
Sneaking Past the Firewall Paper Addendum

17 Aug 2016

A short paper by myself, JP Möller and Richard Nelson titled "Sneaking Past the Firewall: Quantifying the Unexpected Traffic on Major TCP and UDP Ports" has been accepted for publication at this year's upcoming IMC. We'll post the final version of the paper once I've finished making the final revisions, but feel free to get in touch if you want a sneak peek.

As part of this research, we spent a lot of time investigating traffic on TCP and UDP ports 53, 80, 443, 8080 and 8000 that did not match the 'expected' application protocol for that port. At the outset of this work, the vast majority of that traffic could not be identified by libprotoident, so we ended up adding or improving quite a few libprotoident rules. Our reviewers were particularly interested in the new rules that we created, but space limitations in the paper itself mean that we are unable to include much detail about the new rule developments in the text.
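The per-port quantification described above, as an added example that is not the paper's or libprotoident's own code: it tallies constructed flow records (server port, classifier label, bytes) against the expected protocol for each studied port and reports the share of bytes carried by unexpected protocols. The expected-protocol table, the flow tuples and the protocol labels are all assumptions made for illustration.

```python
from collections import defaultdict

# Expected application protocol for each port studied in the paper (assumed).
EXPECTED = {53: "DNS", 80: "HTTP", 443: "HTTPS", 8080: "HTTP", 8000: "HTTP"}

# Constructed flow records: (server port, protocol label as a classifier such
# as libprotoident would report it, bytes transferred). Not real measurements.
SAMPLE_FLOWS = [
    (53, "DNS", 120), (53, "DNS", 90), (53, "QUIC", 4000), (53, "Unknown_UDP", 300),
    (80, "HTTP", 50000), (80, "Xunlei", 20000), (80, "QQ", 1500),
    (443, "HTTPS", 80000), (443, "WeChat", 6000), (443, "Telegram", 2000),
    (8080, "HTTP", 9000), (8080, "Kankan", 3000),
    (8000, "HTTP", 1000), (8000, "Kugou", 7000),
]

def unexpected_by_port(flows, expected=EXPECTED):
    """Return {port: (fraction_of_bytes_unexpected, {protocol: bytes})}.
    Only ports listed in `expected` are considered; labels compare
    case-insensitively so 'dns' and 'DNS' count as the expected protocol."""
    total = defaultdict(int)
    unexpected = defaultdict(lambda: defaultdict(int))
    for port, proto, nbytes in flows:
        if port not in expected:
            continue
        total[port] += nbytes
        if proto.lower() != expected[port].lower():
            unexpected[port][proto] += nbytes
    result = {}
    for port in expected:
        if total[port] == 0:          # no traffic seen on this port
            result[port] = (0.0, {})
            continue
        bad = sum(unexpected[port].values())
        result[port] = (bad / total[port], dict(unexpected[port]))
    return result

def report(flows, expected=EXPECTED):
    """Print, per port, the unexpected share and the top three offenders."""
    for port, (frac, protos) in sorted(unexpected_by_port(flows, expected).items()):
        top = sorted(protos.items(), key=lambda kv: kv[1], reverse=True)[:3]
        names = ", ".join(f"{p} ({b} B)" for p, b in top) or "none"
        print(f"port {port:5d}: {frac:6.1%} unexpected; top: {names}")

if __name__ == "__main__":
    report(SAMPLE_FLOWS)
```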

Therefore, this page is intended to serve as an addendum to the published paper by explicitly stating which protocols were identified as a result of the research and providing links to the source code in libprotoident where the new rules are defined.

Entirely New Applications (21)

  • 360.cn: the purpose of this protocol is not entirely clear but the remote hosts involved are typically owned by 360.cn (a Chinese antivirus company).

  • 360 Safeguard: update protocol used by 360 Safeguard, a Chinese antivirus.

  • Airdroid: Application for remotely controlling Android devices from a desktop computer.

  • Bad Baidu: Strange behaviour observed on hosts with the Baidu web browser installed. Appears to be some sort of phone-home protocol, but manages to blatantly violate TCP specs in the process.

  • Dianping: Chinese online-shopping and establishment rating smartphone app. Also has a UDP protocol.

  • Kakao: Korean messaging and chat for smartphones.

  • Kankan: Chinese video streaming service. Also has a UDP protocol.

  • Kuaibo: Chinese video streaming service.

  • Kugou: Chinese music streaming service.

  • Norton Backup: Backup and recovery service run by Norton, better known for their antivirus products.

  • QQ Download: File downloading software created by Tencent, who are also behind the popular Chinese messaging tool, QQ.

  • QQ PC Manager: Anti-malware software created by Tencent.

  • Telegram: Cloud-based messaging service with an emphasis on security.

  • Tensafe: Anti-cheating software that is integrated with major online games published by Tencent in China (such as Blade and Soul).

  • Weibo: Chinese microblogging service.

  • Wolfenstein: Enemy Territory: Free online multiplayer game, released in 2003 but still played.

  • Xiami: Chinese music streaming service, owned by Alibaba.

  • Xunlei JSQ: Game acceleration service from the company behind Xunlei (a.k.a. Thunder).

  • Xunlei VIP: Fast download service for VIP users of Xunlei (Thunder), which pulls cached content from Xunlei servers rather than the standard P2P from other Xunlei users.

  • Xunyou: Chinese game acceleration service.

Existing Protocols Improved (10)

  • DNS: Protocol for mapping hostnames to IP addresses. If you're reading this, you should know what DNS is for.

  • Fortinet: Protocol for updating Fortinet network appliances.

  • Kaspersky: Russian security software.

  • NTP: Time synchronisation protocol.

  • QQ: Very popular Chinese instant messaging application.

  • QUIC: Protocol originally developed by Google for transferring streamed content (especially YouTube video) over UDP.

  • Taobao: Chinese online marketplace, similar to Amazon.

  • WeChat: Another popular Chinese messaging application.

  • Xunlei: Also known as Thunder. A Chinese file sharing system which also leverages other P2P technologies, e.g. BitTorrent, eDonkey etc.

  • Youku: Chinese video hosting / streaming service, somewhat analogous to YouTube.