)eq exch 0 4 getinterval (NeXT)eq or}{pop false}ifelse}{false}ifelse end{{gsave TR -.1 -.1 TR 1 1 scale rulex ruley false RMat{BDot}imagemask grestore}}{{gsave TR -.1 -.1 TR rulex ruley scale 1 1 false RMat{BDot}imagemask grestore}}ifelse B /FV{gsave transform round exch round exch itransform moveto rulex 0 rlineto 0 ruley neg rlineto rulex neg 0 rlineto fill grestore}B /a{moveto}B /delta 0 N /tail{dup /delta X 0 rmoveto}B /M{S p delta add tail}B /b{S p tail}B /c{-4 M}B /d{-3 M} B /e{-2 M}B /f{-1 M}B /g{0 M}B /h{1 M}B /i{2 M}B /j{3 M}B /k{4 M}B /w{0 rmoveto}B /l{p -4 w}B /m{p -3 w}B /n{p -2 w}B /o{p -1 w}B /q{p 1 w}B /r{p 2 w} B /s{p 3 w}B /t{p 4 w}B /x{0 S rmoveto}B /y{3 2 roll p a}B /bos{/SS save N}B /eos{SS restore}B end %%EndProcSet TeXDict begin 40258431 52099146 1000 300 300 @start /Fa 40 123 df45 DI49 DIII63 D65 DIIIII77 DI80 D82 DI86 DI97 D99 DII 103 DIII108 DIII114 DIII119 DIII E /Fb 53 125 df12 D39 DII45 DI48 DII57 DI65 D67 DIIII73 D75 D77 DI80 D82 DII IIII97 DI IIIIIII107 DIIIIIIIIIIII121 D124 D E /Fc 1 50 df49 D E /Fd 13 122 df46 D64 D97 DII101 D108 DI111 D115 DII121 D E /Fe 27 121 df38 D46 D65 DII69 D76 D84 D88 D97 DI100 DIIIII107 DIIIII114 DII 120 D E /Ff 1 4 df3 D E /Fg 1 50 df49 D E /Fh 42 121 df46 D48 DII52 DI55 D57 D66 DII72 DI77 DI80 DIIIII88 D97 DII IIIIII108 DII II114 DIII119 DI E /Fi 81 125 df11 DIII34 D37 DIIII44 DIIIIII II IIIIIII63 D65 DIIIIIIIIIIIIIII82 DIIIII89 D91 DII97 DIIII IIIIIIIIIIIIIIIIIIIIIII E /Fj 29 118 df49 DIIII65 D67 D73 D77 D79 DI82 DI97 D99 DIIII105 D 108 D110 DIIIIIII E /Fk 4 81 df67 D73 D77 D80 D E /Fl 29 122 df11 D44 DII65 D84 D97 DIIIIIIII107 DIIIII114 DIIIIIII E /Fm 7 117 df65 D97 DII114 DII E /Fn 1 4 df3 D E /Fo 20 119 df44 D46 D49 DII57 D65 DI77 D83 D101 D103 D105 D108 D 110 DI115 DIII E /Fp 14 118 df70 D73 D80 D97 D99 DII107 D110 DI114 DIII E end %%EndProlog %%BeginSetup %%Feature: *Resolution 300dpi TeXDict begin %%EndSetup %%Page: 1 1 0 bop 549 219 a Fp(P)n(ac)n(k)n(ets)22 b(F)-6 b(ound)21 b(on)g(an)h(In)n (ternet)773 340 y Fo(Stev)o(en)15 b(M.)g(Bello)o(vin)1179 322 y Fn(\003)802 437 y Fo(August)i(23,)f(1993)890 607 y Fm(Abstract)199 661 y Fl(As)10 b(part)g(of)f(our)i(securit)o(y)g(measures,)g(w)o(e)e(sp)q (end)i(a)f(fair)g(amoun)o(t)h(of)f(time)g(and)h(e\013ort)f(lo)q(oking)i(for)e (things)h(that)141 707 y(migh)o(t)k(otherwise)h(b)q(e)e(ignored.)23 b(Apart)14 b(from)g(assorted)h(attempted)g(p)q(enetrations,)i(w)o(e)d(ha)o(v) o(e)g(also)i(disco)o(v)o(ered)141 752 y(man)o(y)11 b(examples)g(of)f (anomalous)i(b)q(eha)o(vior.)18 b(These)10 b(range)h(from)f(excessiv)o(e)i Fk(ICMP)c Fl(messages)j(to)f(nominally-l)q(o)q(cal)141 798 y(broadcast)k(pac)o(k)o(ets)g(that)f(ha)o(v)o(e)h(reac)o(hed)g(us)f(from)g (around)h(the)f(w)o(orld.)37 952 y Fj(1)70 b(In)n(tro)r(duction)37 1043 y Fi(F)m(or)12 b(securit)o(y)h(reasons,)f(A)m(T&T's)g(connection)g(to)g (the)g(In)o(ternet)h(is)f(via)f(a)g(pair)h(of)f(application)f(gatew)o(a)o (ys[Che90)o(].)17 b(T)m(o)37 1093 y(main)o(tain)12 b(the)j(securit)o(y)h(of)e (the)h(gatew)o(a)o(ys,)f(w)o(e)h(monitor)d(them)i(for)g(attempted)g(in)o (trusions[Che92].)19 b(Recen)o(tly)m(,)14 b(w)o(e)37 1143 y(ha)o(v)o(e)h (also)f(started)i(lo)q(oking)d(for)h(more)g(in)o(v)o(en)o(tiv)o(e)g(p)q (enetration)h(attempts[Bel92b)o(].)20 b(W)m(e)14 b(ha)o(v)o(e)g(indeed)i (found)e(suc)o(h)37 1192 y(b)q(eha)o(vior.)k(While)13 b(lo)q(oking,)f (though,)h(w)o(e)h(noticed)h(a)e(surprising)h(amoun)o(t)e(of)i(other)g (anomalous)e(b)q(eha)o(vior,)h(pac)o(k)o(ets)37 1242 y(that)h(do)g(not)g(app) q(ear)g(to)g(indicate)g(an)f(attempted)h(break-in,)f(but)h(are)h(w)o(orth)o (y)e(of)h(atten)o(tion)f(nev)o(ertheless.)100 1292 y(W)m(e)18 b(are)h(curren)o(tly)h(running)f(three)h(t)o(yp)q(es)g(of)e(broad-sp)q (ectrum)h(monitors.)31 b(First,)20 b(a)f(w)o(orkstation)f(with)h(an)37 1342 y(Ethernet)14 b(con)o(troller)d(in)g(\\promiscuous)f(mo)q(de")g(lo)q (oks)h(for)g(pac)o(k)o(ets)h(not)f(destined)h(for)f(an)o(y)g(legal)f(mac)o (hine.)16 b(Second,)37 1392 y(w)o(e)f(run)g(\\pac)o(k)o(et)f(suc)o(k)o(ers")i (on)e(a)h(v)n(ariet)o(y)e(of)h(p)q(oten)o(tially-in)o(teresting)g(p)q(orts.) 20 b(Third,)14 b(w)o(e)h(ha)o(v)o(e)f(recen)o(tly)i(deplo)o(y)o(ed)37 1441 y(an)c Fh(ICMP)p Fi([P)o(os81)n(])f(monitor;)f(it)i(logs)e(most)h Fh(ICMP)g Fi(messages)g(receiv)o(ed)i(b)o(y)f(the)g(mac)o(hine.)k(Eac)o(h)c (of)f(these)i(has)e(detected)37 1491 y(o)q(dd)j(b)q(eha)o(vior.)j(Curren)o (tly)m(,)c(w)o(e)h(cannot)f(detect)i(attempts)e(to)g(connect)h(to)g(random)d Fh(TCP)i Fi(or)g Fh(UDP)g Fi(p)q(orts,)g(though)g(w)o(e)37 1541 y(are)i(con)o(templating)d(adding)h(that)h(abilit)o(y)m(.)37 1677 y Fj(2)70 b(Address)23 b(Space)g(Oddities)37 1767 y Fi(Our)14 b(setup)g(for)f(monitoring)e(address)j(space)g(prob)q(es)h(is)e(fairly)e(a)o (wkw)o(ard.)18 b(The)13 b(monitoring)e(mac)o(hine)g(is)j(lo)q(cated)f(in)37 1817 y(a)g(part)f(of)g(the)h(Murra)o(y)g(Hill)e(complex)g(far)h(remo)o(v)o (ed)g(from)f(the)i(liv)o(e)e(In)o(ternet)j(cable.)k(Accordingly)m(,)12 b(the)h(link)e(w)o(e)i(are)37 1867 y(using)f(includes)g(a)f(bridge,)g(whic)o (h)h(\014lters)g(out)f(some)g(pac)o(k)o(ets.)18 b(\(This)12 b(ma)o(y)d(b)q(e)j(just)g(as)g(w)o(ell,)e(as)i(it)f(reduces)j(the)e(load.