[funsec] An interesting packet inspection problem
drsollyp at drsolly.com
Sat Jan 14 15:50:49 CST 2006
I'm having a very strange problem. I'm enclosing a test file, zipped
(you'll see why).
The file duff.12, is blocked somehow, and has been for the last two days
or so. It's a 43-byte file:
This is a test file
End of the file
But the x's are hexadecimal bc, six of them, and that's the "active
Because the blocking problem depends on the content of the file (files
without the "active ingredient" transfer just fine), I'm thinking it's
related to some kind of packet inspection, and that puts it into the
security area, probably. The string of 6 bc hex, might not be the only
possible "active ingredient", but it is one that I've narrowed down to.
I have three locations, call them Watford, Chesham and Vodafone. Watford
is my colocation (run by Cable and Wireless), Chesham is my home (ISP is
Nildram) and Vodafone is a laptop connected via the Vodafone network,
using GPRS over a mobile. I also have an AOL account.
When the file is blocked, it's blocked using ftp, http and telnet. It
isn't blocked if I Zip the file, or send it via ssh (because then the
"active ingredient" isn't there, it's encrypted).
Vodafone -> Watford OK
Watford -> Vodafone Blocked
AOL -> Watford OK
AOL -> Chesham OK
Watford -> Chesham Blocked
Chesham -> Watford Blocked
Vodafone -> Chesham OK
Chesham -> Vodafone Blocked
Watford -> Some guy in America - OK
Watford -> Some guy in Switzerland - Blocked
I put a server on the Watford location without any Firewall. Still
blocked. So it isn't my firewall (I didn't think it was, but it's good to
It's pretty strange that A -> B is blocked, while B -> A isn't. Using the
Vodafone data, I can prove that it must be Watford, but I can also prove
that it must be Chesham. Well, this implies that the problem is at *both*
Watford and Chesham, and must therefore be something that both Nildram and
Cable&Wireless use, but the only thing I can think of there, is the London
Interchange (Link), and I cannot believe that they would do any kind of
packet inspection, the volumes are simply ginormous.
The tech support people at Cable and Wireless (who seem to be Clueful)
are baffled, and I don't blame them.
With the data above, you can exonerate (or blame) Chesham and Watford.
Of course, that isn't the only file that gets blocked. It's a minimalist
My feeling is there's some box floating around, that's doing packet
inspection, and blocks anything that includes a sequence of six bc hex.
You can access my server in Chesham.
http://www.webinfosecurity.com/good.12 shows you a good file; that lets
you check that there's nothing blocking your access to my server
http://www.webinfosecurity.com/duff.12 is the 43 byte file that gets
If anyone can suggest a solution to this, I'd be very happy. As in "Oh, I
know what that is, it's the Furzewangle Carflugner, configured to prevent
Bagpeller attacks". But I'm not optimistic that anyone might.
But what I'd like people to do, is try to access the duff file, and if
their access fails, to send me a traceroute to www.webinfosecurity.com
As a reward, if I ever find out what is causing this rather interesting
(and for me, intensely frustrating) problem, I'll post it here.
A non-text attachment was scrubbed...
Size: 182 bytes
Desc: duff file, zipped
Url : http://linuxbox.org/pipermail/funsec/attachments/20060114/ad491727/duff.zip
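An added reproduction harness (not part of the post or its attachment): it rebuilds the 43-byte test file, a same-size control with the six bc bytes replaced by ASCII, scans a byte stream for the suspected "active ingredient", and classifies what came back from a transfer so a failed fetch can be logged as truncated or altered rather than just "blocked". It assumes the file layout is line, six 0xBC bytes, newline, line, which is the only arrangement that gives 43 bytes; the zlib check stands in for "zip it and it goes through".

```python
"""Reproduce the duff.12 test case and check transferred copies for the trigger bytes."""
import zlib

# The post's suspected trigger: six consecutive bytes of hex bc.
ACTIVE_INGREDIENT = b"\xbc" * 6


def build_test_file(active: bool = True) -> bytes:
    """Rebuild the 43-byte file from the post (layout is an assumption).

    With active=False the six bc bytes become six ASCII 'x' characters, so the
    control file is the same size and only the suspected bytes differ.
    """
    middle = ACTIVE_INGREDIENT if active else b"x" * 6
    return b"This is a test file\n" + middle + b"\n" + b"End of the file\n"


def find_run(data: bytes, byte: int = 0xBC, length: int = 6) -> int:
    """Offset of the first run of `length` identical `byte` values, or -1."""
    return data.find(bytes([byte]) * length)


def survives_compression(data: bytes) -> bool:
    """True if deflating the data removes the run (why a zipped copy passes)."""
    return find_run(zlib.compress(data)) == -1


def transfer_report(sent: bytes, received: bytes) -> str:
    """Classify a received copy: intact, truncated at an offset, or altered."""
    if received == sent:
        return "intact"
    if len(received) < len(sent) and sent.startswith(received):
        return f"truncated at offset {len(received)}"
    limit = min(len(sent), len(received))
    first_diff = next((i for i in range(limit) if sent[i] != received[i]), limit)
    return f"altered at offset {first_diff}"


if __name__ == "__main__":
    duff, good = build_test_file(), build_test_file(active=False)
    print(f"duff: {len(duff)} bytes, trigger at offset {find_run(duff)}")
    print(f"good: {len(good)} bytes, trigger at offset {find_run(good)}")
    print(f"deflated duff still carries trigger: {not survives_compression(duff)}")
    # Constructed example of a copy cut off mid-transfer, for the report format.
    print(transfer_report(duff, duff[:20]))
```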