argus 3.0.3 decodes certain UDP packets incorrectly as IPv6

Carter Bullard carter at qosient.com
Tue Sep 28 09:50:37 EDT 2010


Hey Phillip,
I used the paper as a guide in the original implementation.  Most of the checks that they
have are intended for Teredo receiver discards (packets that don't qualify) but I was trying
to see where someone was doing something bad, and so I can't really not track the bad
packets.

I did attempt to look for Teredo control packets, 1) bubble packets (which is a good indicator),
2) router advertisements (RA) and 3) router solicitation (RS) messages, to serve as a hint,
but I didn't get many cycles this summer to implement it completely.

The games Teredo is playing to discover if it's behind a NAT device may be useful, but
it assumes that you see all the packets at the argus, and that is not a given.

Terry sent some good packets that are not Teredo, so I'll play with it some in the next few weeks.
To turn it off use this patch:

==== //depot/argus/argus/argus/ArgusModeler.c#87 - /Users/carter/argus/argus/argus/ArgusModeler.c ====
676c676
<                      retn = ArgusProcessUdpHdr(model, ip, length);
---
> //                   retn = ArgusProcessUdpHdr(model, ip, length);
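Review bot: commenting out the whole `retn = ArgusProcessUdpHdr(model, ip, length);` call at line 676 removes the entire UDP header pass from the modeler, not just the encapsulated-IPv6 (Teredo) guess, and leaves `retn` with whatever value it held before that point; a narrower workaround would keep the call and gate only the IPv6-version-nibble test inside ArgusProcessUdpHdr. As an ed-style `676c676` hunk with no surrounding context it will also only apply cleanly to the exact ArgusModeler.c#87 revision named in the header.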


Carter

On Sep 28, 2010, at 9:04 AM, Phillip G Deneault wrote:

> On Tue, 28 Sep 2010, Terry Burton wrote:
> 
>> It would appear that the test (ipv6->ip6_vfc & IPV6_VERSION_MASK) ==
>> IPV6_VERSION results in quite a number of mis-detections from certain
>> kinds of UDP traffic - VMware heartbeating is one such example.
>> 
>> Perhaps this test can be strengthened by including checks for the
>> UDP/3544 port within the IPv4 data and for the standard 2001:0000::/32
>> address prefix within the encapsulated IPv6 data?
> 
> Can I take this opportunity to ask, how is this type of traffic handled, (i.e. Teredo) these days?  Does argus display the outer-most encapsulation or the inner-most?  Is there a way to get both levels displayed?
> 
> Also, there has been some analysis of Teredo which suggests a method for accurately identifying traffic.  Starting on page 32 here:
> http://www.symantec.com/avcenter/reference/Teredo_Security.pdf
> 
> Also in that document is a line which states the 2001:0000/32 prefix is only for more modern implementations, but I wouldn't worry about that as I don't think there are too many older implementations in use.  I personally think using 2001:0000/32 is better criteria than udp/3544 because the latter is just a default port between client and server.
> 
> Phil
> 
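The strengthened test Terry proposes above (UDP/3544 plus the 2001:0000::/32 prefix on top of the bare "first nibble is 6" check), with Phil's point that the prefix is the stronger of the two, sketched out as an added example. This is not argus code: the classifier, its TD_* flags, the frame builder and both sample datagrams are constructed here for illustration, and the "look-alike" payload is an invented byte string, not a captured VMware packet.

```c
/* Added example (not argus code): a Teredo-in-UDP heuristic that layers the
 * UDP/3544 port and 2001:0000::/32 prefix checks on top of the bare
 * "first nibble is 6" test that argus 3.0.3 uses.  All names, the frame
 * builder and the sample packets are constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TEREDO_UDP_PORT 3544u

/* Bit flags returned by classify_udp_payload() */
#define TD_VERSION 0x1  /* first nibble of the UDP payload is 6 (the 3.0.3 test) */
#define TD_PORT    0x2  /* UDP source or destination port is 3544 */
#define TD_PREFIX  0x4  /* inner IPv6 source or destination is in 2001:0000::/32 */

static int in_teredo_prefix(const uint8_t *addr)
{
    /* 2001:0000::/32 == first four bytes 20 01 00 00 */
    return addr[0] == 0x20 && addr[1] == 0x01 && addr[2] == 0x00 && addr[3] == 0x00;
}

/* pkt points at an IPv4 header, len is the bytes available.  Returns -1 for
 * anything that is not a well-formed IPv4/UDP datagram, else a TD_* bitmask. */
int classify_udp_payload(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 || pkt[9] != 17) return -1;   /* 17 = UDP */

    const uint8_t *udp = pkt + ihl;
    unsigned sport = (unsigned)(udp[0] << 8 | udp[1]);
    unsigned dport = (unsigned)(udp[2] << 8 | udp[3]);
    unsigned ulen  = (unsigned)(udp[4] << 8 | udp[5]);
    if (ulen < 8 || ihl + ulen > len) return -1;

    const uint8_t *payload = udp + 8;
    size_t plen = ulen - 8;
    int flags = 0;

    if (sport == TEREDO_UDP_PORT || dport == TEREDO_UDP_PORT) flags |= TD_PORT;
    if (plen >= 1 && (payload[0] >> 4) == 6) flags |= TD_VERSION;
    /* The prefix test needs a complete 40-byte inner IPv6 header:
     * source address at offset 8, destination at offset 24. */
    if (plen >= 40 && (in_teredo_prefix(payload + 8) || in_teredo_prefix(payload + 24)))
        flags |= TD_PREFIX;
    return flags;
}

/* Decision rule: the version nibble alone is what misfires on look-alike UDP
 * traffic, so require the 2001:0000::/32 prefix as well; the port is reported
 * as supporting evidence only, since 3544 is just the default port. */
int teredo_likely(int flags)
{
    return flags > 0 && (flags & TD_VERSION) && (flags & TD_PREFIX);
}

/* Builds a minimal IPv4/UDP frame around payload; checksums are left zero
 * because the classifier never verifies them.  Returns the total length. */
static size_t build_ipv4_udp(uint8_t *out, unsigned sport, unsigned dport,
                             const uint8_t *payload, size_t plen)
{
    size_t ulen = 8 + plen, tlen = 20 + ulen;
    memset(out, 0, tlen);
    out[0] = 0x45; out[2] = (uint8_t)(tlen >> 8); out[3] = (uint8_t)tlen;
    out[8] = 64;   out[9] = 17;                               /* TTL, proto UDP */
    out[12] = 192; out[13] = 0; out[14] = 2; out[15] = 1;     /* 192.0.2.1 */
    out[16] = 192; out[17] = 0; out[18] = 2; out[19] = 2;     /* 192.0.2.2 */
    uint8_t *udp = out + 20;
    udp[0] = (uint8_t)(sport >> 8); udp[1] = (uint8_t)sport;
    udp[2] = (uint8_t)(dport >> 8); udp[3] = (uint8_t)dport;
    udp[4] = (uint8_t)(ulen >> 8);  udp[5] = (uint8_t)ulen;
    memcpy(udp + 8, payload, plen);
    return tlen;
}

/* Constructed sample 1: a Teredo-shaped datagram from port 3544 whose inner
 * IPv6 header has a 2001:0:1234:5678::1 source and a 2001:db8::1 destination. */
int example_teredo_flags(void)
{
    uint8_t inner[40] = {
        0x60, 0, 0, 0,  0, 0, 58, 64,                      /* ver 6, plen 0, nh 58, hlim 64 */
        0x20, 0x01, 0x00, 0x00, 0x12, 0x34, 0x56, 0x78,    /* src 2001:0:1234:5678::1 */
        0, 0, 0, 0, 0, 0, 0, 1,
        0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,                /* dst 2001:db8::1 */
        0, 0, 0, 0, 0, 0, 0, 1 };
    uint8_t pkt[128];
    size_t n = build_ipv4_udp(pkt, 3544, 51000, inner, sizeof inner);
    return classify_udp_payload(pkt, n);
}

/* Constructed sample 2: an invented non-Teredo UDP payload whose first byte
 * starts with 0x6, the case that fools the version-nibble-only test. */
int example_lookalike_flags(void)
{
    uint8_t body[12] = { 0x60, 0x01, 0x00, 0x0c, 0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4 };
    uint8_t pkt[128];
    size_t n = build_ipv4_udp(pkt, 40000, 40001, body, sizeof body);
    return classify_udp_payload(pkt, n);
}

int main(void)
{
    int a = example_teredo_flags(), b = example_lookalike_flags();
    printf("teredo sample: flags=%d likely=%d\n", a, teredo_likely(a));
    printf("look-alike   : flags=%d likely=%d\n", b, teredo_likely(b));
    return 0;
}
```

The version-nibble test fires on both samples (flag 0x1), which is exactly the mis-detection Terry reports; only the Teredo-shaped datagram also carries the 2001:0000::/32 prefix (0x4) and the 3544 port (0x2), so only it passes `teredo_likely()`. The prefix check assumes the sensor sees the full 40-byte inner header, so a truncated snaplen would fall back to the weaker result, which matches Carter's caveat that argus cannot assume it sees every byte.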