Wireshark-users: Re: [Wireshark-users] this traffic pattern indicates what?
From: Sake Blok <sake@xxxxxxxxxx>
Date: Sat, 1 Nov 2008 10:16:30 +0100
On Fri, Oct 31, 2008 at 04:58:48PM -0700, Linnea Wren wrote:
>
> I've been doing packet captures, and visually assessing/monitoring other
> counters on the box to try to get a clue as to what, exactly, is the
> problem. Windows performance monitor shows incoming traffic to be minimal
> (1-4% bandwidth utilization), outgoing traffic to be variable (brief
> spikes up to 100% utilization, more commonly ranging around in the 10-50%
> utilization range).
How about the CPU utilisation and disk IO?
[...]
> In one file of 101,428 packets, this kind of traffic accounts for
> approximately 25% of IP conversations, and 50% of TCP streams.
That's a big waste of your bandwidth and webserver capacity...
> A typical example of one of these streams is:
>
> Client:
> -GET http://updatem.360safe.com/safe/laneydefault.html HTTP/1.1
The fact that the hostname is in the GET request means that the
client initiating this request was indeed configured to use a
proxy. A normal (direct) request would look like:
GET /safe/laneydefault.html HTTP/1.1
Host: updatem.360safe.com
...
> -HTTP/1.1 302 Object moved
> -Date: Fri, 31 Oct 2008 17:27:38 GMT
> -Server: Microsoft-IIS/6.0
> -P3P: CP="CAO PSA OUR CUSa"
> -X-Powered-By: ASP.NET
> -Location: laneydefault.html
> -Content-Length: 138
> -Content-Type: text/html
> -Cache-control: private
> -<head><title>Object moved</title></head>
> -<body><h1>Object Moved</h1>This object may be found <a
> HREF="laneydefault.html">here</a>.</body>
I would try to make IIS drop connections to unknown hosts, instead
of replying with a redirect. Or at least answer with a 404.
> In that particular stream, the same request & response are repeated over
> and over for 1,282 packets in 3.5 minutes.
That's because of the redirection with a relative URL instead of an
absolute URL.
Say someone has "accidentally" configured your server as their proxy
and requests http://updatem.360safe.com/safe/, your IIS is now
telling it that the object has moved to
http://updatem.360safe.com/safe/laneydefault.html which again results in
a redirect to http://updatem.360safe.com/safe/laneydefault.html and so
on. You have created a loop which will of course swamp the server,
depending on the speed at which the client can issue the requests.
> Source IP addresses are all over the place - I can't block this at our
> firewall.
>
> The server has Cisco's Security Agent, but so far I haven't figured out if
> there's a way to configure a rule to drop this traffic.
If you have an IDP, you might be able to create a ruleset that allows
requests with a header like "Host: yoursite.com" and blocks all other
requests. Or maybe some application layer filter in your firewall might
be able to do that.
> So, is this evidence that people are trying to proxy through us? If not,
> what then? I feel I could google for how to remediate this much more
> effectively if I had a better idea of what search terms would be
> applicable...
Yes, it seems like there are people probing your webserver to see
whether it is an open proxy. I'm not a webmaster, but I can imagine that
that's "normal" traffic these days :( The real problem I think is the
loop that the 302 is creating. Have your server issue a 404 for every
unknown site and I think you will see an improvement in your server's
reachability.
Cheers,
Sake