Tuesday, February 21, 2006

Don't mess with my net connection!

Alert: Technical rant coming up.

They say Hell hath no fury like a woman scorned, but I don't think they compared it with a CS postgrad who had his internet connection summarily disabled by the network administrator. That too, for no good reason.

Fedora Core 5 Test release 3 has just been released, and I was looking around the Fedora mirrors to download it. The problem with FC is that not all mirrors keep test releases, and even when they do, they keep CD images. While installing every new test release of Fedora is my idea of fun, the idea of burning 5 CDs every time is not. So I was browsing through a number of ftp site directories to see if any had the DVD image and suddenly, without any warning, out of the blue, I get the SMOD - the security mail of death from the network people. In short, it says, "Your computer has been administratively disabled due to excessive TCP port scanning". I couldn't believe it. I'm running FC4 and running absolutely nothing beyond the usual programs. I've received idiotic security warnings before, and it'll take me more than the sysadmins to make me believe I've got a worm on my machine.

So I go down to the helpdesk. There I am made to wait while the network guy pulls up my records and shows me Exhibit A - my computer, apparently, had been trying to establish connections on multiple ports on some servers within a short span of time (for each server, I could see around 5-6 TCP ports on which connections were established rather quickly), registering it as a TCP portscan offense. I asked the admin guy to look up the IP addresses - they turned out to be all Fedora mirrors. I assured him I had been doing nothing other than looking around for the DVD image. He was still suspicious but enabled my computer again. Phew.

Now I don't know the first thing about networking, so I found some descriptions of the FTP protocol (courtesy of AC's network security expertise) and found out that port 21 is only the command port of FTP, and a data port is assigned randomly for each transaction. And since it is assigned randomly, it seemed quite possible that browsing directories would result in sending packets to different ports.

So I decided to test the theory and ran tcpdump while browsing an FTP server directory. The result? Exhibit B - the partial output of tcpdump:
14:56:46.362982 IP localhost.51939 > linux.nssl.noaa.gov.ftp:
14:56:57.985858 IP localhost.51940 > linux.nssl.noaa.gov.50081:
14:56:58.796223 IP localhost.51941 > linux.nssl.noaa.gov.60070:
14:57:03.518263 IP localhost.51943 > linux.nssl.noaa.gov.56276:
14:57:04.569114 IP localhost.51944 > linux.nssl.noaa.gov.54505:
14:57:11.413372 IP localhost.51945 > linux.nssl.noaa.gov.50827:
14:57:12.437386 IP localhost.51946 > linux.nssl.noaa.gov.50061:
14:57:15.358883 IP localhost.51947 > linux.nssl.noaa.gov.51742:
14:57:16.373010 IP localhost.51948 > linux.nssl.noaa.gov.57000:

9 different TCP ports connected to in 30 seconds, only one of them (the first one) being port 21. I tried this on a different machine than the one which was disabled, so I can be quite sure that neither system is infected with anything. So it seems one can't browse FTP directories without the risk of being labeled a hacker. God help us all. The sysadmins are going to hear from me.
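What the admins' detector tripped on is the passive-mode FTP pattern: after the control connection to port 21, the server answers each directory listing with a 227 reply naming a fresh high port, and the client connects to it. A plain "N distinct ports on one host within T seconds" rule cannot tell that apart from a scan. The following is an added example, not code from the post or from any real IDS: it parses tcpdump-style lines (the nine from Exhibit B above, plus a constructed run of low-port connections to a placeholder host scan-target.example that mimics a real scan), runs the naive rule, and then a variant that discounts high-port connections made shortly after a port-21 connection to the same host. It also shows how the data port is derived from a 227 reply; the reply text and its address octets are constructed.

```python
"""Port-scan heuristics over tcpdump-style connection lines.

Added example (not from the original post): a naive distinct-port rule
flags passive-mode FTP browsing, while correlating with the port-21
control connection lets only the genuine scan pattern through.
"""
import re
from collections import defaultdict

# Service names tcpdump prints in place of numbers (subset, enough for the sample).
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "http": 80, "https": 443}

# Constructed capture: the first nine lines are the post's Exhibit B
# (passive-mode FTP directory browsing); the rest are invented and mimic a
# sequential probe of well-known ports with no FTP session behind it.
SAMPLE_CAPTURE = """\
14:56:46.362982 IP localhost.51939 > linux.nssl.noaa.gov.ftp:
14:56:57.985858 IP localhost.51940 > linux.nssl.noaa.gov.50081:
14:56:58.796223 IP localhost.51941 > linux.nssl.noaa.gov.60070:
14:57:03.518263 IP localhost.51943 > linux.nssl.noaa.gov.56276:
14:57:04.569114 IP localhost.51944 > linux.nssl.noaa.gov.54505:
14:57:11.413372 IP localhost.51945 > linux.nssl.noaa.gov.50827:
14:57:12.437386 IP localhost.51946 > linux.nssl.noaa.gov.50061:
14:57:15.358883 IP localhost.51947 > linux.nssl.noaa.gov.51742:
14:57:16.373010 IP localhost.51948 > linux.nssl.noaa.gov.57000:
15:01:00.000000 IP localhost.52000 > scan-target.example.21:
15:01:00.100000 IP localhost.52001 > scan-target.example.22:
15:01:00.200000 IP localhost.52002 > scan-target.example.23:
15:01:00.300000 IP localhost.52003 > scan-target.example.25:
15:01:00.400000 IP localhost.52004 > scan-target.example.80:
15:01:00.500000 IP localhost.52005 > scan-target.example.443:
"""

LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}\.\d+) IP (\S+) > (\S+):$")
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_line(line):
    """Parse one 'HH:MM:SS.ffffff IP src.port > host.port:' line, or return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, src, dst = m.groups()
    dst_host, dst_port = dst.rsplit(".", 1)
    port = int(dst_port) if dst_port.isdigit() else SERVICE_PORTS.get(dst_port)
    if port is None:
        return None
    return {"t": int(h) * 3600 + int(mi) * 60 + float(s), "src": src,
            "dst": dst_host, "port": port}


def parse_capture(text):
    """Parse every recognisable line, returned in time order."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return sorted(events, key=lambda e: e["t"])


def pasv_port(reply):
    """Data port announced by a 227 'Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    p1, p2 = int(m.group(5)), int(m.group(6))
    if not (0 <= p1 <= 255 and 0 <= p2 <= 255):
        raise ValueError("port octets out of range")
    return p1 * 256 + p2


def scan_alerts(events, threshold=5, window=60.0, ftp_aware=False, ftp_grace=300.0):
    """Hosts that received `threshold` distinct destination ports within `window` s.

    With ftp_aware=True, a connection to an ephemeral port (>= 1024) made within
    `ftp_grace` seconds after a port-21 connection to the same host is treated as
    an FTP data channel and not counted. Low ports always count.
    """
    by_host = defaultdict(list)
    last_ftp_control = {}
    for ev in events:
        host = ev["dst"]
        if ev["port"] == 21:
            last_ftp_control[host] = ev["t"]
        if ftp_aware and ev["port"] >= 1024:
            ctl = last_ftp_control.get(host)
            if ctl is not None and 0 <= ev["t"] - ctl <= ftp_grace:
                continue  # likely PASV data channel, skip
        by_host[host].append(ev)
    flagged = set()
    for host, evs in by_host.items():
        for i, start in enumerate(evs):  # sliding window from each event
            ports = {e["port"] for e in evs[i:] if e["t"] - start["t"] <= window}
            if len(ports) >= threshold:
                flagged.add(host)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_capture(SAMPLE_CAPTURE)
    print("naive rule flags:    ", sorted(scan_alerts(evs)))
    print("FTP-aware rule flags:", sorted(scan_alerts(evs, ftp_aware=True)))
    print("227 reply -> port", pasv_port("227 Entering Passive Mode (10,0,0,1,195,161)"))
```

The naive rule flags both the mirror and the placeholder scan target; the FTP-aware rule flags only the scan target, because its probes hit well-known ports that no passive-mode session would explain. The heuristic is deliberately cheap and has an obvious blind spot (anything that touches port 21 first and then only high ports is waved through), so it belongs in front of, not in place of, a stateful FTP inspector that reads the actual 227 replies on the control channel and exempts exactly the advertised port.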