Kitz ADSL Broadband Information

Author Topic: DNS but for ports and IP-proto numbers  (Read 2905 times)

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
DNS but for ports and IP-proto numbers
« on: January 16, 2023, 01:08:53 AM »

Another crazy idea which I am mulling over, very much half-baked, which may or may not be useful and which may already have been done in part or whole, and I have a few questions that people could help me with. Service discovery systems already exist and there is some substantial similarity there with the current idea. One undoubtedly worthy use-case would be as an aid for network traffic analysis and examining the state of the comms subsystem of an o/s.

With DNS, a query mostly has a domain name parameter, returns an IP address and that’s it. There are other types of queries too. I was wondering about a similar service for looking up L4 ports by name or the reverse. You could also have an IP protocol number as an additional parameter and we should have an exceptional value of *. Would be nice to also allow range parameters and sparse multi-range parameters so you could for example query "tell me what TCP ports 20-30 are called" or "on what port numbers is https delivered".

A set of static fixed tables wouldn’t be very interesting. It would basically just end up being a copy of IANA. However something that updated itself dynamically in a situation where ports etc were allocated could be more interesting. I don’t know of a realistic use case like that but perhaps there is one somewhere and I defer to those with more expertise. A reverse lookup of source ports might or might not be useful, I don’t know, and I don’t know how practical it would be to implement such a thing. Software components or processes or apps might register their own friendly names or maybe some o/s has or could have an interface to permit self-description of processes. That would be nice because often an o/s knows what port values are in use by which process and no registration is required. This information might be available a bit too late though as the truth is only revealed when the process accesses the network, and the user might want to query this much earlier.

In the case of QUIC, currently the protocol software component is implemented in a library or bound into a process rather than being in the o/s. QUIC is made acceptable to systems that are suspicious of new protocols by being disguised as a mere arbitrary UDP application. You would expect perhaps in an ideal world that QUIC would have its own IP-proto number allocated. The proposed information-publishing software component would need to somehow interface with QUIC to get information about the allocation and usage of ports etc in QUIC apps. This would not be easy to implement in political and organisational terms.

The biggest challenge would be how to add this to existing systems, I feel.

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7409
  • VM Gig1 - AAISP CF
Re: DNS but for ports and IP-proto numbers
« Reply #1 on: January 17, 2023, 04:57:38 PM »

I've got no idea, but I do know Linux already has a naming system for ports, where they are configured in a file, and so you can refer to ports via a name such as 'http'.

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: DNS but for ports and IP-proto numbers
« Reply #2 on: January 17, 2023, 05:15:21 PM »

I've got no idea, but I do know Linux already has a naming system for ports, where they are configured in a file, . . .

Are you thinking of the /etc/services file?

Code:
[bcat ~]$ head -n 40 /etc/services
# /etc/services:
# $Id: services 105871
#
# Network services, Internet style
#
# Note that it is presently the policy of IANA to assign a single well-known
# port number for both TCP and UDP; hence, most entries here have two entries
# even if the protocol doesn't support UDP operations.
# Updated from RFC 1700, ``Assigned Numbers'' (October 1994).  Not all ports
# are included, only the more common ones.
#
# The latest IANA port assignments can be gotten from
# http://www.iana.org/assignments/port-numbers
# The Well Known Ports are those from 0 through 1023.
# The Registered Ports are those from 1024 through 49151
# The Dynamic and/or Private Ports are those from 49152 through 65535
#
# Each line describes one service, and is of the form:
#
# service-name  port/protocol  [aliases ...]   [# comment]

tcpmux          1/tcp                           # TCP port service multiplexer
tcpmux          1/udp                           # TCP port service multiplexer
rje             5/tcp                           # Remote Job Entry
rje             5/udp                           # Remote Job Entry
echo            7/tcp
echo            7/udp
discard         9/tcp           sink null
discard         9/udp           sink null
systat          11/tcp          users
systat          11/udp          users
daytime         13/tcp
daytime         13/udp
qotd            17/tcp          quote
qotd            17/udp          quote
msp             18/tcp                          # message send protocol
msp             18/udp                          # message send protocol
chargen         19/tcp          ttytst source
chargen         19/udp          ttyts
ftp-data        20/tcp
[bcat ~]$
. . .
[bcat ~]$ tail -n 40 /etc/services
noclog          5354/udp                        # noclogd with UDP (nocol)
hostmon         5355/tcp                        # hostmon uses TCP (nocol)
hostmon         5355/udp                        # hostmon uses TCP (nocol)
canna           5680/tcp
x11-ssh-offset  6010/tcp                        # SSH X11 forwarding offset
ircd            6667/tcp                        # Internet Relay Chat
ircd            6667/udp                        # Internet Relay Chat
torrent         6881/tcp                        # bittorrent
xfs             7100/tcp                        # X font server
tircproxy       7666/tcp                        # Tircproxy
http-alt        8008/tcp
http-alt        8008/udp
webcache        8080/tcp                        # WWW caching service
webcache        8080/udp                        # WWW caching service
tproxy          8081/tcp                        # Transparent Proxy
tproxy          8081/udp                        # Transparent Proxy
jetdirect       9100/tcp        laserjet hplj   #
mandelspawn     9359/udp        mandelbrot      # network mandelbrot
kamanda         10081/tcp                       # amanda backup services (Kerberos)
kamanda         10081/udp                       # amanda backup services (Kerberos)
amandaidx       10082/tcp                       # amanda backup services
amidxtape       10083/tcp                       # amanda backup services
isdnlog         20011/tcp                       # isdn logging system
isdnlog         20011/udp                       # isdn logging system
vboxd           20012/tcp                       # voice box system
vboxd           20012/udp                       # voice box system
wnn4_Kr         22305/tcp                       # used by the kWnn package
wnn4_Cn         22289/tcp                       # used by the cWnn package
wnn4_Tw         22321/tcp                       # used by the tWnn package
binkp           24554/tcp                       # Binkley
binkp           24554/udp                       # Binkley
asp             27374/tcp                       # Address Search Protocol
asp             27374/udp                       # Address Search Protocol
tfido           60177/tcp                       # Ifmail
tfido           60177/udp                       # Ifmail
fido            60179/tcp                       # Ifmail
fido            60179/udp                       # Ifmail

# Local services

[bcat ~]$
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.
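The kind of lookup Weaver asks for, run over the file burakkucat shows. This is an added example, not code from either post: it parses /etc/services-style lines ("service-name  port/protocol  [aliases ...]  [# comment]") from a constructed excerpt embedded below, and answers forward lookups ("on what port numbers is https delivered"), reverse lookups, and sparse range queries ("what are TCP ports 20-30 called") with a '*' protocol wildcard. The class and function names are my own.

```python
"""Forward, reverse and range queries over /etc/services-style data.

Added example for the thread; not code from the forum posts. Entry format
follows the header comment in the /etc/services listing:
    service-name  port/protocol  [aliases ...]  [# comment]
"""
import re
from collections import defaultdict

# Constructed excerpt in /etc/services format (well-known IANA assignments,
# trimmed to a handful of lines so the example runs offline).
SAMPLE_SERVICES = """\
# /etc/services: constructed excerpt for the example
echo            7/tcp
echo            7/udp
discard         9/tcp           sink null
ftp-data        20/tcp
ftp             21/tcp
ssh             22/tcp                          # SSH Remote Login Protocol
telnet          23/tcp
smtp            25/tcp          mail
http            80/tcp          www www-http    # WorldWideWeb HTTP
http            80/udp          www www-http    # HyperText Transfer Protocol
https           443/tcp                         # http protocol over TLS/SSL
https           443/udp                         # HTTP/3
http-alt        8080/tcp        webcache        # WWW caching service
"""

_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<port>\d+)/(?P<proto>[a-z0-9-]+)(?P<rest>.*)$")


def parse_services(text):
    """Return (name, port, proto, aliases) tuples; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue                             # tolerate malformed lines rather than abort
        aliases = m.group("rest").split()
        entries.append((m.group("name"), int(m.group("port")), m.group("proto"), aliases))
    return entries


def expand_ranges(spec):
    """'20-30,80' -> set of ports; rejects anything outside 0..65535."""
    wanted = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi) if hi else int(lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {part!r}")
        wanted.update(range(lo, hi + 1))
    return wanted


class ServiceDirectory:
    """Static table built from parse_services(); the IANA-copy half of the idea."""

    def __init__(self, entries):
        self.by_name = defaultdict(set)   # name or alias -> {(port, proto)}
        self.by_port = {}                 # (port, proto) -> (name, aliases)
        for name, port, proto, aliases in entries:
            self.by_port[(port, proto)] = (name, tuple(aliases))
            for n in [name, *aliases]:
                self.by_name[n].add((port, proto))

    def ports_for(self, name, proto="*"):
        """'On what port numbers is https delivered?' -> sorted [(port, proto)]."""
        return sorted(pp for pp in self.by_name.get(name, ()) if proto in ("*", pp[1]))

    def name_for(self, port, proto):
        """Reverse lookup of one port/protocol pair; None when unassigned."""
        hit = self.by_port.get((port, proto))
        return hit[0] if hit else None

    def names_in_ranges(self, spec, proto="*"):
        """'What are TCP ports 20-30 called?' -> sorted [(port, proto, name)]."""
        wanted = expand_ranges(spec)
        return sorted((p, pr, self.by_port[(p, pr)][0])
                      for (p, pr) in self.by_port
                      if p in wanted and proto in ("*", pr))


if __name__ == "__main__":
    d = ServiceDirectory(parse_services(SAMPLE_SERVICES))
    print(d.ports_for("https"))                 # [(443, 'tcp'), (443, 'udp')]
    print(d.names_in_ranges("20-30", "tcp"))
```

Aliases are indexed alongside canonical names, so a query for "www" resolves to the same ports as "http", which is the behaviour getservbyname(3) gives on a real system.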


Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7409
  • VM Gig1 - AAISP CF
Re: DNS but for ports and IP-proto numbers
« Reply #3 on: January 17, 2023, 11:54:32 PM »

Yep, that's the one.

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: DNS but for ports and IP-proto numbers
« Reply #4 on: January 18, 2023, 03:33:45 AM »

The crazy idea here would be to give out information beyond standard fixed port name / numbering, and other numbers not just ports, where services are using one or more non-standard ports. For example our own mr johnson has written code for my ZyXEL modems that implements a second http server, listening on port 8000. So my crazy info publishing service would tell you that http is available not only in the standard ports but also on port 8000. The thought occurs to me that the service name info wouldn’t be useful unless it was multipart with qualifiers, a bit like mime, so perhaps "http":80, "http/johnson-modem-stats-info":8000 - although that’s not a good attempt at syntax, it would be better done in XML or JSON so that it can be structured appropriately. Here’s an attempt:

   <service name="http" protocol="tcp" ip="ipv4">
       <service name="www/ui/modem/zyxel" ports="80" />
       <service name="m2m/modem-stats-info/johnson" ports="8000" />
   </service>
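A way to make the XML sketch above queryable, added here as an example and not code from the post: it flattens the nested <service> elements into records in which inner elements inherit name, protocol and ip from the outer one, then answers "on what ports is http delivered" and the reverse. Two things are my own assumptions, not part of the sketch: a wrapping <services> root so several top-level services can be listed, and a "ports" attribute that may hold a sparse list such as "22,2222-2223". The second top-level service in the input is constructed.

```python
"""Flatten the nested XML service sketch into (name, qualifier, proto, port) records.

Added example, not code from the forum post. The first <service> element is
the sketch from the post; the ssh element and the <services> root are constructed.
"""
import xml.etree.ElementTree as ET

SERVICE_XML = """\
<services>
   <service name="http" protocol="tcp" ip="ipv4">
       <service name="www/ui/modem/zyxel" ports="80" />
       <service name="m2m/modem-stats-info/johnson" ports="8000" />
   </service>
   <service name="ssh" protocol="tcp" ip="ipv4">
       <service name="admin/shell" ports="22,2222-2223" />
   </service>
</services>
"""


def expand_ports(spec):
    """'22,2222-2223' -> [22, 2222, 2223]; rejects values outside 0..65535."""
    ports = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi) if hi else int(lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {part!r}")
        ports.extend(range(lo, hi + 1))
    return ports


def flatten(xml_text):
    """Walk the tree; each <service> inherits the attributes of its enclosing <service>."""
    root = ET.fromstring(xml_text)
    records = []

    def walk(elem, inherited):
        ctx = dict(inherited)
        if "protocol" in elem.attrib:
            # Outer element: carries the base service name and the transport.
            ctx.update(name=elem.get("name"), proto=elem.get("protocol"), ip=elem.get("ip", "*"))
        else:
            # Inner element: its name is a qualifier, like the mime-style subtype in the post.
            ctx["qualifier"] = elem.get("name", "")
        if "ports" in elem.attrib:
            for port in expand_ports(elem.get("ports")):
                records.append({**ctx, "port": port})
        for child in elem.findall("service"):
            walk(child, ctx)

    for top in root.findall("service"):
        walk(top, {"qualifier": ""})
    return records


def ports_for(records, name, proto="*"):
    """'On what ports is http delivered?' -> sorted list of port numbers."""
    return sorted({r["port"] for r in records if r["name"] == name and proto in ("*", r["proto"])})


def describe(records, port, proto):
    """Reverse lookup: qualified names ('http/m2m/...') registered on port/proto."""
    return sorted(f'{r["name"]}/{r["qualifier"]}'
                  for r in records if r["port"] == port and r["proto"] == proto)


if __name__ == "__main__":
    recs = flatten(SERVICE_XML)
    print(ports_for(recs, "http"))        # [80, 8000]
    print(describe(recs, 8000, "tcp"))    # ['http/m2m/modem-stats-info/johnson']
```

Keeping the qualifier separate from the base name is what lets a single query for "http" return both the standard port and the second server on 8000, while the reverse lookup still tells a human which of the two is on a given port.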

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5285
    • Thinkbroadband Quality Monitors
Re: DNS but for ports and IP-proto numbers
« Reply #5 on: January 18, 2023, 04:43:02 PM »

Surely changing the default index to a landing page to choose which one you want would be a lot easier?
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

XGS_Is_On

  • Reg Member
  • ***
  • Posts: 479
Re: DNS but for ports and IP-proto numbers
« Reply #6 on: January 19, 2023, 06:26:27 PM »

Think something like the Johnson server is already done. If you go to a server by name it can read the name you requested an IP via and send you there via a redirect.

For example https://stackoverflow.com/questions/34744713/nginx-redirect-http-to-https-with-custom-port-server

You specify the server and where you want traffic to go, it matches on port 80 and then redirects you via an HTTP 301 to what you actually asked for.

Other than that the prefixes we place in front of requests match well-known ports. When we aren't using well-known ports it's usually for a good reason and we don't actually want to advertise the fact.

I have the odd open SSH service that almost anyone can reach but it absolutely doesn't live on port 22. It also doesn't respond to anything .ru or .cn :)
YouFibre You8000 customer: symmetrical 8 Gbps.

Yes, more money than sense. Story of my life.

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5285
    • Thinkbroadband Quality Monitors
Re: DNS but for ports and IP-proto numbers
« Reply #7 on: January 19, 2023, 06:39:41 PM »

It also doesn't respond to anything .ru or .cn :)

That's my main use of pfBlockerNG, to blacklist incoming connections from iffy countries.  The amount of hacking attempts that suddenly vanished from the server logs was really eye opening.  I never got round to switching SSH from the standard port though.
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7409
  • VM Gig1 - AAISP CF
Re: DNS but for ports and IP-proto numbers
« Reply #8 on: January 19, 2023, 07:22:36 PM »

Most of my bot incoming are from America in logs.

Changing the SSH port worked great for years, but starting from about a year ago they have finally learnt to start port scanning, so it's not that effective anymore; I do now have strict IP requirements as a consequence.  Typically just whitelisting the countries admins need to access from is enough, but of course full IP lockdown is preferred if using static IPs.
« Last Edit: January 19, 2023, 07:25:34 PM by Chrysalis »

XGS_Is_On

  • Reg Member
  • ***
  • Posts: 479
Re: DNS but for ports and IP-proto numbers
« Reply #9 on: January 19, 2023, 11:32:30 PM »

Firewall rule puts a stop to scanning. No remote machine has any place opening any more than a couple of connections to different ports simultaneously. More than 5 connections to different ports = remote machine blacklisted and everything silently dropped.
YouFibre You8000 customer: symmetrical 8 Gbps.

Yes, more money than sense. Story of my life.
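The rule XGS_Is_On describes (a remote address that touches more than a couple of distinct ports gets blacklisted), written out as detection logic over log lines. This is an added example, not code from the post or from any firewall product: the log format is constructed, the 60-second window is my assumption since the post gives none, and the threshold of 5 distinct ports is the figure from the post. It also reflects Chrysalis's point that moving SSH off port 22 stops helping once scanners walk the port range, which is why the count is of distinct ports rather than of connections.

```python
"""Flag sources that open connections to more than N distinct ports in a short window.

Added example for the thread; not code from the posts. Log format below is
constructed for the example: "<iso-timestamp> <src> -> <dst>:<port>/<proto> <event>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log. 203.0.113.7 walks six ports in three seconds;
# 192.0.2.44 is a normal web client; 198.51.100.99 touches two ports 25 minutes apart.
SAMPLE_LOG = """\
2023-01-19T23:00:01 203.0.113.7 -> 198.51.100.10:22/tcp SYN
2023-01-19T23:00:01 203.0.113.7 -> 198.51.100.10:23/tcp SYN
2023-01-19T23:00:02 203.0.113.7 -> 198.51.100.10:80/tcp SYN
2023-01-19T23:00:02 203.0.113.7 -> 198.51.100.10:443/tcp SYN
2023-01-19T23:00:03 203.0.113.7 -> 198.51.100.10:2222/tcp SYN
2023-01-19T23:00:03 203.0.113.7 -> 198.51.100.10:8080/tcp SYN
2023-01-19T23:00:05 192.0.2.44 -> 198.51.100.10:443/tcp SYN
2023-01-19T23:00:06 192.0.2.44 -> 198.51.100.10:443/tcp SYN
2023-01-19T23:00:06 192.0.2.44 -> 198.51.100.10:443/tcp SYN
2023-01-19T23:00:07 192.0.2.44 -> 198.51.100.10:80/tcp SYN
2023-01-19T23:05:00 198.51.100.99 -> 198.51.100.10:22/tcp SYN
2023-01-19T23:30:00 198.51.100.99 -> 198.51.100.10:80/tcp SYN
"""

THRESHOLD = 5                     # "more than 5 connections to different ports" (from the post)
WINDOW = timedelta(seconds=60)    # assumption: the post states no time window


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port, proto) for one constructed log line."""
    ts, src, _, dst, _ = line.split()
    dst_ip, port_proto = dst.rsplit(":", 1)
    port, proto = port_proto.split("/")
    return datetime.fromisoformat(ts), src, dst_ip, int(port), proto


def find_scanners(log_text, threshold=THRESHOLD, window=WINDOW):
    """Map src_ip -> sorted distinct ports for every source exceeding the threshold
    within a single sliding window. Repeated hits on the same port do not count."""
    seen = defaultdict(list)      # src -> [(timestamp, port)]
    for raw in log_text.splitlines():
        if raw.strip():
            ts, src, _, port, _ = parse_line(raw)
            seen[src].append((ts, port))

    flagged = {}
    for src, hits in seen.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {p for _, p in hits[start:end + 1]}
            if len(distinct) > threshold:
                flagged[src] = sorted(distinct)
                break
    return flagged


def should_drop(flagged, src_ip):
    """Policy hook: once a source is flagged, everything from it is silently dropped."""
    return src_ip in flagged


if __name__ == "__main__":
    result = find_scanners(SAMPLE_LOG)
    print(result)   # {'203.0.113.7': [22, 23, 80, 443, 2222, 8080]}
```

Counting distinct destination ports, not connections, is what keeps the busy but legitimate web client below the threshold, and the window keeps two unrelated connections half an hour apart from accumulating into a false positive.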

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: DNS but for ports and IP-proto numbers
« Reply #10 on: January 20, 2023, 08:08:03 AM »

Alex, I should have said that the Johnson server is both human readable and has a machine readable, m2m, API as well. I forgot to say that my crazy idea has to be m2m (only). It’s an API, and it’s on top of a database, and in general the database is dynamic and could cover a growing range of hosts and groups of services.

So a landing page while useful is not in scope for my crazy idea. And I only thought about the johnson server because it was the first example that came to mind of a server offering services on several ports.

craigski

  • Reg Member
  • ***
  • Posts: 294
Re: DNS but for ports and IP-proto numbers
« Reply #11 on: January 20, 2023, 09:04:51 AM »

Weaver, what you are describing sounds to me like mDNS/UPnP/SSDP on a local home network, where devices announce what services they are running to the 'trusted' devices on the local network.

Is the question about extending this functionality across networks, if so would it be a good thing from a security point of view, to advertise your 'services' to a wider audience?

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: DNS but for ports and IP-proto numbers
« Reply #12 on: January 25, 2023, 01:49:46 AM »

@craigski - You’re right. For some sysadmins there ought to be request filtering and ACLs. And a system of please can I ask to be allowed to query? / or to join a user-group. It would be best if a spec for such were kept modular and split into at least those three parts: main database and protocol spec, plus ACLs definition, plus query interface and usergroups definition.

Some of the information would not be system-specific. Such as general IANA info publishing which is automatically updated and has caching and version numbering. In fact one could abuse the DNS to do all the work by creating structured DNS pseudo-entries. The nonsense required to handle such encoding and decoding would make access protocols very inefficient, but perhaps you could let DNS do just the distribution, caching and updating and have a separate, more compact query interface that works by having a convertor service in the middle to hide the DNS format and querying.

SSDP is definitely relevant to this. And so are various specs for getting info at L2.

I definitely think that IP protocol numbers should be covered because I’m not aware of anything that handles this currently, but what do I know.

XGS_Is_On

  • Reg Member
  • ***
  • Posts: 479
Re: DNS but for ports and IP-proto numbers
« Reply #13 on: January 25, 2023, 08:04:40 AM »

Think there's no lookup for IP protocol for the same reason as there isn't with ports. DNS can already provide MX records, no reason why this couldn't be extended, however it's legit to open unsolicited email connections to a domain, it's not so legit to open unsolicited IPSEC connections: if you've business connecting like this you should know the VPN endpoints. I can't actually think of anything off the top of my head that involves a random entity needing to look up available services that don't use 17 or 6.

For services like web it's easier for a client to spray a connection via QUIC and TCP:443 simultaneously: no performance overhead there.
YouFibre You8000 customer: symmetrical 8 Gbps.

Yes, more money than sense. Story of my life.

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: DNS but for ports and IP-proto numbers
« Reply #14 on: January 26, 2023, 04:18:33 PM »

Good point about MX records, an example of extending the system already. Referring back to that XML snippet earlier, the list of alternatives can get quite complex and can be made structured as I have it there or flat and very repetitive. Don’t want to get into worries about length limitations. As far as IP proto numbers go, I really just picked that up as an example of how it should be made very extensible and picked the first number space that came into my head. Multicast-related numbers enumeration might be a more useful example.