Old 19th August 2002, 08:27   #1
mlstolk
Junior Member
 
Join Date: Aug 2002
Posts: 6
[Bug??] DOS attack by shoutcast? Stream continues without player or request

Hi,

I have a rather strange problem. Since yesterday I have noticed a strange, continuous up- and downstream: an upload of exactly 2.0kB/s and a download of exactly 2.7kB/s on my ADSL connection.
I didn't panic at the time and thought it would be over when I reset my server... -> No, it stayed.
I've disconnected all my clients... which sometimes have Winamp with Shoutcast open, and shut down my server and ADSL modem overnight.
I booted this morning and when I came online (without any clients, and my server definitely doesn't have Winamp etc. installed), the stream automatically came up again!!

I know that the stream comes from shoutcast.com, because I've captured the TCP traffic. I also know that it is NOT requested by MY SIDE, because when I come online, the first packet that arrives is from YOUR IP 205.188.242.162 (I think it's yours; it is that of Digitally Imported).

Here is a copy and paste from the traffic I've captured:
code:

IP 10.0.0.138 > ntserver: gre [KSv1] ID:0000 S:9 ppp: IP 44: IP 205.188.242.162.80 > ntserver.1889: . ack 2098780331 win 4096
0x0000 4500 004c 7128 0000 402f f43b 0a00 008a E..Lq(..@/.;....
0x0010 0a00 0096 3001 880b 002c 0000 0000 0009 ....0....,......
0x0020 ff03 0021 4500 0028 93c5 0000 2d06 0c2b ...!E..(....-..+
0x0030 cdbc f2a2 d554 582c 0050 0761 b83e c698 .....TX,.P.a.>..
0x0040 7d18 d8ab 5010 1000 d5a7 0000 }...P.......


I've uploaded a big piece of the capture on http://www.xs4all.nl/~internal/shoutcap.txt , there you can see that the traffic is instantiated by your side.

And this continues unlimited in time @ 2k down and 2k up as acknowledgements??
10.0.0.138 is my PPTP tunnel to my modem.
Ntserver is the local name of my machine.
Internal.xs4all.nl is my DNS entry and 213.84.88.44 is my public IP address.

I often listen to your streams, so it would not be a nice option to completely cut your access to my IP.
I hope you can reset the connection though.

Please help

Grz.
Martin

Last edited by mlstolk; 19th August 2002 at 09:12.
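
Added example (not part of the original post or thread): a decoder for the single frame quoted in post #1, peeling the outer IP, PPTP enhanced GRE and PPP layers to reach the inner TCP header. The function names are this example's own; the hex dump is copied from the post.

```python
import re
import socket
import struct

# Hex dump copied from post #1 (offset, 16-bit hex words, ASCII column).
DUMP = """\
0x0000 4500 004c 7128 0000 402f f43b 0a00 008a E..Lq(..@/.;....
0x0010 0a00 0096 3001 880b 002c 0000 0000 0009 ....0....,......
0x0020 ff03 0021 4500 0028 93c5 0000 2d06 0c2b ...!E..(....-..+
0x0030 cdbc f2a2 d554 582c 0050 0761 b83e c698 .....TX,.P.a.>..
0x0040 7d18 d8ab 5010 1000 d5a7 0000 }...P.......
"""

def dump_to_bytes(dump):
    out = bytearray()
    for line in dump.splitlines():
        for word in line.split()[1:9]:          # skip offset, at most 8 words
            if not re.fullmatch(r"[0-9a-fA-F]{4}", word):
                break                           # reached the ASCII column
            out += bytes.fromhex(word)
    return bytes(out)

def parse_ipv4(buf):
    ihl, total = (buf[0] & 0x0F) * 4, struct.unpack("!H", buf[2:4])[0]
    addrs = socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20])
    return buf[9], addrs, buf[ihl:total]        # protocol, (src, dst), payload

def parse_pptp_gre(buf):
    flags, ver, proto, plen, _call_id = struct.unpack("!BBHHH", buf[:8])
    if (ver & 0x07) != 1 or proto != 0x880B:
        raise ValueError("not enhanced GRE (version 1) carrying PPP")
    off = 8 + (4 if flags & 0x10 else 0) + (4 if ver & 0x80 else 0)  # seq, ack
    return buf[off:off + plen]

def parse_ppp(buf):
    if buf[:2] == b"\xff\x03":                  # address/control field present
        buf = buf[2:]
    return struct.unpack("!H", buf[:2])[0], buf[2:]

def decode(dump=DUMP):
    outer_proto, _tunnel, gre = parse_ipv4(dump_to_bytes(dump))
    ppp_proto, inner_raw = parse_ppp(parse_pptp_gre(gre))
    inner_proto, (src, dst), tcp = parse_ipv4(inner_raw)
    if (outer_proto, ppp_proto, inner_proto) != (47, 0x0021, 6):
        raise ValueError("expected IPv4 / GRE / PPP / IPv4 / TCP")
    sport, dport, _seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    names = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")
    flags = [n for i, n in enumerate(names) if off_flags & (1 << i)]
    return {"src": f"{src}:{sport}", "dst": f"{dst}:{dport}", "flags": flags,
            "ack": ack, "win": win, "payload_len": len(tcp) - (off_flags >> 12) * 4}
```

A single ACK-only frame carries no SYN, so deciding which side opened the connection needs the earliest frames of the capture, not this one alone.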
Old 19th August 2002, 08:38   #2
mlstolk
Junior Member
 
Join Date: Aug 2002
Posts: 6
Not a player installed on the server

For the sake of clarity:

My server was the only computer connected to the internet and it does NOT have Winamp or another Shoutcast player installed...
Extra: I've made a screenshot of DUMeter (total time displayed is about 5 minutes, but it continues infinitely, as I told). Here you can see how continuous, without gaps etc., the data flow is:
http://www.xs4all.nl/~internal/shoutcap.gif

Last edited by mlstolk; 19th August 2002 at 09:04.
Old 19th August 2002, 11:29   #3
Jay
Moderator Alumni
 
Join Date: May 2000
Location: Next Door
Posts: 8,942
Could you post a log from your Shoutcast server, please?
Old 19th August 2002, 17:49   #4
TreadHead
Junior Member
 
Join Date: Aug 2002
Location: Jacksonville, FL. USA
Posts: 7
??

Digitally Imported is a broadcaster using Shoutcast. I'd need to see a little more info than is provided. Do you have any sniffer traces/captures?
Old 19th August 2002, 18:41   #5
mlstolk
Junior Member
 
Join Date: Aug 2002
Posts: 6
I think the problem is solved... Again I've shut down my internet connection for some hours and I've now reestablished the connection.
And: 10 minutes without the strange up/down!

The extra info the post above requested can be found under the links (also in the text above).

http://www.xs4all.nl/~internal/shoutcap.txt
and
http://www.xs4all.nl/~internal/shoutcap.gif
Old 19th August 2002, 20:05   #6
TreadHead
Junior Member
 
Join Date: Aug 2002
Location: Jacksonville, FL. USA
Posts: 7
AOL

That IP is an AOL IP.... Darn AOL users. Looks like they were trying to broadcast via your server, maybe?? Not too sure, but then I'm just a newbie at this. But if you type the IP in your browser it tries to load a SHOUTcast resource, so they are definitely running the SC Server. My guess is they were broadcasting via your public server and kept trying to reconnect every time you brought yours back up. What do you think?

Listen!!!

My brief research follows:

http://205.188.242.162 >>>>>
ICY 404 Resource Not Found icy-notice1:SHOUTcast Distributed Network Audio Server/posix v1.8.1
icy-notice2:The resource requested was not found


=========================================
whois whois.arin.net 205.188.242.162:

America Online, Inc (NETBLK-AOL-DTC)
22080 Pacific Blvd
Sterling, VA 20166
US

Netname: AOL-DTC
Netblock: 205.188.0.0 - 205.188.255.255

Coordinator:
America Online, Inc. (AOL-NOC-ARIN) domains@aol.net
703-265-4670

Domain System inverse mapping provided by:

DNS-01.NS.AOL.COM 152.163.159.232
DNS-02.NS.AOL.COM 205.188.157.232

Record last updated on 27-Apr-1998.
Database last updated on 18-Aug-2002 20:00:11 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
Old 19th August 2002, 21:28   #7
mlstolk
Junior Member
 
Join Date: Aug 2002
Posts: 6
Could be they were trying to use my server to broadcast, but I don’t have a Shoutcast server installed or running.
In that case they were trying very hard to determine if my server was online, because it was just a matter of seconds between my server coming online and the stream reoccurring.

The thing with the IP 205.188.242.162 is that Digitally Imported uses this server to broadcast their “D I G I T A L L Y - I M P O R T E D - European Trance, Techno, Hi-NRG... we can`t define it!” stream.
Listed as first or second item on http://www.shoutcast.com

If I launch that stream with Winamp, it says: connecting http://205.188.242.162 so maybe DI is hosted on an AOL account?

I’m confused if DI is trying to abuse my server (with no Shoutcast entry on it). DI is the most popular internet radio channel (as far as I know), and I don’t think they are doing crappy stuff like this.

Maybe it’s just a router/server failure at their side :S
Old 20th August 2002, 00:04   #8
TreadHead
Junior Member
 
Join Date: Aug 2002
Location: Jacksonville, FL. USA
Posts: 7
HEHEH

Well, after looking at the facts, I would say it is indeed DI (I can't explain why though) but on an AOL server. On the DI website I was reading the FAQs and it mentions that 1/2 of their bandwidth is provided by Intellispace, and the other 1/2 they are not authorised to talk about yet.

Hmm, AOL.. Parent company of Nullsoft... DI streaming on AOL bandwidth.. DI is THE Internet Radio station.. utilizing Nullsoft's SHOUTcast technology. Looks like 1/2 of DI's bandwidth is provided by who???
Old 20th August 2002, 03:58   #9
Jay
Moderator Alumni
 
Join Date: May 2000
Location: Next Door
Posts: 8,942
I don't really think it is any secret that DI is hosted on AOL test servers; there are quite a few broadcasters who are. As far as this DoS or attack business goes, I think that you are mistaken, because if you are just a listener, Shoutcast has no reason to hit you nor download or upload to you, unless you are listening to the stream. What were you using to listen to his stream?
Old 20th August 2002, 07:48   #10
mlstolk
Junior Member
 
Join Date: Aug 2002
Posts: 6
I was using Winamp 2.80.
I sometimes listen to the "we can't define it" stream or Wolf FM (I believe it's also hosted on that server). But I'm sure this 2k up/down stream is NOT my fault and is NOT due to a player or any kind of program I had running. Of course, it could have set up the strange stream, but the termination is server sided.
As I said: I think the server or router has a little flaw in it.
Old 20th August 2002, 09:04   #11
Jay
Moderator Alumni
 
Join Date: May 2000
Location: Next Door
Posts: 8,942
I never said it was your fault, I just think you are mistaken that this is a problem at the Shoutcast server. I just have a hard time believing a stream of data can be sent to you without some application on your end doing the receiving/sending. Check your process list and next time it happens start killing stuff until the mysterious usage disappears. Another thing: I have noticed that some network traffic meters can be mistaken about the actual traffic usage. It happens on various NIC/WAP devices to me all the time. Some monitors are just not written as well as others.
Old 20th August 2002, 09:49   #12
mlstolk
Junior Member
 
Join Date: Aug 2002
Posts: 6
No, I have already tried to kill every process and, as I said, the stream was initiated(!) by the remote side (see my dumps).
The dump confirms there _is_ actually a data stream and it's not a flaw of the D/U-Meter.

But I have the answer.
I mailed Ari Shohat from DI and this is his response (it acknowledges my 'little investigation' results and feelings): It's a bug in the (AOL) Shoutcast system.

Quote:
Hi Martin, that is very very interesting. The IP (205.188.242.162) and anything 205.188 is from Shoutcast/AOL, they provide servers on that range. So I don't control those really, and I have no idea what is going on here. 2-3Kb/s I can't imagine what could be going in and out.
----- Next mail ----
Hi, they said it could be from their new Ultravox system (the ip : port that you listed to from). They rebooted it recently, so that's when it possibly stopped. It's a bug, they said they've seen it before, so they keep improving it. Basically, they give a lot of bandwidth and hope this way they will improve the system. I am quite sure nobody is spying or anything, just hoping they fix it soon.
So I hope they solved the issue now, and I am happy and relieved again

Thanks all!