\)) 37 1917 y(F)m(urthermore,)g(since)i(the)e(monitor)f(is)h(not)g(armored)f(the) i(w)o(a)o(y)f Fh(research.att.com)d Fi(is,)j(w)o(e)g(cannot)h(allo)o(w)d(it)i (to)g(talk)37 1967 y(to)17 b(the)h(In)o(ternet.)28 b(Accordingly)m(,)17 b(w)o(e)g(had)f(a)h(wire)g(cutter)h(in)o(tro)q(duce)g(itself)e(to)h(the)h (transmit)d(leads)i(on)g(the)g(drop)37 2017 y(cable.)h(But)c(this)f(created)h (a)f(problem)e(for)i(ARP)f(en)o(tries[Plu82]:)17 b(the)d(router)f(will)f(not) h(transmit)e(the)j(pac)o(k)o(ets)f(un)o(til)37 2066 y(it)j(has)f(a)g(v)n (alid)f(Ethernet)452 2051 y Fg(1)488 2066 y Fi(address,)j(and)e(the)h (monitoring)d(mac)o(hine)i(is)g(to)q(o)g(crippled)h(to)f(supply)h(one.)23 b(The)16 b(next)37 2116 y(ob)o(vious)f(c)o(hoice)h(is)f(to)g(ha)o(v)o(e)g Fh(research.att.com)d Fi(answ)o(er;)17 b(unfortunately)m(,)d(it)h(has)h(no)f (\\ra)o(w")f(driv)o(er)i(that)f(w)o(ould)37 2166 y(let)j(an)f(application)f (program)g(\014eld)i(ARP)f(requests.)31 b(W)m(e)17 b(resorted)i(to)e(p)q (opulating)g(its)g(k)o(ernel's)h(tables)g(as)f(b)q(est)37 2216 y(w)o(e)d(could;)f(unfortunately)m(,)g(these)i(tables)f(are)g(not)f(large)h (enough)f(to)h(p)q(ermit)e(complete)h(co)o(v)o(erage.)19 b(Our)14 b(selections,)37 2266 y(though)i(adequate)h(to)f(detect)i(securit)o(y)f (inciden)o(ts,)f(will)f(lik)o(ely)g(miss)g(attempts)g(to)h(reac)o(h)h(random) e(addresses.)26 b(In)37 2315 y(the)15 b(future,)f(w)o(e)g(hop)q(e)g(to)g(use) h(a)e(Plan)h(9)g(mac)o(hine[PPTT90)n(])f(to)h(act)g(as)g(our)g(ARP)g(agen)o (t.)p 37 2348 750 2 v 83 2375 a Ff(\003)101 2387 y Fe(A)m(T&T)g(Bell)d(Lab)q (oratories.)h Fd(smb@ulysse)o(s.a)o(tt.)o(com)84 2414 y Fc(1)101 2426 y Fe(Ethernet)e(is)h(a)g(registered)e(trademark)g(of)i(Xero)o(x)g(Corp)q (oration.)p 675 2554 600 1 v 164 2654 a Fi(Reprin)o(ted)k(from)d Fb(Computer)i(Communic)n(ations)i(R)n(eview)p Fi(,)d(July)g(1993,)g(V)m(ol.)f (23,)h(No.)g(3,)g(pp.)18 b(26{31.)965 2828 y(1)p eop %%Page: 2 2 1 bop 37 45 a Fa(2.1)56 b(Anomalous)18 b(Broadcasts)37 123 y Fi(None)k(of)e(this)g(w)o(as)h(necessary)i(to)d(detect)j(the)e(strangest)h (pac)o(k)o(ets)f(w)o(e)g(ha)o(v)o(e)g(seen:)33 b(those)21 b(addressed)i(to)d (host)37 173 y Fh(255.255.255.255)p Fi(,)12 b(the)k(IP)g(broadcast)g (address.)23 b(That)15 b(in)g(itself)g(w)o(ould)f(b)q(e)i(quite)g(ordinary)m (,)e(w)o(ere)i(they)g(lo)q(cally)37 223 y(generated.)k(They)13 b(w)o(ere)h(not.)k(On)c(at)f(least)g(three)i(o)q(ccasions,)e(w)o(e)h(ha)o(v)o (e)f(receiv)o(ed)h(broadcast)g(name)e(serv)o(er)j(pac)o(k)o(ets)37 273 y(from)10 b(other)j(companies;)d(more)h(recen)o(tly)m(,)h(w)o(e)g(receiv) o(ed)h(a)e(series)i(of)e(broadcasts)i(in)o(tended)f(for)f(an)h(lo)q(cal)e (application.)37 323 y(The)16 b(\014rst)g(instance)g(w)o(as)f(from)e(another) j(compan)o(y)e(connected)j(to)e(the)g(same)g(regional)f(net)o(w)o(ork)h(as)g (our)h(gatew)o(a)o(y;)37 372 y(the)f(other)f(three)i(in)o(v)o(olv)o(ed)c(tra) o(v)o(ersals)j(of)e(the)h(NSFnet)h(bac)o(kb)q(one)g(on)e(the)i(w)o(a)o(y)e (to)h(us.)100 423 y(W)m(e)g(cannot)i(explain)e(wh)o(y)h(suc)o(h)h(pac)o(k)o (ets)f(w)o(ould)g(reac)o(h)h(us.)22 b(If)14 b(router)i(bugs)f(p)q(ermit)g (suc)o(h)g(things)g(to)g(happ)q(en,)37 473 y(w)o(e)i(should)e(see)i(more)e (broadcast)i(pac)o(k)o(ets,)f(and)g(for)f(a)h(wider)g(range)g(of)f(p)q(orts.) 25 b(But)16 b(all)f(four)g(inciden)o(ts)i(in)o(v)o(olv)o(ed)37 523 y(sev)o(eral)d(pac)o(k)o(ets,)f(o)o(v)o(er)g(a)f(p)q(erio)q(d)h(ranging)f (from)f(min)o(utes)h(to)g(hours.)18 b(In)13 b(one)g(case)h(where)f(w)o(e)g(w) o(ere)h(able)e(to)h(con)o(tact)37 572 y(the)h(site's)f(administrator,)e(w)o (e)j(w)o(ere)g(told)e(that)h(their)g(primary)f(name)g(serv)o(er)i(had)f (crashed)h(ab)q(out)f(the)h(time)d(of)i(the)37 622 y(\014rst)h(burst)g(from)d (their)j(site.)k(No)13 b(theories)h(w)o(ere)g(prop)q(ounded)f(to)g(explain)g (another)g(broadcast)h(pac)o(k)o(et)f(from)e(them)37 672 y(sev)o(eral)k (hours)f(later.)100 723 y(Some)e(commercial)g(routers)j(can)f(b)q(e)g (con\014gured)h(to)e(forw)o(ard)h(suc)o(h)g(pac)o(k)o(ets,)h(if)e(destined)h (for)g(the)g(name)f(serv)o(er)37 773 y(or)g(selected)h(other)e(services.)20 b(But)12 b(the)h(paths)g(follo)o(w)o(ed,)d(in)i(at)g(least)g(t)o(w)o(o)g(of)f (the)i(cases,)h(w)o(ould)d(ha)o(v)o(e)h(in)o(v)o(olv)o(ed)f(other)37 822 y(t)o(yp)q(es)k(of)f(routers.)19 b(Other)c(suggested)g(causes)g(include)f (to)q(o)g(m)o(uc)o(h)f(blind)g(reliance)h(on)g(default)f(routes.)100 873 y(W)m(e)j(are)i(con)o(tin)o(uing)e(to)g(monitor)f(our)i(net)o(w)o(ork)g (for)g(suc)o(h)h(pac)o(k)o(ets.)28 b(Our)17 b(timestamps)e(are)i(sync)o (hronized)i(to)37 923 y(WWV,)13 b(in)h(case)h(an)o(y)o(one)e(else)i(has)f(an) o(y)f(logs)g(they)i(wish)f(to)f(matc)o(h)g(against)g(ours.)37 1044 y Fa(2.2)56 b(Non-Existen)n(t)17 b(Mac)n(hines)37 1122 y Fi(W)m(e)11 b(also)g(see)i(attempts)d(to)i(connect)g(to)f(o)q(dd)h (addresses)h(on)e(our)g(net)o(w)o(ork.)18 b(Some)10 b(of)g(these)j(are)f(v)o (ery)f(clearly)g(securit)o(y)37 1172 y(ev)o(en)o(ts)19 b(|)f(when)g(the)g (connections)h(requests)h(are)e(only)f(to)h(non-existen)o(t)h(mac)o(hines)d (nev)o(ertheless)21 b(listed)c(in)h(the)37 1221 y(Domain)10 b(Name)g(Serv)o(er)j(\(DNS\))f(database[Mo)q(c87)o(],)g(the)g(w)o(ord)f (\\random")f(do)q(es)i(not)g(apply)m(.)k(Similarly)l(,)9 b(systematic)37 1271 y(attempts)19 b(to)f(prob)q(e)h(the)g(en)o(tire)g(net)o(w)o(ork's)g (address)g(space)h(are)e(lik)o(ely)g(carried)h(out)f(with)g(hostile)g(in)o (ten)o(t.)32 b(But)37 1321 y(discoun)o(ting)15 b(those,)h(w)o(e)f(still)f (see)i(pac)o(k)o(ets)g(w)o(e)f(cannot)g(easily)g(explain,)f(pac)o(k)o(ets)h (destined)h(for)f(random)e(addresses)37 1371 y(of)h(ours.)100 1422 y(In)21 b(at)g(least)g(one)g(case,)j(the)d(cause)h(w)o(as)f(determined)g (to)g(b)q(e)h(rep)q(eated)h(corruption)e(of)f(the)i(sender's)h(DNS)37 1471 y(cac)o(he.)34 b(Someho)o(w,)18 b(a)g(particular)g(mac)o(hine)g(rep)q (eatedly)h(acquired)g(a)g(v)n(ariet)o(y)f(of)g(di\013eren)o(t)h(incorrect)h (addresses)37 1521 y(for)13 b Fh(research.att.com)o Fi(.)i(As)e(of)f(this)g (writing,)g(w)o(e)h(do)f(not)g(kno)o(w)g(where)i(these)g(addresses)h(are)e (coming)d(from.)16 b(The)37 1571 y(frequency)g(of)e(c)o(hange)h(is)f(high)g (enough)g(that)h(w)o(e)g(do)f(not)g(think)g(it)g(is)h(random)d(con)o (tamination)g(from)h(an)h(incorrect)37 1621 y(database;)g(they)g(w)o(ould)e (seem)i(to)f(b)q(e)h(generated)h(lo)q(cally)m(.)h(A)d(bac)o(kup)g(mac)o (hine,)f(running)h(the)h(same)f(hardw)o(are)h(and)37 1671 y(soft)o(w)o(are,)g (has)g(displa)o(y)o(ed)f(the)i(same)e(symptoms.)100 1721 y(W)m(e)g(ha)o(v)o (e)g(also)g(seen)i(n)o(umerous)e Fh(ftp)g Fi(requests)j(for)d(our)h(old)f (gatew)o(a)o(y)g(mac)o(hine,)f(whic)o(h)h(has)h(not)g(existed)g(for)g(at)37 1771 y(least)h(three)g(y)o(ears.)20 b(As)14 b(b)q(est)i(w)o(e)e(can)h(tell,)e (there)j(are)e(old)g(host)g(tables)h(b)q(eing)f(passed)h(around,)f(ev)o(en)g (to)g(new)h(sites.)37 1821 y(Most)e(of)e(these)j(requests)g(ha)o(v)o(e)d (come)h(from)e(non-U.S.)h(sites,)h(where)i(the)e(DNS)g(seems)g(to)g(b)q(e)h (used)f(less.)19 b(Giv)o(en)11 b(that,)37 1871 y(it)16 b(w)o(ould)f(seem)h (to)g(b)q(e)g(w)o(orth)o(while)g(to)f(re-adv)o(ertise)j(the)e(existence)i(of) d(the)i(standard)f Fh(hosts.txt)e Fi(\014le.)24 b(Y)m(es,)17 b(the)37 1921 y(DNS)d(is)g(m)o(uc)o(h)f(b)q(etter,)i(but)f(ev)o(en)g(a)g (static)g(host)g(table)g(is)g(b)q(etter)h(than)f(not)g(b)q(eing)g(able)g(to)f (comm)o(unicate)f(at)i(all.)37 2062 y Fj(3)70 b(Strange)23 b(Application)e(Requests)37 2155 y Fi(Some)13 b(strange)h(b)q(eha)o(vior)f(o) q(ccurs)i(at)e(the)h(application)e(la)o(y)o(er.)17 b(F)m(or)c(example,)f(w)o (e)h(ha)o(v)o(e)g(seen)i(a)e(n)o(um)o(b)q(er)g(of)f(requests)37 2205 y(to)18 b(connect)g(to)f(inexplicable)f(p)q(ort)i(n)o(um)o(b)q(ers.)27 b(W)m(e)17 b(kno)o(w)g(of)f(no)h(standard)h Fh(TCP)e Fi(daemons)g(that)i (listen)f(on)g(p)q(orts)37 2254 y Fh(2)p Fi(,)f Fh(42)p Fi(,)f Fh(70)p Fi(,)g(or)g Fh(525)p Fi(.)22 b(Nor)16 b(are)f(those)i(p)q(orts)f (listed)f(in)g(the)h(latest)g Fb(Assigne)n(d)h(Numb)n(ers)e Fi(RF)o(C[RP90)n(].)22 b(While)15 b(these)37 2304 y(particular)g(requests)h (app)q(eared)f(to)f(part)h(of)f(an)g(apparen)o(t)g(break-in)g(attempt,)g(it)g (is)g(unclear)h(to)f(us)g(wh)o(y)h(attac)o(k)o(ers)37 2354 y(should)f(b)q(other)h(probing)f(un)o(used)h(p)q(orts.)20 b(Conceiv)n(ably)m (,)12 b(these)k(are)e(standard)h(bac)o(k)f(do)q(ors)h(deplo)o(y)o(ed)f(and)g (used)h(b)o(y)37 2404 y(the)f(hac)o(k)o(er)g(comm)o(unit)o(y)c(\(and)j(do)q (cumen)o(ted,)g(no)g(doubt,)g(in)g(their)g(o)o(wn)g(RF)o(Cs)g(|)g (\\Resources)i(F)m(or)d(Crac)o(k)o(ers"\);)i(if)37 2454 y(so,)h(it)f(is)h (esp)q(ecially)g(unfortunate)g(that)g(most)f(systems)g(cannot)h(log)f (attempts)h(to)f(connect)i(to)f(un)o(used)g(p)q(orts.)22 b(W)m(e)37 2503 y(w)o(ere)16 b(luc)o(ky)f(to)g(notice)g(these)i(requests;)g(the)f(attac) o(k)o(er)f(tried)h(to)f(connect)h(to)f Fh(9net.att.com)p Fi(,)d(a)j(Plan)f(9) h(mac)o(hine,)37 2553 y(and)f(its)g(design)g(philosoph)o(y)f(made)g (detection)i(quite)e(easy)m(.)100 2604 y(On)k(a)f(n)o(um)o(b)q(er)f(of)h(o)q (ccasions,)i(w)o(e)e(ha)o(v)o(e)h(seen)g(attempts)f(to)h(connect)h(to)e(our)g (NNTP)h(p)q(ort[KL86].)25 b(Since)17 b(w)o(e)37 2654 y(do)e(not)g(run)g(NNTP) m(,)f(suc)o(h)h(requests)i(are)e(de\014nitely)g(out)f(of)h(line.)20 b(As)15 b(b)q(est)g(w)o(e)g(can)g(tell,)f(the)i(usual)e(motiv)n(ation)e(is)37 2704 y(a)j(desire)g(to)g(read)g(newgroups)g(disallo)o(w)o(ed)e(b)o(y)i(lo)q (cal)e(administrativ)o(e)g(p)q(olicy)m(.)19 b(Other)c(reasons)h(include)f(a)f (desire)i(to)p eop %%Page: 3 3 2 bop 37 45 a Fi(submit)12 b(forged)h(articles,)g(and)f(|)g(in)h(one)g (instance)g(|)f(a)h(purp)q(orted)h(desire)f(to)g(determine)g(whether)h(or)f (not)f(a)h(news)37 95 y(article)i(had)f(b)q(een)h(passed)g(on.)k(Certainly)m (,)13 b(there)i(ma)o(y)e(b)q(e)h(securit)o(y)h(\015a)o(ws)g(in)e(the)i (standard)g(NNTP)f(daemon.)k(W)m(e)37 145 y(ha)o(v)o(e)c(no)g(evidence)h(for) f(or)f(against)h(this)g(prop)q(osition.)100 195 y(On)21 b(sev)o(eral)g(o)q (ccasions,)h(our)f(RPC[Sun90)o(,)f(Sun88])g(monitors)f(ha)o(v)o(e)i(detected) h(attempts)f(to)f(send)i(\\)p Fh(wall)p Fi(")37 244 y(broadcast)14 b(messages)f(to)f(our)h(mac)o(hine.)k(On)c(at)f(least)h(one)g(o)q(ccasion,)g (the)g(request)i(came)d(from)f(a)h(site)i(in)e(German)o(y)m(.)37 294 y(In)o(v)o(estigation)i(of)g(the)i(co)q(de)f(for)g(the)g Fh(rwall)e Fi(command)f(sho)o(w)o(ed)j(that)g(if)f(an)g(en)o(try)i(in)e(the)h Fh(netgroup)e Fi(\014le)i(w)o(as)g(not)37 344 y(a)i(v)n(alid)d(host)j(name,)e (it)h(w)o(as)g(presumed)h(to)f(b)q(e)h(a)f(wild)g(card.)25 b(This)17 b(in)e(turn)i(caused)h(the)f(broadcast)g(message)f(to)37 394 y(b)q(e)g(sen)o(t)g(to)e(ev)o(ery)i(mac)o(hine)e(listed)g(in)h(the)g (host)g(\014le.)21 b(The)16 b(com)o(bination)c(of)i(this)h(prop)q(ert)o(y)h (of)e(the)i(co)q(de,)f(and)g(the)37 444 y(apparen)o(t)g(p)q(ersistence)h(of)e (host)g(tables,)f(can)i(cause)f(a)g(mind-b)q(oggling)c(n)o(um)o(b)q(er)k(of)f (messages)h(to)f(b)q(e)i(sen)o(t.)37 560 y Fa(3.1)56 b(Wild)18 b(and)h(Crazy)g(SNMP)g(Agen)n(ts)37 637 y Fi(The)13 b(most)e(am)o(using)e (application-lev)o(el)h(o)q(ddit)o(y)i(w)o(e)g(ha)o(v)o(e)g(seen)h(w)o(as)f (an)f(SNMP)i(message[CFSD90)n(])f(from)e(a)i(distan)o(t)37 687 y(univ)o(ersit)o(y)m(.)19 b(In)o(v)o(estigation)14 b(sho)o(w)o(ed)g(that) g(this)h(w)o(as)f(a)g(case)h(of)f(an)g(o)o(v)o(erly-helpful)f(net)o(w)o(ork)h (managemen)o(t)e(system.)37 737 y(Apparen)o(tly)m(,)20 b(sev)o(eral)g(suc)o (h)f(systems)h(ha)o(v)o(e)f(automatic)e(or)i(semi-automati)o(c)e(top)q(ology) g(disco)o(v)o(ery)j(mec)o(hanisms.)37 787 y(This)12 b(is)g(useful)g(|)g (creating)g(a)f(net)o(w)o(ork)i(map)d(is)i(hard)g(w)o(ork)f(for)h(an)o(y)f (en)o(tit)o(y)h(large)g(enough)g(to)g(need)g(a)g(managemen)o(t)37 836 y(system)i(|)f(but)h(suc)o(h)g(features)h(need)f(to)g(b)q(e)g(con)o (trolled.)k(In)o(ternet-wide)d(broadcasts)f(are)g(distressing)h(enough;)e (the)37 886 y(though)o(t)h(of)f(implemen)o(ting)e(them)i(b)o(y)h(stepping)g (through)g(the)g(en)o(tire)h(address)g(space)g(is)f(horrifying.)100 936 y(This)h(w)o(as)g(not)g(an)h(isolated)e(inciden)o(t.)23 b(W)m(e)15 b(describ)q(ed)i(what)e(happ)q(ened)i(in)e(the)h(RISKS)f (Digest[Bel92a)o(],)g(and)37 986 y(receiv)o(ed)j(sev)o(eral)f(rep)q(orts)g (of)f(similar)e(inciden)o(ts)i(elsewhere.)27 b(Indeed,)18 b(w)o(e)e(ha)o(v)o (e)g(had)g(runa)o(w)o(a)o(ys)g(b)q(other)h(us)g(since)37 1036 y(then,)e(including)d(once)j(from)d(the)j(con)o(trol)e(cen)o(ter)j(of)d(a)h (regional)f(net)o(w)o(orks.)37 1173 y Fj(4)70 b(ICMP)22 b(P)n(eculiaritie)o (s)37 1265 y Fi(A)17 b(recen)o(t)h(glance)e(at)h(the)g(output)f(of)g(the)h Fh(netstat)e Fi(command)f(sho)o(w)o(ed)j(sev)o(eral)g(p)q(eculiarities.)25 b(W)m(e)17 b(w)o(ere)g(seeing)37 1314 y(non-zero)g(coun)o(ters)g(for)e(\\bad) g(co)q(de)i(\014elds")f(and)f(for)h(\\routing)f(redirects".)25 b(The)16 b(latter)g(w)o(as)f(esp)q(ecially)h(strange,)37 1364 y(since)f(w)o(e)e(ha)o(v)o(e)h(only)e(one)i(router)h(on)e(that)g(net)o(w)o (ork.)18 b(Giv)o(en)13 b(the)h(o)q(ddities,)f(and)h(giv)o(en)f(the)h (theoretical)g(p)q(ossibilit)o(y)37 1414 y(of)d(an)g(attac)o(k)h(via)e Fh(ICMP)21 b(Redirect)p Fi([Bel89)n(])11 b(messages,)h(w)o(e)f(wrote)h(a)f (monitor)f(to)h(log)f(all)h