About the "2301 - Loopback" Traffic
If you attended any of my sessions at BrainShare/Nice, you saw some really unusual traffic on the network -- traffic from 127.0.0.1 to the broadcast address 255.255.255.255. Get the Sniffer trace file.
The Sniffer Pro did not decode the upper layers of the traffic. This strange traffic was all UDP-based with source and destination port values of 2301. Referencing IANA's port number information (thanks to the gentleman who looked it up during the session), we can see that port 2301 is assigned to "Compaq-HTTP." Well, let me tell you -- that's like no other web browsing traffic I've ever seen...!
How did we locate this strange traffic among the zillions (a technical term, I assure you) of packets cruising around the conference center? I opened up the matrix window to show one group how the traffic can be viewed based on MAC (hardware), IP or IPX address. When I clicked on the IP tab, the 127.0.0.1 address just nearly jumped out and hit me in the face (ok.. I've been doing this a long time... maybe too long, eh?).
When we send packets to 127.0.0.1, we're performing a loopback test of some sort. The strange packets we noted at the conference were sent from 127.0.0.1. This means that if the receiver wants to reply, it should send the reply to.... itself! Kind of a 'Go f......talk to yourself' packet, eh? Not in good taste, at all...
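The three things that made this traffic stand out in the matrix window (a 127/8 source address on the wire, a limited-broadcast destination, and UDP port 2301 at both ends) are easy to turn into a mechanical check. The following Python is an added example, not code from the article or from Sniffer Pro: it parses raw Ethernet/IPv4/UDP frames and tags each anomaly separately, so the same logic can run over any capture exported as raw bytes. The sample frames are constructed for this example; only the port number 2301 comes from the article, and the frame builder, tag names and addresses are assumptions.

```python
"""Flag on-the-wire packets with a loopback source, a limited-broadcast
destination, or UDP/TCP port 2301, the combination described in the article.

Added example: the frames below are constructed here, not taken from the
article's Sniffer trace. Port 2301 is the IANA "Compaq-HTTP" assignment the
article refers to; every other value is an assumption for illustration.
"""
from __future__ import annotations

import ipaddress
import struct

COMPAQ_HTTP_PORT = 2301                     # from the article (IANA "Compaq-HTTP")
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def parse_frame(frame: bytes) -> dict | None:
    """Return src/dst/proto/ports for an IPv4 Ethernet frame, or None if not IPv4."""
    if len(frame) < 14 + 20:                  # Ethernet header + minimal IPv4 header
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:                   # not IPv4
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                  # IPv4 header length in bytes
    info = {
        "src": ipaddress.ip_address(ip[12:16]),
        "dst": ipaddress.ip_address(ip[16:20]),
        "proto": ip[9],
        "sport": None,
        "dport": None,
    }
    # Both TCP (6) and UDP (17) carry source and destination ports first.
    if info["proto"] in (6, 17) and len(ip) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return info


def classify(frame: bytes) -> list[str]:
    """Return the anomaly tags for one frame (an empty list means nothing unusual)."""
    info = parse_frame(frame)
    if info is None:
        return []
    tags = []
    # RFC 1122: a 127/8 address must never appear as a source outside the host,
    # so seeing one on a shared segment is itself worth an alert.
    if info["src"] in LOOPBACK_NET:
        tags.append("loopback-source-on-wire")
    if info["dst"] == LIMITED_BROADCAST:
        tags.append("limited-broadcast")
    if COMPAQ_HTTP_PORT in (info["sport"], info["dport"]):
        tags.append("port-2301")
    return tags


def _checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a constructed Ethernet/IPv4/UDP frame (UDP checksum 0, which IPv4 allows)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _checksum(ip_hdr)) + ip_hdr[12:]
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", 0x0800)
    return eth + ip_hdr + udp


# Constructed sample traffic (assumption: not from the article's trace file).
SAMPLE_FRAMES = [
    build_udp_frame("127.0.0.1", "255.255.255.255", 2301, 2301, b"constructed"),
    build_udp_frame("192.168.1.10", "192.168.1.1", 49152, 53, b"dns query"),
    build_udp_frame("192.168.1.20", "255.255.255.255", 68, 67, b"dhcp discover"),
]


def scan(frames: list[bytes]) -> list[tuple[int, list[str]]]:
    """Return (frame index, tags) for every frame that triggers at least one tag."""
    return [(i, classify(f)) for i, f in enumerate(frames) if classify(f)]


if __name__ == "__main__":
    for i, tags in scan(SAMPLE_FRAMES):
        info = parse_frame(SAMPLE_FRAMES[i])
        print(f"frame {i}: {info['src']}:{info['sport']} -> {info['dst']}:{info['dport']} {tags}")
```

Keeping the tags separate matters: an ordinary DHCP DISCOVER also goes to 255.255.255.255, so the broadcast tag alone is noise, while a loopback source on the wire is anomalous on its own and the full triple is the signature the article describes.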
The Status
The Compaq contact I spoke to at the show did state this was most likely an 'Insight Manager' issue and he gave me an email to send the trace off to. He admitted that it was not a good thing to have the loopback-based traffic cruising along the network in the first place.
As I await their response as to why Insight Manager would perform such a strange operation, I decided to see if they stated the purpose of Port 2301 on their website (check out http://www.compaq.com/support/files/server/US/download/9608.html). What I found was an interesting tidbit regarding the security issues involved, and it deserves attention:
"SP16318.EXE: This update fixes a potential security vulnerability in Compaq web-enabled management software. Compaq strongly recommends that you update your software as soon as possible. Compaq management software running any Web Based Enterprise Management Agent or Utility that resides on port 2301 can act as a generic proxy server.
Internal traffic going out to the Internet can bypass normal proxy server filtering by using TCP/IP port 2301, and external traffic may be able to infiltrate internal networks if there is no additional firewall protection.
PRODUCTS AFFECTED:
Compaq Insight Management Agents for Servers
Compaq Survey Utility
Compaq Power Management
Compaq Intelligent Cluster Administrator
Compaq Availability Agents
Compaq Insight Manager XE"
Given the many warnings that I mentioned regarding hackers and general security issues (and port spanning), I recommend that you check out this document and consider upgrading your web-enabled management software.
I am still awaiting information regarding the purpose of (and termination of) broadcast transmissions from 127.0.0.1.
Got other ideas for articles/documentation or training? Send email directly to Laura at lchappell@packet-level.com.
Laura Chappell
Sr. Protocol Analyst
Copyright 2000 Protocol Analysis Institute, L.L.C.