Software, technology, sysadmin war stories, and more. Feed
Thursday, July 7, 2011

Mind your octets and insist on TLS

Anyone with a fair amount of IP space probably has a lot of random trash traffic headed their way. There are ping probes, port scans, broken packets, and other crazy martian stuff just flying around. Those are only somewhat interesting. What got me wondering one night was the appearance of queries which seemed legitimate but just misdirected. What was going on there?

There were patterns in my data. While all of the hosts in one of my bigger networks would receive a fair spread of random gunk, some of them would get specific things far more than the others. Some would receive packets which never wound up anywhere else. Sometimes there would be patterns, like only .11 and .12 getting innocent-looking DNS requests.

I figured it would be possible to find out what was going on by just answering some of these questions. It was simple enough to swing those target addresses around to a real Linux box, and there I just stood up BIND with a wildcard entry in a fake . zone. I just had it answer all incoming DNS queries with a response that was yet another address in my space.

That's when it got weird. Upon serving up a reply, I'd start getting new types of traffic at that IP address. This time, the incoming connections were TCP, and they were headed to ports like 25, 110, and 143. Now this random mystery host was trying to send or receive mail! A little more fiddling and pretending to be various daemons by hand confirmed exactly that.

I later found out that some big ISP had their nameservers side by side at addresses ending in .11 and .12, but they were otherwise one digit off from my space. Someone must have typed it in incorrectly, and the rest was obvious.

This little experiment gave me an idea which I did not implement. What if you set up a machine which did nothing but attempt to speak as many protocols as possible? Answer all DNS queries with your own IP address, then pretend to be a POP or IMAP server or whatever. You can gather login data from that, or via SMTP AUTH attempts. It could even be given an aura of legitimacy by having a fancy-looking "firewall status page" running on its web server where it shows what it's captured.

One wonders if this has already happened somewhere.