Fh(ICMP)f Fi(messages.)17 b(As)12 b(usual,)37 1464 y(w)o(e)j(sa)o(w)e(more)g(than)h(w)o(e)g(w)o(ere)h(lo)q (oking)d(for.)100 1514 y(The)e Fh(Redirect)e Fi(messages)i(w)o(ere)g(a)g(bit) f(elusiv)o(e;)i(they)f(only)f(seemed)h(to)f(come)g(from)f(certain)i(sites.)18 b(W)m(e)9 b(ev)o(en)o(tually)37 1564 y(trapp)q(ed)18 b(a)d(burst)i(of)f (them.)24 b(Apparen)o(tly)m(,)16 b(a)g(dial-up)f(IP)h(serv)o(er)i(of)e(some)f (sort)i(will)d(emit)h(them,)h(p)q(ossibly)g(if)f(the)37 1613 y(remote)f(end)g(is)f(not)h(a)o(v)n(ailable.)i(The)e(messages)g(said,)e(in)i (e\013ect,)h(\\to)e(reac)o(h)h(host)g Fh(X)p Fi(,)f(use)i Fh(X)e Fi(as)h(the)g(gatew)o(a)o(y".)j(Suc)o(h)37 1663 y(a)h(message)g(is)g(clearly) g(erroneous)h(ev)o(en)g(if)e Fh(Redirect)p Fi(s)g(w)o(ere)i(legal)e(when)h (sen)o(t)h(from)e(other)h(than)g(the)h(\014rst-hop)37 1713 y(router.)g(Not)11 b(only)g(that,)h(the)g(connection)h(information)c (returned)k(w)o(as)f(erroneous,)h(with)e(constan)o(t)h(\(and)g(incorrect\))37 1763 y(v)n(alues)i(giv)o(en)g(for)g(the)g(lo)q(cal)f(and)h(remote)g(p)q(ort)g (n)o(um)o(b)q(ers,)g(and)g(ev)o(en)g(the)h(remote)f(host)g(n)o(um)o(b)q(er,)f (i.e.,)g(the)h(v)n(alue)g Fh(X)37 1813 y Fi(referred)k(to)e(ab)q(o)o(v)o(e.) 23 b(A)o(ttempts)15 b(to)h(trace)h(the)f(route)g(sho)o(w)o(ed)g(that)g(the)g (serv)o(er)i(w)o(as)d(indeed)i(confused;)g(a)e(routing)37 1862 y(lo)q(op)f(app)q(eared)g(as)g(w)o(ell,)f(though)h(that)g(ma)o(y)e(b)q(e)i (an)g(artifact)f(of)h(the)g Fh(traceroute)e Fi(program.)100 1912 y(W)m(e)17 b(ev)o(en)o(tually)h(learned)g(that)g(the)h(target)f(address) h(that)f(caused)h(the)g(trouble)f(is)g(in)f(realit)o(y)g(the)i(broadcast)37 1962 y(address)i(for)d(a)h(subnet.)34 b(This)19 b(explains)f(some)g(of)h (what)g(w)o(e)g(sa)o(w;)i(a)d(broadcast)i(storm)e(can)h(certainly)g(confuse) 37 2012 y(routers.)g(And)13 b(wh)o(y)f(w)o(ere)h(w)o(e)f(trying)g(to)g(send)h (messages)g(to)f(a)g(broadcast)h(address?)19 b(Because)14 b Fh(our)d Fi(DNS)h(cac)o(he)i(w)o(as)37 2062 y(corrupted;)h(it)f(listed)g(15)f (incorrect)i(addresses)h(\(and)e(2)g(correct)h(ones\))g(for)f(a)f(v)o(ery)h (p)q(opular)g(mail)d(rela)o(y)j(host.)100 2112 y(Our)h Fh(ICMP)e Fi(monitor)f(also)i(detected)i(the)f(source)h(of)d(at)h(least)h(some)e(of)h (the)h(\\bad)e(co)q(de)i(\014eld")f(messages.)20 b(Some)37 2161 y(routers,)c(including)d(a)i(few)f(that)h(app)q(ear)g(to)f(b)q(e)h(part) g(of)f(the)h(NSFnet)g(bac)o(kb)q(one,)g(emitted)e Fh(Source)21 b(Quench)13 b Fi(mes-)37 2211 y(sages)k(with)e(a)g(non-zero)i(co)q(de)f (\014eld.)24 b(This)15 b(app)q(ears)i(to)e(b)q(e)h(an)g(ancien)o(t)g(bug)f (that)h(w)o(as)f(part)h(of)f(early)h(releases)h(of)37 2261 y(4.3)p Fh(BSD)p Fi(.)10 b(Unfortunately)m(,)g(man)o(y)f(p)q(opular)i Fh(ICMP)f Fi(implemen)o(tations)e(will)i(ignore)h(messages)g(with)g(in)o(v)n (alid)e(co)q(de)i(\014elds,)37 2311 y(recen)o(t)k(RF)o(C's)e(not)o (withstanding[Bra89)o(].)k(Th)o(us,)d(at)f(the)h(precise)h(time)d(when)i(a)f (router)h(is)f(strapp)q(ed)i(for)e(resource,)37 2361 y(it)h(is)g(sending)g (useless)h Fh(Source)21 b(Quench)12 b Fi(messages.)37 2477 y Fa(4.1)56 b(Firew)n(all)18 b(Routers)37 2554 y Fi(Man)o(y)f(of)f(the)h Fh(Destination)j(Unreachable)14 b Fi(messages)j(w)o(e)g(receiv)o(ed)h(came)e (from)f(so-called)h(\\\014rew)o(all)g(routers".)37 2604 y(These)i(are)e (routers)h(with)f(v)o(ery)g(restrictiv)o(e)i(access)f(con)o(trol)f(lists;)h (their)f(purp)q(ose)h(is)f(to)g(protect)h(hosts)f(within)g(an)37 2654 y(organization,)f(m)o(uc)o(h)f(as)h(our)h(gatew)o(a)o(ys)f(do.)22 b(Unfortunately)m(,)15 b(the)h(precise)h(con\014guration)e(of)g(suc)o(h)h (gatew)o(a)o(ys)f(can)37 2704 y(and)f(do)q(es)h(cause)g(trouble.)p eop %%Page: 4 4 3 bop 100 45 a Fi(W)m(e)16 b(encoun)o(tered)j(problems)d(with)h(a)g(n)o(um)o (b)q(er)f(of)g(these)j(routers.)28 b(A)o(ttempts)17 b(to)g(send)h(mail)c(to)j (destinations)37 95 y(b)q(ey)o(ond)g(the)f(\014rew)o(all)f(generated)i(large) f(\015urries)g(of)f Fh(Host)21 b(Unreachable)14 b Fi(messages.)24 b(Analysis)15 b(sho)o(w)o(ed)h(that)g(the)37 145 y(problem)i(stemmed)f(from)g (the)j(desire)g(to)e(presen)o(t)j(a)d(di\013eren)o(t)i(face)f(to)g(the)g (inside)g(than)g(to)f(the)i(outside.)33 b(F)m(or)37 195 y(example,)14 b(DNS)h Fh(NS)g Fi(records)i(p)q(oin)o(ted)e(to)g(b)q(oth)g(the)h(in)o (ternal)f(serv)o(ers,)i(to)e(whic)o(h)g(access)i(w)o(as)e(blo)q(c)o(k)o(ed,)g (as)g(w)o(ell)f(as)37 244 y(to)h(the)h(p)q(ermitted)f(gatew)o(a)o(y)f(mac)o (hines.)21 b(F)m(or)14 b(whatev)o(er)i(reasons,)g(our)f(resolv)o(er)h(tended) g(to)f(mak)o(e)e(large)i(n)o(um)o(b)q(ers)37 294 y(of)k(queries)g(to)g(the)g (in)o(ternal)g(DNS)f(serv)o(ers.)35 b(The)19 b(resolv)o(er)g(did)g(not)g(see) g(the)h Fh(ICMP)e Fi(rejections,)i(and)f(p)q(erceiv)o(ed)37 344 y(the)c(problem)e(only)g(as)h(a)g(timeout.)j(Ev)o(en)o(tually)m(,)12 b(it)i(w)o(ould)f(switc)o(h)i(to)e(the)i(next)g(serv)o(er)g(in)f(the)g Fh(NS)g Fi(list;)f(un)o(til)g(then,)37 394 y(retransmissions)e(to)f(the)h (original)e(serv)o(er)j(w)o(ould)e(generate)i(new)f(b)q(ounce)g(messages.)17 b(A)11 b(similar)d(situation)i(existed)h(in)37 444 y(the)h Fh(MX)f Fi(records.)19 b(A)11 b(mo)q(derately-large)f(n)o(um)o(b)q(er)g(of)h (gatew)o(a)o(ys)g(w)o(ere)h(sho)o(wn;)f(only)g(the)g(least-desirable)h(ones,) g(b)o(y)f(the)37 493 y(included)h(metrics,)f(w)o(ere)h(reac)o(hable)f(from)f (the)h(outside.)18 b(Th)o(us,)11 b(mail)e(deliv)o(eries)i(to)g(this)g(site)h (w)o(ere)g(quite)f(exp)q(ensiv)o(e;)37 543 y(a)h(long)f(list)g(of)g(failures) h(had)f(to)h(b)q(e)g(endured)h(b)q(efore)g(a)e(successful)j(connection)e(w)o (as)g(established.)18 b(The)12 b(problem)f(w)o(as)37 593 y(comp)q(ounded)i(b) o(y)g(the)h(apparen)o(t)g(inabilit)o(y)d(of)i(our)g(lo)q(cal)g Fh(TCP)f Fi(to)i(pro)q(cess)h Fh(Destination)k(Unreachable)11 b Fi(messages)37 643 y(at)j(this)g(p)q(oin)o(t;)f(instead,)h(the)g (connection)h(attempts)e(had)h(to)g(time)e(out,)i(a)f(length)o(y)h(pro)q (cess.)100 694 y(The)j(ro)q(ot)g(cause)i(of)d(these)j(failures)d(is)h(not,)h (strictly)f(sp)q(eaking,)h(a)e(proto)q(col)h(problem.)27 b(Rather,)17 b(there)i(is)e(an)37 744 y(op)q(erational)g(w)o(eakness)h(in)e(the)i (existing)f(name)e(serv)o(er)k(implemenatio)o(ns.)25 b(Clearly)m(,)16 b(the)i(administrator)d(did)i(not)37 794 y(w)o(an)o(t)f(us)h(to)f(try)h(to)f (reac)o(h)h(the)g(blo)q(c)o(k)o(ed)g(hosts.)26 b(Ideally)m(,)15 b(the)i(answ)o(ers)g(returned)h(b)o(y)e(their)h(DNS)f(serv)o(ers)j(should)37 844 y(b)q(e)f(\014ltered:)26 b(outsiders)18 b(should)g(nev)o(er)g(receiv)o(e) g Fh(NS)f Fi(or)h Fh(MX)e Fi(records)j(naming)c(suc)o(h)j(hosts.)29 b(But)18 b(there)h(is)e(no)g(easy)37 894 y(w)o(a)o(y)c(to)g(do)f(this.)18 b(What)13 b(is)g(needed)h(is)f(some)f(sort)i(of)e(general)h(\014ltering)g (language)f(for)h(the)g(name)f(serv)o(er,)j(sp)q(ecifying)37 943 y(comm)o(unities)d(of)h(in)o(terest)i(and)f(what)g(records)h(they)f(are)h (allo)o(w)o(ed)d(to)i(see.)100 995 y(W)m(e)i(are)h(not)f(claiming)d(that)k (suc)o(h)g(a)f(mec)o(hanism)e(is)i(a)g(securit)o(y)i(feature.)26 b(Unless)17 b(and)f(un)o(til)g(authen)o(tication)37 1045 y(is)j(added)f(to)g (the)h(DNS,)f(the)g(lev)o(el)g(of)g(securit)o(y)h(it)f(could)g(pro)o(vide)g (is)g(fairly)f(lo)o(w.)30 b(Rather,)19 b(w)o(e)g(are)f(lo)q(oking)f(for)37 1095 y(p)q(erformance)e(impro)o(v)o(emen)o(ts,)e(and)i(for)f(the)i (elimination)c(of)i(these)j(unneeded)f(and)f(un)o(w)o(an)o(ted)g(pac)o(k)o (ets)h(aimed)e(at)37 1144 y(inside)g(hosts.)37 1270 y Fa(4.2)56 b(A)19 b(DNS)g(Virus?)37 1349 y Fi(As)14 b(noted)f(ab)q(o)o(v)o(e,)f (incorrect)i(DNS)e(information)e(exists.)18 b(It)13 b(is)f(not)h(clear)g(wh)o (y)f(this)h(happ)q(ens;)h(that)e(it)h(do)q(es)g(happ)q(en)37 1399 y(is)g(indisputable.)k(W)m(orse)12 b(y)o(et,)g(the)h(incorrect)h (information)9 b(can)k(spread.)18 b(If)12 b(a)g(site)h(that)f(has)h(a)f(bad)g (resource)i(record)37 1449 y(is)g(queried)f(ab)q(out)g(it,)g(the)h(serv)o(er) g(will)e(blithely)g(return)j(the)f(erroneous)g(information,)c(thereb)o(y)k (con)o(taminating)d(the)37 1499 y(cac)o(he)i(of)f(another)g(site.)18 b(W)m(e)11 b(th)o(us)i(ha)o(v)o(e)f(something)e(with)i(c)o(haracteristics)i (akin)d(to)g(a)h(virus:)17 b(a)12 b(m)o(utan)o(t)e(record)j(that)37 1549 y(uses)j(standard)e(facilities)f(to)h(repro)q(duce)i(itself.)i(It)c (\\wins")f(if)h(it)f(can)h(infect)h(a)e(high-lev)o(el)g(serv)o(er,)i(thereb)o (y)h(causing)37 1599 y(it)e(to)g(spread)h(to)e(almost)f(an)o(y)o(one)i(who)f (tries)i(to)f(\014nd)g(out)g(the)g(correct)i(address)f(for)e(the)i (destination.)100 1650 y(The)e(w)o(ord)g(\\m)o(utan)o(t")e(ma)o(y)m(,)f(in)i (fact,)h(b)q(e)g(literally)f(correct.)19 b(One)14 b(p)q(ossible)f (explanation)f(for)g(the)i(origin)d(of)i(suc)o(h)37 1700 y(records)h(is)e (undetected)i(corruption)e(of)g(DNS)f(data)h(while)f(in)h(transit.)17 b(This)12 b(is)g(not)g(at)g(all)e(unlik)o(ely)m(,)h(esp)q(ecially)h(since)37 1750 y(at)i(least)f(one)g(ma)r(jor)f(v)o(endor)h(ships)h(mac)o(hines)e(with)h Fh(UDP)f Fi(c)o(hec)o(ksum)i(v)n(alidation)c(and)j(generation)h(disabled.)j (Other)37 1799 y(causes)f(include)e(address)h(and)f(name)f(c)o(hanges)h(to)g (name)f(serv)o(ers.)20 b(If)14 b(not)g(done)g(carefully)m(,)f(at)g(b)q(oth)h (the)h(delegating)37 1849 