Detecting Malformed or Misdirected Data

This last application of black-hole monitoring relies on watching traffic that does not seem to make any sense, but that nevertheless arrives at a specific, unused destination. To better illustrate the problem, allow me this digression.

In 1999, a group of friends, colleagues in Poland, and I began a humble after-hours project. Our goals were to track down a hard-to-explain set of RST+ACK packets that we had noticed arriving at networks we maintained and, more generally, to monitor unusual and unsolicited traffic patterns arriving at unused network segments. It was great fun, and, as you might imagine, it resulted in a good deal of speculation when we tried to reasonably explain some of the most unusual cases. Our research also enabled us to learn more about the world around us, as we encountered some exceedingly bizarre and seemingly inexplicable traffic that, once properly analyzed, provided more insight into the vast conspiracies of our wired world.

Although formally abandoned, this project ended up in my private “Museum of Broken Packets,”[115] a semihumorous web page dedicated to tracking down, documenting, and explaining packets that should never have reached their destination or that should never have looked the way they did. The stated purpose of the museum was as follows:

The purpose of this museum is to provide a shelter for strange, unwanted, malformed packets—abandoned and doomed freaks of nature—as we, mere mortals, meet them on the twisted paths of our grand journey called life. Our exhibits—or, if you wish, inhabitants—are often just a shadow of what they used to be before they met a hostile, faulty router. Some of them were born deformed in the depth of a broken IP stack implementation. Others were normal packets, just like their friends (you or me), but got lost looking for the ultimate meaning of their existence and arrived where we should never have seen them. In every case, we try to discover the unique history of each packet’s life, and to help you understand how difficult it is to be a sole messenger in the hostile universe of bits and bytes.

And this is what the last type of black-hole monitoring boils down to. Although the task can appear pointless at first, it is foolish to assume so. The museum made it possible to passively uncover dark secrets about various proprietary devices and well-protected networks, and running such an experiment elsewhere would undoubtedly result in the same or greater accomplishments.

Some of the exhibits in my museum include marvels such as the following:

  • Packets originating from networks with a specific type of web accelerator, router, or firewall; the device appends, strips, or otherwise mangles some of the data. A good example is a flaw in certain Nortel CVX devices that is responsible for the occasional stripping of TCP headers from packets (as discussed in Chapter 11). The uniqueness of this flaw enables us to learn a good deal about a number of remote networks without having to actually go out and probe them.

  • Several line-noise exhibits, showing packets containing either utter garbage or data that certainly did not belong to a specific connection. One of the most surprising exhibits is unsolicited traffic containing data that appears to be a dump of .de DNS zone contents (a listing of all domains in Germany). The traffic could not have originated just anywhere, because mere mortals have no right to obtain such a list. Instead, it must have originated at an authorized party able to obtain and transfer this data, and it must have been mangled either by the sender or by a device somewhere along the way. Although not every case sheds much light on the nature of the mishap behind it, cases such as this one often reward the observer with unexpected, and often valuable, findings.

Other noteworthy exhibits included cases of apparent espionage camouflaged to appear as regular traffic and many other coding or networking hiccups. But enough bragging—if you feel compelled to find out more, visit http://lcamtuf.coredump.cx/mobp/.
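To make the museum's sorting criteria concrete, here is an added example, constructed for this text and not taken from the book, the museum, or any real capture: a small Python classifier for raw IPv4 packets that arrive at an address range where nothing ever sends a packet, so every arrival is by definition unsolicited. It sorts them into the categories the exhibits above describe: unsolicited RST+ACK, IP packets that claim to carry TCP but have no parseable TCP header (my own heuristic for the shape a header-stripping middlebox defect would leave, not a signature from the page), scans, readable text misdirected at nobody, and opaque noise. The sample packets, the 198.51.100.0/24 and 203.0.113.0/24 addresses (RFC 5737 documentation ranges), the zone-file-like text, and the 0.9 printable-byte threshold are all assumptions made for the demonstration; checksums are left as zero because the classifier never checks them.

```python
"""Added example: sort packets arriving at an unused (black-hole) address range.

Constructed for illustration; sample packets are built inline, checksums are 0.
"""
import struct
from collections import Counter
from dataclasses import dataclass

TCP, UDP = 6, 17
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Verdict:
    label: str
    detail: str


def parse_ipv4(pkt: bytes):
    """Return (proto, src, dst, payload) from a raw IPv4 packet, or raise ValueError."""
    if len(pkt) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("version is not 4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("IHL inconsistent with packet length")
    # Slice by what actually arrived, not by Total Length: a mangling device may
    # leave the two in disagreement, and that disagreement is itself evidence.
    return proto, src, dst, pkt[ihl:]


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII (tab/CR/LF count); 0.0 for empty input."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def classify(pkt: bytes) -> Verdict:
    """Label one packet, knowing that no host in the watched range ever sent anything."""
    try:
        proto, _src, _dst, payload = parse_ipv4(pkt)
    except ValueError as e:
        return Verdict("malformed_ip", str(e))
    if proto == TCP:
        # Data offset must describe at least 20 bytes that are actually present;
        # otherwise IP says "TCP" but no TCP header follows (header stripped or mangled).
        doff = (payload[12] >> 4) * 4 if len(payload) >= 20 else 0
        if doff < 20 or doff > len(payload):
            return Verdict("stripped_tcp_header", f"{len(payload)} bytes after IP, no valid TCP header")
        flags = payload[13] & 0x3F
        if flags & RST and flags & ACK:
            return Verdict("unsolicited_rst_ack",
                           "reply to a SYN this range never sent (spoofed-source backscatter is one cause)")
        if flags == SYN:
            return Verdict("scan_syn", "connection attempt to an address nobody uses")
        if flags & ACK and printable_ratio(payload[doff:]) > 0.9:
            return Verdict("misdirected_data", "mid-stream text for a connection that does not exist here")
        return Verdict("orphan_tcp", f"flags=0x{flags:02x}")
    if proto == UDP:
        if len(payload) < 8:
            return Verdict("malformed_udp", f"only {len(payload)} bytes after IP header")
        data = payload[8:]
        if printable_ratio(data) > 0.9:
            return Verdict("misdirected_text", "readable text sent to an address nobody uses")
        return Verdict("orphan_udp", f"{len(data)} bytes of opaque data")
    return Verdict("unknown_proto", f"IP protocol {proto}")


def summarize(packets) -> dict:
    """Count verdict labels over raw packets, the shape of a daily black-hole report."""
    return dict(Counter(classify(p).label for p in packets))


# --- constructed sample traffic (not captured data) ---------------------------
def _ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                      proto, 0, _ip(src), _ip(dst))
    return hdr + payload


def build_tcp(sport: int, dport: int, flags: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + data


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


SINK = "203.0.113.9"  # an address inside the unused range being watched (assumed)
ZONE_TEXT = b"example.de. IN NS ns1.example.de.\nbeispiel.de. IN NS ns2.example.de.\n"
SAMPLES = {
    "backscatter": build_ipv4(TCP, "198.51.100.7", SINK, build_tcp(80, 40001, RST | ACK)),
    # TCP per the IP header, but the bytes that follow are an HTTP request, not a TCP header
    "stripped":    build_ipv4(TCP, "198.51.100.8", SINK, b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    "scan":        build_ipv4(TCP, "198.51.100.9", SINK, build_tcp(51234, 22, SYN)),
    "stray_http":  build_ipv4(TCP, "198.51.100.10", SINK,
                              build_tcp(443, 3301, PSH | ACK, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")),
    "zone_dump":   build_ipv4(UDP, "198.51.100.11", SINK, build_udp(5000, 5001, ZONE_TEXT)),
    "noise":       build_ipv4(UDP, "198.51.100.12", SINK, build_udp(5000, 5001, bytes(range(64)))),
    "truncated":   b"\x45\x00\x00\x14",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        v = classify(pkt)
        print(f"{name:12s} {v.label:22s} {v.detail}")
    print(summarize(SAMPLES.values()))
```

The useful property of a black hole is that the classifier needs no connection state: because the watched range never transmits, every RST+ACK is by construction a reply to something it did not send, and any segment carrying mid-stream data belongs to a connection that cannot exist there. In a real deployment the packets would come from a raw socket or a pcap reader rather than the constructed `SAMPLES` dictionary, and the printable-text threshold would be tuned to the kind of noise the link actually produces.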
