Re: [Full-Disclosure] Comcast using IPS to protect the Internet from their home user clients?
- To: Frank Knobbe <frank@xxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] Comcast using IPS to protect the Internet from their home user clients?
- From: TroyC <troy.coulombe@xxxxxxx>
- Date: Tue, 09 Mar 2004 08:42:13 -0800
Yep, noticed very similar things as well during scanning. At the time I
thought it might be due to the time of day or such.
I also noticed another behavior::: Different IP blocks based [seemingly] upon
OS. My netgear rtr/ap gets a 24.x.x.x, however, my debian fw gets a 64.x.x.x
adder... I spun up a different linux box and rcvd 64.x.x.x while a win2k
vmware session on that same linux box rcvd a 24.x.x.x ::: seems to be
picking something up on the dhcp requests...
ps::: I may have the adders ass-backwards the linux boxes might have gotten
64.x.x.x
TroyC
On Monday 08 March 2004 18:28, Frank Knobbe wrote:
> This post should probably have gone to SF-PenTests, but since it is more
> of a discussion item, I thought about Full Disclosure, the list for vuln
> info and everything else :)
>
>
> Anyhow, I noticed that certain vulnerability scans, for example scans
> using Nikto and similar tools, when run from a Comcast address show a
> different behavior than when they are run from a clear, uncontrolled
> Internet connection (i.e. corporate T-3). In fact, it appears like
> Comcast has an Inline-IDS (some call it an IPS ;) sitting on its wires,
> filtering out certain signatures and blocking subsequent access for a
> short period of time. For example, scan progresses, then hangs
> inexplicably, then resumes, trips a sig, and hangs again. At the same
> time, the same scan from a non-Comcast address continues without any
> hiccups. Targets have been ruled out (up and running, verified at the
> same time from different addresses), and connectivity to the rest of the
> net remains. It looks like just the src-dst address pair is used so
> that all connections from a Comcast src to that particular dst are
> blocked for a short moment (1-5 minutes).
>
> Has anyone else noticed that? Is Comcast actually attempting to keep all
> those worms'n'viruses of their clients away from the Internet?
>
> How many other ISPs are known to use IPSs inline to protect themselves
> from the 'Net, or protect the 'Net from themselves?
>
> Regards,
> Frank (routing all scans via VPN through corporate hosts ;)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
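The behavior Frank describes (a signature trip causing every connection from that src to that dst to be dropped for a few minutes, while other destinations stay reachable, and the scan resuming once the window expires) can be modeled as a small inline filter keyed on the (src, dst) pair. This is an added illustration, not code from the thread or from Comcast; the signature substrings, the addresses and the 120-second window are constructed stand-ins.

```python
from typing import Dict, List, Tuple

# Constructed stand-ins for IPS content rules; the real signatures (if any) are unknown.
SIGNATURES = (b"/cgi-bin/phf", b"/_vti_bin/")


class PairBlockingIPS:
    """Inline filter: after a packet from (src, dst) matches a signature, every
    later packet for that same pair is dropped until the block window expires."""

    def __init__(self, block_seconds: float = 120.0):
        self.block_seconds = block_seconds
        # (src, dst) -> timestamp at which the block ends
        self.blocked_until: Dict[Tuple[str, str], float] = {}

    def _matches(self, payload: bytes) -> bool:
        return any(sig in payload for sig in SIGNATURES)

    def inspect(self, now: float, src: str, dst: str, payload: bytes) -> str:
        """Return 'drop' or 'pass' for one packet seen at time `now` (seconds)."""
        pair = (src, dst)
        until = self.blocked_until.get(pair)
        if until is not None:
            if now < until:
                return "drop"              # still inside the block window: the "hang"
            del self.blocked_until[pair]   # window expired: the scan "resumes"
        if self._matches(payload):
            self.blocked_until[pair] = now + self.block_seconds
            return "drop"                  # signature trips, pair blocked again
        return "pass"


def run_scan(ips: PairBlockingIPS, packets: List[Tuple[float, str, str, bytes]]) -> List[str]:
    """Feed a timestamped packet list through the filter and return each verdict."""
    return [ips.inspect(t, s, d, p) for (t, s, d, p) in packets]


# Constructed traffic: one scanning source, one target, one unrelated destination.
SRC, DST, OTHER = "24.0.0.10", "198.51.100.7", "203.0.113.5"
SCAN = [
    (0.0,   SRC, DST,   b"GET / HTTP/1.0"),
    (1.0,   SRC, DST,   b"GET /cgi-bin/phf HTTP/1.0"),   # trips a signature
    (2.0,   SRC, DST,   b"GET /robots.txt HTTP/1.0"),    # dropped: pair is blocked
    (3.0,   SRC, OTHER, b"GET / HTTP/1.0"),              # other dst is unaffected
    (130.0, SRC, DST,   b"GET /index.html HTTP/1.0"),    # window expired, resumes
    (131.0, SRC, DST,   b"GET /_vti_bin/ HTTP/1.0"),     # trips again, hangs again
]

if __name__ == "__main__":
    for pkt, verdict in zip(SCAN, run_scan(PairBlockingIPS(), SCAN)):
        print(f"t={pkt[0]:6.1f} {pkt[1]} -> {pkt[2]}: {verdict}")
```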