I'm looking for help (again) if you can spare a minute.
This morning, my home ISP sent me a 'security note'. Apparently another subscriber had complained about port scans that were, apparently, originating from my cable modem. My cable modem is attached to a wireless router, which has up to three machines running Mac OS 10.3.x and one machine running Win 98 on it.
A snippet of the complaining customer's firewall log had this information:
Ping of Death Detect src:24.57.191.44:47964 dst:224.0.0.251:50427 Packet Dropped Jul/14/2004 19:53:21
Ping of Death Detect src:24.57.191.44:47964 dst:224.0.0.251:50427 Packet Dropped
Ping of Death Detect src:24.57.191.44:47964 dst:224.0.0.251:50427 Packet Dropped Jul/14/2004 19:31:12
Now about that time of the day, I was listening to someone else's playlist via iTunes. So here's the working theory I had on this to my ISP:
The latest version of Apple's iTunes product has the ability for a user to share audio files. A user opens the preferences pane within the iTunes application and then selects the “Sharing” tab.
At that point, a user can choose to share all or selected playlists of his or her iTunes music library. A user may also select a radio button to automatically have iTunes seek out and identify other users on a given network who are sharing their music libraries.
One of my Macintosh machines is configured to seek out and automatically identify other users on a network who are sharing their music libraries and, in fact, iTunes on my machine routinely discovers other users (on my ISP's network) who are sharing their iTunes library.
From time to time, I will select a playlist from one of these users and play their music. This music is streamed from the remote machine to my machine.
Perhaps this automatic discovery of other iTunes playlists and my own machine's broadcast that a playlist is available to share with others is what is triggering your port-scanning investigation.
So my questions, dear blog readers, are this:
1. How do I determine if, in fact, any of my machines are port-scanning?
2. How would I figure out if I am, indeed, broadcasting the Ping of Death?
3. What do you think of my iTunes theory? Does iTunes cause big honkin' oversize packets to be transmitted?
Any and all theories welcomed, by private e-mail or in the comments here.
David, I would think it is unlikely to be iTunes. I believe iTunes works on port 3386 (and maybe another port) for sharing and the like. I just did a quick google search but you might want to check iTunes help to see what ports it uses for sure. I'm away from my OSX box at the moment but can verify tonight.
The trace shown above is going out from your box on port 47964 which doesn't sound like an iTunes thing.
The network security folks at my ISP received another complaint that was similar to the complaint associated with my IP numbers. This time, though, the ISP's security people had a few more clues to work with and may have come upon the problem. They were kind enough to send me this note to keep me updated:
Well, I'm going to have to say again that this is unlikely to be Rendezvous in this case. I'm not an expert in Rendezvous by any means but from how I understand it working it wouldn't necessarily make connections on certain ports (as your “ping of death” description describes). It's simply a discovery protocol and sends out broadcasts rather than specifically connecting to a port on another machine. Also Rendezvous is meant to work on a local network I believe and not likely going to get past your router.
I see by your IP address that your ISP is RogersCogeco. Probably not much different than Rogers. The networking folks there are unlikely to have any clue what this is and unlikely to be able to diagnose it either. That is just my opinion with my experience trying to resolve a problem with Rogers for the last two and a half years. BTW, if you want to do a story on Rogers (and Futureway) and the monopoly they managed to get themselves into in my area just let me know (for more info see this). What you could do on your MACs is run a network trace on each of them continuously. The next time they report that this is happening you'll know if it is one of your MACs or not. If I had to guess it is probably a trojan/virus on your Windows PC.
To run a network trace on your MACs do the following:
1. Open a terminal window.
2. Type “sudo su” and enter the administrator password.
3. Type “tcpdump -v src port 47964”
If there is any traffic whatsoever generated from that MAC on that specific port you will see the details displayed. I've been running this on my MAC here and see nothing happening. I suspect if Rendezvous was sending out anything on that port I'd see it by now.
I can get into more details here on whether you can potentially see traffic from all 3 MACs from the single MAC etc. but it all depends on your network etc. Best to contact me if you want to chat about it.
Rendezvous and mDNS probably are the culprit – they send out packets to the multicast address 224.0.0.251. The outgoing port is probably irrelevant as I imagine it will just use the next available sequential port to send data out on. A router may be set to block multicast traffic, but it may just be set to forward it on – it's unlikely it will get far on the net as there aren't working standards (that I'm aware of) for multicasting over the internet yet – but it may get as far as another ADSL/Cable user on the same network segment.
There are methods to disable mDNS and Rendezvous on 10.3, but I have not found one that conclusively works yet. Apparently any GUI methods to disable it are red herrings.
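As an added example that is not part of the post or of any commenter's text, here is a small Python script that does on the firewall log what the two comments above suggest doing by eye: it parses lines in the format quoted in the complaint, classifies each destination as the mDNS group 224.0.0.251, some other multicast address, or a real unicast host, and counts how many distinct host:port pairs each source address touched. A port scan shows one source hitting many different targets; the quoted lines show one source hitting a single multicast group and port over and over, which is what you would expect from a discovery protocol rather than a scanner. The sample input is the three lines quoted in the post, and the scan threshold of 10 targets is an assumed illustrative value, not something from the page.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: the three firewall lines quoted in the post.
# The second line carries no timestamp, exactly as it appeared in the complaint.
SAMPLE_LOG = """\
Ping of Death Detect src:24.57.191.44:47964 dst:224.0.0.251:50427 Packet Dropped Jul/14/2004 19:53:21
Ping of Death Detect src:24.57.191.44:47964 dst:224.0.0.251:50427 Packet Dropped
Ping of Death Detect src:24.57.191.44:47964 dst:224.0.0.251:50427 Packet Dropped Jul/14/2004 19:31:12
"""

# Field layout of the router's log line; the trailing timestamp is optional.
LINE_RE = re.compile(
    r"^(?P<event>.+?) src:(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst:(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>Packet \w+)"
    r"(?: (?P<ts>\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}))?\s*$"
)

MDNS_GROUP = ipaddress.ip_address("224.0.0.251")  # link-local mDNS/Rendezvous group


@dataclass(frozen=True)
class Entry:
    event: str
    src: str
    sport: int
    dst: str
    dport: int
    action: str
    timestamp: Optional[str]

    def destination_kind(self) -> str:
        """Classify the destination: the mDNS group, other multicast, or a real host."""
        addr = ipaddress.ip_address(self.dst)
        if addr == MDNS_GROUP:
            return "mdns-multicast"
        if addr.is_multicast:
            return "other-multicast"
        return "unicast"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        event=m["event"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), action=m["action"],
        timestamp=m["ts"],  # None when the line has no timestamp
    )


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def targets_per_source(entries: List[Entry]) -> Dict[str, Set[Tuple[str, int]]]:
    """Distinct (dst host, dst port) pairs each source address touched."""
    targets: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for e in entries:
        targets[e.src].add((e.dst, e.dport))
    return dict(targets)


def looks_like_scan(entries: List[Entry], min_targets: int = 10) -> Dict[str, bool]:
    """A scan fans out to many host:port pairs; repeated hits on one multicast
    group and port do not. min_targets is an assumed illustrative threshold."""
    return {src: len(t) >= min_targets for src, t in targets_per_source(entries).items()}


def summarize(entries: List[Entry]) -> Dict[str, int]:
    """Count entries by destination kind, e.g. {'mdns-multicast': 3}."""
    counts: Dict[str, int] = defaultdict(int)
    for e in entries:
        counts[e.destination_kind()] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(summarize(parsed))        # {'mdns-multicast': 3}
    print(looks_like_scan(parsed))  # {'24.57.191.44': False}
```

Feed it the full log the ISP forwarded rather than the three-line snippet: if every source in the complaint only ever touches 224.0.0.251, the "scan" is link-local multicast that the cable segment happened to forward, and the thing to fix is multicast leaking past the router, not a scanner on one of the machines.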