y(site)h(and)f(the)h(primary)e(and)h(secondary)h (serv)o(ers)h(for)e(the)h(zone,)g(records)g(con)o(taining)f(the)g(union)g(of) g(b)q(oth)g(old)g(and)37 1899 y(new)g(information)c(will)h(b)q(e)j (propagated.)j(W)m(e)13 b(ha)o(v)o(e)h(seen)h(this)f(failure)f(mo)q(de)g(in)g (our)h(in)o(ternal)g(net)o(w)o(ork.)37 2024 y Fa(4.3)56 b(Rejected)17 b(DNS)i(Messages)37 2104 y Fi(Our)13 b Fh(ICMP)e Fi(detected)j(a)e (surprisingly)f(large)h(n)o(um)o(b)q(er)f(of)h Fh(Port)21 b(Unreachable)9 b Fi(messages,)j(most)f(of)g(them)g(to)h(or)g(from)37 2154 y(p)q(ort)19 b(53,)g(the)g(DNS)f(p)q(ort.)32 b(Suc)o(h)19 b(messages)f (suggest)i(that)e(a)g(DNS)h(resp)q(onse)h(has)e(arriv)o(ed)h(after)g(the)g (querying)37 2204 y(pro)q(cess)e(has)d(terminated.)20 b(Most)15 b(lik)o(ely)m(,)d(these)k(indicate)e(that)h(more)e(than)i(one)g(pac)o(k)o(et) f(w)o(as)h(sen)o(t)g(out)g(for)f(a)g(giv)o(en)37 2254 y(query)m(,)f(with)f (some)g(resp)q(onses)j(dela)o(y)o(ed)e(o)o(v)o(erly)f(long)g(in)g(transit.)18 b(Ab)q(out)13 b(65\045)e(of)i(the)g Fh(ICMP)f Fi(messages)g(w)o(ere)i(to)f (and)37 2303 y(from)h(pro)q(cesses)k(on)d(the)g(lo)q(cal)f(mac)o(hine,)g (indicating)g(that)h(our)g(o)o(wn)g(queries)h(w)o(ere)g(rep)q(eated.)24 b(The)15 b(rest)i(indicate)37 2353 y(that)d(the)h(lo)q(cal)e(DNS)h(serv)o(er) h(sen)o(t)g(bac)o(k)f(late)f(resp)q(onses)k(to)c(outside)h(inquiries.)100 2405 y(DNS)h(queries)h(are)g(in)f(some)f(sense)j(a)e(parasitic)g(load.)21 b(There)c(is)e(generally)g(no)g(v)n(alue)f(to)h(the)h(information)d(p)q(er)37 2455 y(se;)j(rather,)f(a)f(DNS)g(query)h(generally)f(indicates)h(a)f(desire)i (to)e(op)q(en)h(up)g(a)f(useful)h(connection)g(for)f(things)g(lik)o(e)g(mail) 37 2504 y(deliv)o(ery)m(.)29 b(A)17 b(lo)q(cally-generated)g(query)h(means)f (that)g(our)h(host)f(wishes)h(to)g(send)g(information;)e(a)h(remote)g(query) 37 2554 y(means)e(that)g(someone)f(w)o(an)o(ts)h(to)g(send)h(something)d(to)i (us.)22 b(Accordingly)m(,)14 b(w)o(e)h(compared)g(the)g(n)o(um)o(b)q(er)g(of) f(lo)q(cally-)37 2604 y(generated)e(rejections)g(with)f(the)g(n)o(um)o(b)q (er)f(of)g(outgoing)f(calls)i(during)f(the)h(same)f(p)q(erio)q(d,)h(and)g (the)g(n)o(um)o(b)q(er)f(of)g(remote)37 2654 y(rejections)17 b(of)e(our)g(DNS)g(resp)q(onses)j(with)c(the)i(n)o(um)o(b)q(er)f(of)g (incoming)e(calls.)21 b(The)16 b(results)g(w)o(ere)h(alarmingl)o(y)c(high,)37 2704 y(on)f(the)h(order)g(of)e(50-60\045.)16 b(That)c(is,)g(ab)q(out)g(half)f (the)i(connections)g(made)e(in)o(v)o(olv)o(ed)f(rep)q(eated)k(DNS)e (inquiries,)g(with)p eop %%Page: 5 5 4 bop 37 45 a Fi(the)14 b(rep)q(etition)g(due)f(to)g(CPU)h(or)f(net)o(w)o (ork)g(load.)k(Giv)o(en)c(that)g(man)o(y)e(calls)i(can)g(b)q(e)h(made)e (solely)g(with)h(reference)j(to)37 95 y(the)e(DNS)f(cac)o(he,)h(it)f(w)o (ould)f(seem)h(that)h(either)g(resolv)o(er)g(retransmit)f(timers)f(are)i(set) g(m)o(uc)o(h)e(to)q(o)h(lo)o(w,)f(or)h(that)g(there)37 145 y(is)h(some)f(unsusp)q(ected)k(name)12 b(serv)o(er)k(bug)e(that)g(causes)h (unneeded)g(transmissions.)100 195 y(The)c(quan)o(titativ)o(e)e(asp)q(ects)k (of)c(this)i(analysis)f(are)h(somewhat)e(susp)q(ect.)19 b(There)12 b(are)f(t)o(w)o(o)f(serv)o(ers)i(for)f(our)f(domain,)37 245 y(and)i(t)o(w)o(o)f(gatew)o(a)o(ys;)h(w)o(e)g(are)h(only)e(monitoring)e(one)j (of)f(eac)o(h.)18 b(Conceiv)n(ably)m(,)10 b(our)i(serv)o(er)h(is)f(seeing)g (a)g(disprop)q(ortion-)37 295 y(ate)k(n)o(um)o(b)q(er)f(of)g(DNS)g(queries)h (compared)f(with)g(the)h(n)o(um)o(b)q(er)f(of)f(in)o(b)q(ound)h(mail)e (messages.)23 b(But)16 b(w)o(e)f(did)g(see)i(the)37 344 y(same)10 b(results)i(for)e(outb)q(ound)h(messages,)f(when)h(the)h(confounding)d (factor)i(w)o(as)f(absen)o(t.)18 b(W)m(e)10 b(plan)g(to)g(in)o(v)o(estigate)g (this)37 394 y(further,)15 b(deplo)o(ying)d(appropriate)i(monitors)e(on)h(b)q (oth)h(mac)o(hines.)j(W)m(e)c(also)h(plan)f(to)g(trap)h(and)f(analyze)h (sequences)37 444 y(of)j(DNS)g(queries,)h(resp)q(onses,)i(and)c(rejections,)j (an)e(in)o(v)o(estigation)e(our)i(curren)o(t)i(monitoring)14 b(con\014guration)j(do)q(es)37 494 y(not)d(p)q(ermit.)37 634 y Fj(5)70 b(Conclusions)37 726 y Fi(T)m(o)13 b(some,)f(our)h(observ)n(ations) g(can)g(b)q(e)h(summarized)d(succinctly)j(as)f(\\bugs)g(happ)q(en".)18 b(That)13 b(certainly)g(is)g(not)g(news.)37 775 y(But)j(dismissing)e(our)h (results)h(so)f(ca)o(v)n(alierly)f(misses)h(the)h(p)q(oin)o(t.)21 b(Y)m(es,)16 b(bugs)f(happ)q(en.)23 b(But)16 b(bugs)f(can)h(b)q(e)f(\014xed)h (|)37 825 y Fb(if)i Fi(they)g(are)g(detected.)32 b(The)19 b(In)o(ternet)g (is,)f(as)g(a)f(whole,)h(w)o(orking)f(remark)n(ably)f(w)o(ell.)29 b(Huge)19 b(soft)o(w)o(are)e(pac)o(k)n(ages)37 