digitalLegacy
David A. Bandel
david
Mon Oct 17 12:41:37 PDT 2005
Regurgitating the prose of Matthew Carpenter Matthew Carpenter
<matt at eisgr.com> on Mon, 3 Oct 2005 21:48:46 -0400: begin
|:)
|
|
|On Wednesday 28 September 2005 09:07 pm, Collins Richey wrote:
|> On 9/28/05, Kurt Wall <kwall at kurtwerks.com> wrote:
|> > On Tue, Sep 27, 2005 at 09:52:19PM -0600, Collins Richey took 21 lines to
|write:
|> > > On 9/27/05, Matthew Carpenter <matt at eisgr.com> wrote:
|> > > > -----BEGIN PGP SIGNED MESSAGE-----
|> > > > Hash: SHA1
|> > > >
|> > > > http://digitalLegacy.blogspot.com/
|> > >
|> > > Forbidden! Too bad we can't read that.
|> >
|> > Worked over here.
|>
|> Ahh, the mysteries of the internet. It works for me tonight.
|>
|
There are no mysteries. I've been fighting a recurring problem for
over a year now: one client on another network complains that often
during the day certain sites are not accessible, but are on the weekend
and at night.
Finally, I got the same complaint from someone actually on my network.
Fired up tcpdump in one of my wireless bridges and found:
12:36:07.950195 64.116.183.28.1997 > 205.147.84.26.80: S 2208736126:220873636126(0) win 5840 <mss 1460,sackOK,timestamp 8327376 0,nop,wscale 2> (DF)
12:36:08.051422 64.255.255.0.80 > 64.116.183.28.1997: S 43968:43968 ack 2208736127 win 1024 <mss 1024>
12:36:08.059108 64.116.183.28.1997 > 64.255.255.0.80: R 2208736127:2208736127(0) win 0 (DF)
This _only_ happened from one IP, and continued to happen for hours. I
only captured one page, but it's enough. My IP, a neighbor of this
one, did not suffer from this problem going through the same route on
the Internet.
For the tcpdump challenged, the first line shows IP 64.116.183.28 going
out port 1997 to 205.147.84.26 on port 80 (web access). The 'S' means
the SYN bit is set, the next two colon separated numbers are good
sequence numbers, window size is 5840, max segment size is 1460
(standard ethernet connection at mtu 1500), some other unimportant
juju, and the don't fragment (DF) bit is set.
The second line is an IP of 64.255.255.0 on port 80 answering
64.116.183.28 on port 1997 with a SYN-ACK packet (the ack follows the
horrible Windoze sequence numbers) and it's ack'ing our sequence number
using a window of 1024 with mss 1024 (typical windoze stupidity) and no
DF.
An IP-Port-Sequence number is unique and positively identifies a bogus
host performing a NAT it shouldn't (the IP says GlobalMobile or some
such suggesting they NAT customers onto the Internet from wherever in
the world).
The third line is .28 sending a reset (RST) to 64.255.255.0 because we
weren't talking to it.
Turns out, the dynamic routing of the Internet mixed with some bad
Windoze programming is fsck'ing a lot of people (how do I know
Windoze? because of the imbecilically simple sequence numbers based on
time -- I can watch them increment by one throughout the entire dump --
just crying for someone to do a man-in-the-middle attack on them).
I've been trying to contact these imbeciles (onecall.net), but their
phone number doesn't seem to work. They've failed so far to respond to
my e-mails. This kind of crap should be criminal. May have to resort
to complaints to ARIN.
Ciao,
David A. Bandel
--
Focus on the dream, not the competition.
Nemesis Racing Team motto
GPG key autoresponder: mailto:david_key at pananix.com
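The check David does by eye above, done programmatically as an added example (not from the post or its author): a SYN-ACK that acks the client's ISN+1 but arrives from an IP other than the one the SYN was sent to, and the client's RST to that host afterwards. It assumes the old tcpdump 3.x line format shown in the post; SAMPLE is the quoted capture reflowed one packet per line.

```python
import re

# Constructed sample: the three packets quoted in the post, one per line,
# values exactly as they appeared there.
SAMPLE = [
    "12:36:07.950195 64.116.183.28.1997 > 205.147.84.26.80: S 2208736126:220873636126(0) win 5840 <mss 1460,sackOK,timestamp 8327376 0,nop,wscale 2> (DF)",
    "12:36:08.051422 64.255.255.0.80 > 64.116.183.28.1997: S 43968:43968 ack 2208736127 win 1024 <mss 1024>",
    "12:36:08.059108 64.116.183.28.1997 > 64.255.255.0.80: R 2208736127:2208736127(0) win 0 (DF)",
]

# Old-style tcpdump TCP line: "ts src.sport > dst.dport: FLAGS seq:end[(len)] [ack N] win W ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>[SRPF.]+) "
    r"(?P<seq>\d+):(?P<end>\d+)(?:\(\d+\))?(?: ack (?P<ack>\d+))?"
)

def parse_line(line):
    """Parse one tcpdump line into a dict; None if it is not a TCP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "seq", "end"):
        d[k] = int(d[k])
    d["ack"] = int(d["ack"]) if d["ack"] is not None else None
    return d

def find_spoofed_synacks(lines):
    """Flag SYN-ACKs that ack a client's ISN+1 but come from the wrong host;
    a later RST from the client to that host marks the handshake as rejected."""
    pending = {}   # (client ip, client port, server port) -> (intended server ip, client ISN)
    findings = []
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if "S" in p["flags"] and p["ack"] is None:        # client SYN
            pending[(p["src"], p["sport"], p["dport"])] = (p["dst"], p["seq"])
        elif "S" in p["flags"]:                             # SYN-ACK
            hit = pending.get((p["dst"], p["dport"], p["sport"]))
            if hit and p["ack"] == hit[1] + 1 and p["src"] != hit[0]:
                findings.append({"ts": p["ts"], "client": p["dst"], "intended": hit[0],
                                 "answered_by": p["src"], "client_reset": False})
        elif "R" in p["flags"]:                             # client RST to the impostor
            for f in findings:
                if f["client"] == p["src"] and f["answered_by"] == p["dst"]:
                    f["client_reset"] = True
    return findings
```

Run over a longer capture, the same client repeatedly resetting handshakes answered by one unexpected IP is the pattern the post describes.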