unforum

[rose]

[update?] 5/08 posts on SO about huge bandwidth

[danteIL]

Summarizing

[Rogi Ocnorb]

It's odd that the text repeats in it's entireity, 170 169 times, with no truncation, before the error. That would make me think the same process that is generating the message is also halting itself. I guess that's supported by the "choraz" component of the error message. If the process is a port hunter, it could be set-up to try ports, that way. But why 170 times?

EDIT: Occultus is correct. It's 169 times. I see why it works out from a looping perspective, but still don't see how it works as part of an attack vector methodology. The total text with the initial line is 130,819 bytes or 130,637 bytes without it. One more iteration of the message would make the lengths 131,592 and 131,410, respectively. So it could be a limit of 131,072 (128k) for the variable in play.

[Occultus]

13 * 13 = 169
Maybe the 170th triggers an out of bounds error.

[danteIL]

[tipsila]

Just a thought on the number 13 -- the CL messages have been in batches of 13 - except for the initial post. So far there have been 9 groups of 13. So should we expect 4 more rounds of 13 posts?

[Occultus]

Copied here for anyone that doesn't read the SentryOutpost forums:

---

Ok - progress report:

Port: 5217

From connection you get about 2 seconds to send:

Xé:3a

The number on door 1217 from this dream:

If you type that in before it disconnects you then you are in.

The auth count on port 1313 goes up by 1.

Then over a period of about 2 minutes (no matter what I tried typing in the mean time - including nothing) the service tries to connect to your PC via telnet. On the 10th connection attempt it sends the same text before and crashes out with the same error.

Until I sent:

Yogh Sothoth

If you send that within the 2 minute window then the connection attempts stop and you get about 20 minutes connected before the session closes.

During the time I was connected (tried it a couple of times to make sure, and connected two sessions in and verified that the auth count went to 2) I tried everything I could think of to get a reaction:

Full text that 5217 spits out
some unix commands
some dos commands
1217, 1313, 1031
and various other things, including a conversation and running commentary with the listener

Nothing.

I also tried connecting to 1031 at the same time to see if it opened up to my IP while connected on 5217 - nothing.

I'll have another go later, there's probably a 3rd level of the login process to find yet.

[rose]

Looks like some kind of experiment in opening ports and connections is going on...not that i understand it at all:

Occulus wrote:
.

[danteIL]

[rose]

I don't understand it all so I was just copying and pasting the text -which isn't helpful.

The whole thread on Sentry Outpost is about the bandwidth but the last few pages are the most relevant. I would start from the end and work back.

It does say somewhere that 3 connections work.

EDIT: Fixed URL. --Phaedra

[Rogi Ocnorb]

I'm seeing no rise to 100% on 1313 till I have six windows open, but, just as DanteIL points out, the timeout is about 2 minutes and they all start closing in the order opened.

[rose]

Also, I didn't see this posted here anywhere. This post came before the Occulus posts above

Varin wrote:

[rose]

Sorry, I can't answer your questions. I may have missed something that I copied. In the meantime you might post on SO or look through that thread for an answer.

[danteIL]

[Occultus]