875 y(\(i.e.,)d Fh(X11R5)p Fi(\))f(can)i(b)q(e)g(distributed)g(electronically)m(.)k (Connections)c(span)f(the)h(glob)q(e.)k(But)c(the)g(v)o(ery)g(success)i(of)d (the)37 925 y(In)o(ternet)i(mak)o(es)d(some)g(bugs)h(in)o(visible.)100 975 y(Because)k(of)e(our)g(monitoring,)e(w)o(e)i(are)h(able)f(to)g(sp)q(ot)g (certain)h(classes)h(of)d(misb)q(eha)o(vior)g(that)h(are,)h(in)f(general,)37 1025 y(not)f(seen.)23 b(Unfortunately)m(,)14 b(unlik)o(e)g(our)h(securit)o(y) h(logging)d(recommendations[Bel92b)n(],)h(man)o(y)f(of)i(the)g(tec)o(hniques) 37 1075 y(discussed)h(here)g(are)e(not)h(practical)f(elsewhere.)21 b(T)m(rying)13 b(to)h(analyze)g(b)q(ogus)g(IP)h(destination)f(addresses)i(on) e(a)g(busy)37 1125 y(Ethernet)i(cable)d(do)q(es)i(not)e(w)o(ork,)g(for)g (example.)j(But)f(the)f(underlying)f(problems)f(they)i(are)g(symptomatic)d (of)i(ha)o(v)o(e)37 1174 y(not)19 b(thereb)o(y)h(gone)f(a)o(w)o(a)o(y)m(.)31 b(W)m(e)18 b(therefore)j(suggest)e(that,)h(di\016culties)e(not)o (withstanding,)h(others)h(mak)o(e)d(similar)37 1224 y(e\013orts)e(to)d (instrumen)o(t)h(at)g(least)g(p)q(ortions)g(of)f(their)h(net)o(w)o(orks.)19 b(That)12 b(is)h(the)h(only)e(w)o(a)o(y)g(some)g(of)h(these)h(subtle)f(\(and) 37 1274 y(not)h(so)g(subtle\))h(problems)e(will)f(b)q(e)j(detected)h(and)d (eliminated.)37 1414 y Fj(References)95 1506 y Fi([Bel89])19 b(Stev)o(en)d(M.)e(Bello)o(vin.)19 b(Securit)o(y)c(problems)f(in)g(the)h (TCP/IP)f(proto)q(col)h(suite.)20 b Fb(Computer)15 b(Communi-)239 1555 y(c)n(ations)g(R)n(eview)p Fi(,)f(19\(2\):32{48,)d(April)i(1989.)74 1640 y([Bel92a])19 b(Stev)o(en)g(M.)e(Bello)o(vin.)29 b(\\Helpful")17 b(self-con\014guring)g(programs.)29 b Fb(RISKS)19 b(Digest)p Fi(,)g(13\(25\),)f(Marc)o(h)g(5)239 1690 y(1992.)72 1775 y([Bel92b])h(Stev)o (en)c(M.)f(Bello)o(vin.)k(There)e(b)q(e)f(dragons.)k(In)14 b Fb(Pr)n(o)n(c.)h(UNIX)g(Se)n(curity)g(Symp)n(osium)h(III)p Fi(,)d(pages)i(1{16,)239 1825 y(Baltimore,)d(Septem)o(b)q(er)i(1992.)88 1910 y([Bra89])19 b(R.T.)d(Braden,)j(ed.)28 b Fb(R)n(e)n(quir)n(ements)18 b(for)f(Internet)h(hosts)g(-)g(c)n(ommunic)n(ation)g(layers.)p Fi(,)f(Octob)q(er)i(1989.)239 1960 y(RF)o(C)14 b(1122.)42 2045 y([CFSD90])19 b(J.D.)14 b(Case,)g(M.)g(F)m(edor,)f(M.L.)h(Sc)o(ho\013stall,)f (and)h(C.)g(Da)o(vin.)j Fb(Simple)e(Network)g(Management)h(Pr)n(oto)n(c)n(ol) 239 2094 y(\(SNMP\))p Fi(,)e(Ma)o(y)g(1990.)j(RF)o(C)c(1157.)82 2179 y([Che90])20 b(W.R.)14 b(Cheswic)o(k.)23 b(The)16 b(design)g(of)f(a)g (secure)i(in)o(ternet)g(gatew)o(a)o(y)m(.)k(In)16 b Fb(Pr)n(o)n(c.)g(Summer)g (USENIX)g(Con-)239 2229 y(fer)n(enc)n(e)p Fi(,)d(Anaheim,)f(June)j(1990.)82 2314 y([Che92])20 b(W.R.)12 b(Cheswic)o(k.)18 b(An)13 b(ev)o(ening)h(with)f (Berferd,)i(in)e(whic)o(h)g(a)g(crac)o(k)o(er)i(is)e(lured,)h(endured,)g(and) f(studied.)239 2364 y(In)h Fb(Pr)n(o)n(c.)g(Winter)h(USENIX)g(Confer)n(enc)n (e)p Fi(,)f(San)f(F)m(rancisco,)h(Jan)o(uary)g(1992.)96 2449 y([KL86])19 b(Brian)14 b(Kan)o(tor)g(and)g(Phil)f(Lapsley)m(.)18 b Fb(Network)13 b(News)i(T)m(r)n(ansfer)e(Pr)n(oto)n(c)n(ol)p Fi(,)g(F)m(ebruary)i(1986.)h(RF)o(C)e(977.)76 2534 y([Mo)q(c87])19 b(P)m(.V.)13 b(Mo)q(c)o(k)n(ap)q(etris.)19 b Fb(Domain)c(Names)g(|)g(Conc)n (epts)h(and)f(F)m(acilities)p Fi(,)e(No)o(v)o(em)o(b)q(er)g(1987.)k(RF)o(C)c (1034.)91 2619 y([Plu82])19 b(D.C.)13 b(Plummer.)j Fb(Ethernet)e(A)n(ddr)n (ess)h(R)n(esolution)g(Pr)n(oto)n(c)n(ol)p Fi(,)e(No)o(v)o(em)o(b)q(er)g (1982.)k(RF)o(C)c(826.)90 2704 y([P)o(os81])19 b(Jon)14 b(B.)g(P)o(ostel.)k Fb(Internet)d(Contr)n(ol)f(Message)i(Pr)n(oto)n(c)n(ol)p Fi(,)d(Septem)o(b)q (er)h(1981.)j(RF)o(C)c(792.)p eop %%Page: 6 6 5 bop 37 45 a Fi([PPTT90])20 b(Rob)f(Pik)o(e,)h(Da)o(v)o(e)f(Presotto,)j(Ken) e(Thompson,)f(and)g(Ho)o(w)o(ard)g(T)m(ric)o(k)o(ey)m(.)34 b(Plan)19 b(9)g(from)f(Bell)h(Labs.)239 95 y(In)h Fb(Pr)n(o)n(c)n(e)n(e)n (dings)g(of)g(the)h(Summer)f(1990)h(UKUUG)f(Confer)n(enc)n(e)p Fi(,)g(pages)g(1{9,)g(London,)g(July)g(1990.)239 145 y(UKUUG.)95 228 y([RP90])f(Jo)o(yce)c(K.)f(Reynolds)f(and)h(Jon)g(B.)g(P)o(ostel.)k Fb(Assigne)n(d)d(numb)n(ers)p Fi(,)e(Marc)o(h)i(1990.)i(RF)o(C)c(1060.)85 311 y([Sun88])19 b(Sun)c(Microsystems,)e(Inc.)20 b Fb(RPC:)14 b(R)n(emote)i(Pr)n(o)n(c)n(e)n(dur)n(e)e(Cal)r(l)h(Pr)n(oto)n(c)n(ol)f(Sp)n (e)n(ci\014c)n(ation)i(V)m(ersion)f(2)p Fi(,)f(June)239 361 y(1988.)j(RF)o(C)d(1057.)85 444 y([Sun90])19 b(Sun)10 b(Microsystems,)g (Inc.,)g(Moun)o(tain)f(View,)h(CA.)h Fb(Network)f(Interfac)n(es)g(Pr)n(o)n (gr)n(ammer's)g(Guide)p Fi(,)g(Marc)o(h)239 493 y(1990.)17 b(SunOS)e(4.1.)p eop %%Trailer end userdict /end-hook known{end-hook}if %%EOF