Archive for April 18, 2011
Sam1
Splash two.
China’s ICANN Sleepers and IGMP protocol
Servers in the 169 range of "special use" addresses sponsored by ICANN are in fact used to spy on America. IP address http://169.254.185.199/ is one such example.
IGMP snooping is the process of listening to Internet Group Management Protocol (IGMP) network traffic. IGMP snooping, as implied by the name, is a feature that allows a network switch to listen in on the IGMP conversation between hosts and routers. By listening to these conversations the switch maintains a map of which links need which IP multicast streams. Multicasts may be filtered from the links which do not need them.
A switch will, by default, flood multicast traffic to all the ports in a broadcast domain (or the VLAN equivalent). Multicast can cause unnecessary load on host devices by requiring them to process packets they have not solicited. When purposefully exploited this is known as one variation of a denial-of-service attack. IGMP snooping is designed to prevent hosts on a local network from receiving traffic for a multicast group they have not explicitly joined. It provides switches with a mechanism to prune multicast traffic from links that do not contain a multicast listener (an IGMP client).
IGMP snooping allows a switch to forward multicast traffic only to the links that have solicited it. Essentially, IGMP snooping is a layer 2 optimization for the layer 3 IGMP. IGMP snooping takes place internally on switches and is not a protocol feature. Snooping is therefore especially useful for bandwidth-intensive IP multicast applications such as IPTV.
Proxy reporting
IGMP snooping with proxy reporting or report suppression actively filters IGMP packets in order to reduce load on the multicast router.[1] Joins and leaves heading upstream to the router are filtered so that only the minimal quantity of information is sent. The switch is trying to ensure the router has only a single entry for the group, regardless of how many active listeners there are. If there are two active listeners in a group and the first one leaves, the switch determines that the router does not need this information, since it does not affect the status of the group from the router's point of view. However, the next time there is a routine query from the router, the switch will forward the reply from the remaining host, to prevent the router from believing there are no active listeners. It follows that with active IGMP snooping, the router will generally only know about the most recently joined member of the group.
Borrowed from Wikipedia.
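The proxy-reporting behaviour described above, as an added example that is not part of the original post: a minimal model of a snooping switch that keeps the router down to one entry per group, suppresses a leave while other listeners remain, and answers the router's query from the remaining host. Class and method names are this example's own assumptions, not any vendor's implementation.

```python
from __future__ import annotations
from collections import defaultdict


class SnoopingSwitch:
    """Tracks which access ports hold a listener for each multicast group and
    forwards only the minimal membership information upstream to the router."""

    def __init__(self, router_port: str):
        self.router_port = router_port
        # group -> set of access ports with an active listener
        self.members: dict[str, set[str]] = defaultdict(set)
        # everything the switch actually sent towards the router, in order
        self.upstream: list[tuple[str, str]] = []

    def join(self, port: str, group: str) -> bool:
        """Host on `port` reports membership of `group`.
        Returns True only if the report was forwarded to the router."""
        first_listener = not self.members[group]
        self.members[group].add(port)
        if first_listener:            # router needs exactly one entry per group
            self.upstream.append(("join", group))
        return first_listener

    def leave(self, port: str, group: str) -> bool:
        """Host on `port` sends an IGMP leave. Suppressed while other listeners
        remain, because the router's view of the group does not change."""
        ports = self.members.get(group)
        if not ports:
            return False              # nobody was listening; nothing to report
        ports.discard(port)
        if ports:
            return False              # suppressed: group still has a listener
        del self.members[group]
        self.upstream.append(("leave", group))
        return True

    def query(self, group: str) -> bool:
        """Router sends a routine membership query. One report from a remaining
        listener is forwarded so the router does not age the group out."""
        if not self.members.get(group):
            return False
        self.upstream.append(("report", group))
        return True

    def egress_ports(self, group: str) -> set[str]:
        """Access ports a multicast frame for `group` arriving from the router
        is forwarded to: the listeners only, not the whole broadcast domain."""
        return set(self.members.get(group, set()))
```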
Sleepers: Snow Leopards (we use them too..) make excellent sleepers, using a series of sleep proxy commands similar to
2143 996 192.168.1.2 224.0.0.251 MDNS Standard query PTR _sleep-proxy._udp.local, “QM” question
just outside your computer (if it has no firewall). A sleeping server only activates when there is activity; when there is none, it sleeps again. If you run a firewall, the sleeper uses a UDP connection to reach the inside of your firewall.
Oddly, we found the excerpt of the following article somewhat unnerving:
Multicast DNS (mDNS) is a protocol that uses similar APIs to the unicast DNS system but implemented differently. Each computer on the LAN stores its own list of DNS records (e.g. A, MX, PTR, SRV, etc.) and when an mDNS client wants to know the IP address of a PC given its name, the PC with the corresponding A record replies with its IP address. (Wikipedia)
The problem with mDNS is that it is spoof-able. Here is how it works. An mDNS-enabled client will perform an mDNS query on a multicast address. All clients that listen on that address will respond back with their names. Now if we have two clients with the same name, whoever is first wins. So for example, if your word processing application decides to print a document by looking for printer.local, attackers can easily send a response to that DNS query with a forged answer which instructs it to look for the printer on a different IP address, therefore successfully hijacking/poisoning the local name for a duration of time.
On WiFi networks this type of attack might not be as useful, because just picking up the DNS packets from the air and injecting forged DNS responses is easy, but there are many cases where mDNS attacks prove to be very, very useful. One such case is when performing enumeration. Due to the fact that most devices support mDNS to one degree or another, with a single multicast packet attackers can learn a plethora of useful things such as the available devices' versions and types, administrative URLs, email addresses of the owners, support information, etc, etc, etc.
http://www.gnucitizen.org/blog/name-mdns-poisoning-attacks-inside-the-lan/
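One way to spot the first-answer-wins poisoning pattern the quoted article describes, as an added example that is not part of the original post or the quoted article: a small detector over already-decoded mDNS A answers (a real deployment would decode them from UDP/5353 captures). The record shape and the sample answers are constructed for this example.

```python
from collections import defaultdict

# Constructed sample: (timestamp, source IP, name, record type, rdata)
SAMPLE_ANSWERS = [
    (10.0, "192.168.1.20", "printer.local", "A", "192.168.1.20"),
    (10.2, "192.168.1.20", "printer.local", "A", "192.168.1.20"),
    (11.0, "192.168.1.66", "printer.local", "A", "192.168.1.66"),  # second claimant
    (12.0, "192.168.1.30", "laptop.local", "A", "192.168.1.30"),
    (13.0, "192.168.1.66", "nas.local", "A", "192.168.1.99"),      # answers for another host
]


def find_mdns_conflicts(answers, window=30.0):
    """Return alert strings for A answers that look like name poisoning.

    - 'conflict': two responders answer the same name with different addresses
      within `window` seconds; with first-answer-wins resolution this is a race.
    - 'third-party': a responder hands out an address other than its own.
      Legitimate multi-homed hosts can do this too, so treat it as a lead.
    """
    alerts = []
    seen = defaultdict(list)          # name -> [(ts, src, rdata)]
    for ts, src, name, rtype, rdata in sorted(answers):
        if rtype != "A":
            continue
        if rdata != src:
            alerts.append(f"third-party: {src} answered {name} -> {rdata}")
        for prev_ts, prev_src, prev_rdata in seen[name]:
            if prev_rdata != rdata and ts - prev_ts <= window:
                alerts.append(f"conflict: {name} = {prev_rdata} (from {prev_src}) "
                              f"vs {rdata} (from {src})")
                break                 # one conflict alert per answer is enough
        seen[name].append((ts, src, rdata))
    return alerts
```

Conflicts are expected briefly when a host legitimately renames itself, so a persistent alternation between two addresses is the stronger signal.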
169.254.185.199
The above IP address has created botnets through the use of Slammer worm attacks, a mixture of the SQL Slammer worm and mal-bots such that when you repair your MBR (master boot record) the bots remain and can be called upon by the attacker at any given time. China has been using XP and Ubuntu for botnets for the past eight years. With Ubuntu, it attacks the MBR through the GRUB loader. China created more than 55,000 botnets in 2010.
ICANN denies that these events are occurring; however, we plan to call them on this.
Doc