[Moked Req #10376] Revised security alert (fwd)
I hope this closes this crazy issue and flame war.
peace.
--Asher
---------- Forwarded message ----------
Last week a security alert was sent to all ISPs in Israel in regards to
beirut.leb.net. During the past week I have examined logs and exchanged
emails with the sysadmin of leb.net. beirut.leb.net performs a Queso
scan of all European Internet systems to determine what type of
operating system is being run. This survey is posted at:
http://www.hzo.cubenet.de/ioscount/
The principle of the survey goes like this: There are 7 different
packets sent to the host to query. These packets trigger a maximum of 7
answer packets. To cope with packet loss, each of the 7 packets is sent
twice. Therefore, every host gets 14 packets in total. If the host
answers before 6 seconds have elapsed, the answer is evaluated. Otherwise
the target host is counted as not responding.
To find out which query packet triggered which answer, every query
packet which is sent to a host uses a different return port address. If
Queso gets an answer which comes in at port 10568 it knows which query
packet triggered this answer.
The 7 packets sent are:
0 SYN
1 SYN+ACK
2 FIN
3 FIN+ACK
4 SYN+FIN
5 PSH
6 SYN+XXX+YYY * XXX & YYY are unused TCP flags
[For further technical info see: http://www.apostols.org/projectz/queso]
What has occurred is that these Queso scans (Israel's web servers at
port 80 were scanned) are being mistaken by some as port scans for
hacking purposes. This mistaken assumption has occurred in other
European countries as well, but the mistaken assumption was corrected
after leb.net was contacted. I have not seen any proof to date that
implicates beirut.leb.net as the source of hacking attacks on Israeli
systems. Therefore, it is recommended to remove any packet filters that
have been introduced to block 206.127.55.2.
Incidentally, all Israeli systems have been removed from the Queso
scanning system as of Friday Oct 23. We will be asking them to
reinstate Israel to this important Internet survey.
Please distribute this to any lists to which you may have previously
distributed my original posting.
Hank Nussbacher
ISOC-IL Board member
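
Added example, not part of the original message and not Queso's own code: a Python classifier that separates the probe pattern described above (one destination port, the 7 listed flag combinations, each sent at most twice from its own return port) from a multi-port sweep in captured inbound TCP segments. The record layout, the thresholds, the sample addresses and the use of "XXX"/"YYY" as labels for the unused flag bits are assumptions.

```python
from collections import defaultdict

# Probe table as listed in the message. "XXX"/"YYY" are placeholder labels
# for the two unused TCP flag bits, which the message does not name.
PROBES = [{"SYN"}, {"SYN", "ACK"}, {"FIN"}, {"FIN", "ACK"},
          {"SYN", "FIN"}, {"PSH"}, {"SYN", "XXX", "YYY"}]
PROBE_INDEX = {frozenset(f): i for i, f in enumerate(PROBES)}

def classify(packets, min_probe_types=6, scan_ports=10):
    """Label each (src, dst) pair seen in inbound TCP segments.

    packets: iterable of (src, sport, dst, dport, flags), flags like "SYN+ACK".
    Both thresholds are assumptions chosen for this example.
    """
    seen = defaultdict(list)
    for src, sport, dst, dport, flags in packets:
        seen[(src, dst)].append((sport, dport, frozenset(flags.split("+"))))

    verdicts = {}
    for pair, segs in seen.items():
        dports = {dport for _, dport, _ in segs}
        copies = defaultdict(int)   # probe index -> number of segments seen
        sports = defaultdict(set)   # source port -> probe indexes using it
        for sport, _, flags in segs:
            idx = PROBE_INDEX.get(flags)
            if idx is not None:
                copies[idx] += 1
                sports[sport].add(idx)
        if len(dports) >= scan_ports:
            verdicts[pair] = "port-sweep"
        elif (len(dports) == 1 and len(copies) >= min_probe_types
              and max(copies.values()) <= 2                    # each probe sent twice
              and all(len(p) == 1 for p in sports.values())):  # own return port
            verdicts[pair] = "os-fingerprint"
        else:
            verdicts[pair] = "other"
    return verdicts

def sample():
    """Constructed traffic: documentation addresses and made-up ports."""
    fp = [("192.0.2.10", 10560 + i, "198.51.100.5", 80, "+".join(sorted(f)))
          for i, f in enumerate(PROBES) for _ in range(2)]
    sweep = [("192.0.2.20", 40000, "198.51.100.5", p, "SYN") for p in range(20, 40)]
    web = [("192.0.2.30", 51000, "198.51.100.5", 80, "SYN"),
           ("192.0.2.30", 51000, "198.51.100.5", 80, "ACK")]
    return fp + sweep + web

if __name__ == "__main__":
    for pair, verdict in sorted(classify(sample()).items()):
        print(pair, verdict)
```

Setting min_probe_types below 7 tolerates the loss of both copies of one probe on the capture side.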