michael from spotsylvania

Q: Help please.. Is this normal behavior?!?

I'm a network engineer, and we recently allowed the use of iPhones on the business wireless network to test for a possible business deployment.

I received an alarm the other day of a LAND attack. Further investigation showed in a sniffer capture that all these "attacks" were from Apple devices on the network. The behavior was very odd.

Client initiated a connection to Apple 17.173.254.222; after 8 attempts it went to 17.173.254.223. Source port 16403, destination 16384.

Apple 17.173.254.222 responds to the client IP address 192.168.100.23, from port 16384 to client port 16403.

Apple 17.173.254.223 does the same.

This is where it gets interesting.

The client 192.168.100.23 responds not to Apple but to its outside translated address 12.124.1.15 (not the real IP), port 16403 both source and destination.

This generates a LAND attack notification.

Apple 17.173.254.223 responds to 192.168.100.23.

The client sends a response to its translated address again. Another LAND attack message is generated.

Then 17.173 sends a response to 192.168.100.23.

The client responds to 17.173.254.223 this time.

What the heck is going on? How is the translated address for this client getting involved this way? It's not just this one; I have picked off 3000 in the past 24 hours.

It's almost time to shut down all Apple devices from the network unless I get a handle on this.

Any thoughts??

Devices seen are iPhones mostly and some iPads.

Posted on Jun 1, 2012 10:02 AM
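The sequence above is exactly the shape that trips a LAND signature: once the edge NAT rewrites the client's source address to the public IP, a packet the client sent to its own translated address has source and destination identical in both address and port. The following added example (not from the original post or from Apple; the NAT model and the 12.124.1.15 placeholder are constructed to mirror the capture) replays that flow through a source NAT and shows how a defender can tell a post-NAT hairpin from a genuinely spoofed LAND packet.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


INSIDE_CLIENT = "192.168.100.23"
PUBLIC_IP = "12.124.1.15"  # constructed placeholder, as in the post
APPLE_IPS = {"17.173.254.222", "17.173.254.223"}


def is_land(p: Packet) -> bool:
    """Classic LAND condition: source and destination share both address
    and port. A firewall or IDS raises 'LAND attack' on this 4-tuple."""
    return p.src_ip == p.dst_ip and p.src_port == p.dst_port


def source_nat(p: Packet, inside_ip: str, public_ip: str) -> Packet:
    """Model the edge NAT: outbound packets from the inside client get
    their source address rewritten to the public IP. The port is kept
    unchanged to mirror the 16403/16403 case in the capture (assumption:
    a real NAT may also remap the port)."""
    if p.src_ip == inside_ip:
        return replace(p, src_ip=public_ip)
    return p


def classify(p: Packet) -> str:
    """Explain why an inside-originated packet does or does not trip LAND."""
    outside = source_nat(p, INSIDE_CLIENT, PUBLIC_IP)
    if is_land(outside):
        if p.dst_ip == PUBLIC_IP and not is_land(p):
            return "LAND-after-NAT (inside host sent to its own public IP)"
        return "LAND (src==dst already before translation: spoofed)"
    if p.dst_ip in APPLE_IPS:
        return "normal media flow to Apple"
    return "other"


# Constructed sample reproducing the order of packets in the post.
SAMPLE = [
    Packet(INSIDE_CLIENT, 16403, "17.173.254.222", 16384),
    Packet(INSIDE_CLIENT, 16403, PUBLIC_IP, 16403),  # the alarming one
    Packet(INSIDE_CLIENT, 16403, "17.173.254.223", 16384),
]


def audit(packets):
    return [(f"{p.src_ip}:{p.src_port}->{p.dst_ip}:{p.dst_port}", classify(p))
            for p in packets]
```

Run `audit(SAMPLE)` to see the second packet labelled as a post-NAT hairpin rather than a spoofed attack; a rule that checks the pre-translation 4-tuple (or whitelists the public IP as destination) would not fire on it.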


  • by Defcom(UK), Level 6 (15,387 points), Jun 1, 2012 11:02 AM in response to michael from spotsylvania

    They look like iChat ports: http://support.apple.com/kb/HT1507?viewlocale=en_US&locale=en_US

    And Messages beta (new name for iChat in Mountain Lion) and FaceTime ports: http://support.apple.com/kb/HT4245

    I would say it's the iPhones/iPads using an IM (instant messenger) agent on them.

  • by michael from spotsylvania, Level 1 (4 points), iPhone, Jun 1, 2012 11:05 AM in response to Defcom(UK)

    That is my conclusion too, but the alarms of a LAND attack, initiated because the traffic goes round the NAT address of the client, are raising a red flag.

  • by michael from spotsylvania, Level 1 (4 points), iPhone, Jun 1, 2012 12:03 PM in response to Defcom(UK)

    If the device were sending traffic to the default gateway of the NAT'd address I could grasp it easier than the device sending to the NAT'd address of the device itself.

  • by Ralph Johns (UK), Level 9 (73,087 points), Applications, Jun 1, 2012 1:04 PM in response to michael from spotsylvania

    Hi,

    I have some sampled ports and IPs from Little Snitch.

    This is from using Messages Beta on Mac, which should be using the same ports and IPs.

    Messages itself

    (Little Snitch screenshot, 93 rules)

    IMRemote... is to do with iMessages as far as I can make out.

    (Little Snitch screenshot, 105 rules)

    IMAgent is now seemingly only handling Account Logins.

    (Little Snitch screenshot, 106 rules)

    There is a separate Apple Push Service that is handling some of the iMessage stuff.

    (Little Snitch screenshot, 106 rules)

     

     

    I don't have any software to capture the traffic through the router.

    I do have 4 iPhones here in total.

    9:01 PM      Friday; June 1, 2012


    Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"

     

      iMac 2.5Ghz 5i 2011 (Lion 10.7.4)
     G4/1GhzDual MDD (Leopard 10.5.8)
     MacBookPro 2Gb (Snow Leopard 10.6.8)
     Mac OS X (10.7.4),

    "Limit the Logs to the Bits above Binary Images."  No, Seriously

  • by Ralph Johns (UK), Level 9 (73,087 points), Applications, Jun 1, 2012 1:56 PM in response to Ralph Johns (UK)

    Addition due to issues with Posting.

    Defcom and I once helped someone whose female relative, in New York, was having issues with video chats in an older version of iChat.

    Tracing the issue by the male poster led to finding out the woman's ISP was routing incoming stuff and outgoing stuff by different routes to get around a maintenance/damaged cable issue.

    This meant that the iChat in use at that time thought it was in "two" places, and it needs to be in just one.

    "The client 192.168.100.23 responds not to Apple but to its outside translated address 12.124.1.15 (not the real IP), port 16403 both source and destination."

    If this outside translated port is your public IP then part of this would be correct.

    I say this as iChat will list in the Connection Doctor, on a failed chat, the LAN IP and the public IP that is involved.

    Sometimes it can actually be seen in the failed log:

     

    Video Conference Support Report:

    0.000000 @SIP/Transport.c:2362 type=1 (00000000/0)
    [SIP/2.0 200 OK
    Via: SIP/2.0/UDP 66.26.xxx.xxx:16402;branch=z9hG4bK668cf68705ef5e9a
    To: 0 <sip:user@lip:16402>;tag=1912370167        (To is to lip)
    From: u0 <sip:user@192.168.11.2:16402>;tag=506858487
    Call-ID: 18c8f0e4-c54b-11dc-a8eb-bbeee8514012@192-168-11-2

    The previous post with the pics has one that does list my public IP as part of the process.

    I hope this sheds some light on the subject.


  • by GFrazier, Level 1 (0 points), Jan 23, 2014 10:40 AM in response to michael from spotsylvania

    I know this is an EXTREMELY old question, and you may or may not have found the answer; however, I was running into this same issue. Two days ago, I checked my log files at the workplace and noticed only MY iPhone was sending out multiple UDP packets to these IPs: 17.173.254.222 and 17.173.254.223. I have researched it; the port that it sends out of is 16403, destined to port 16385. These ports are TCP/UDP ports for RTP...

    Apple:

    16384-16403 UDP Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) - connected, - iChat AV (Audio RTP, RTCP; Video RTP, RTCP)

    16384-16387 UDP Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) - connected, - FaceTime, Game Center

    16393-16402 UDP Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) - - FaceTime, Game Center

    16403-16472 UDP Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) - - Game Center

    I noticed that when I disconnect from the network and reconnect, the traffic starts again. Also, when trying to update my apps, the firewall blocks the connection to those IPs as well, thus blocking the updates.

    What I did was just create some Apple-specific ACLs, allowing traffic through the various ports that the iPhone uses; it put an end to the firewall blocking and logging the traffic. Below is a link for the ports.

    http://support.apple.com/kb/ts1629

  • by Ralph Johns (UK), Level 9 (73,087 points), Applications, Jan 23, 2014 12:37 PM in response to GFrazier

    Hi,

    Originally (iChat 3 and earlier) iChat would send an Invite request on port 5678 using UDP.

    It then moved to port 5060 to repeat the invite using the SIP protocol.

    The actual AV chat then used 4 ports starting at 16384 as first choice.

    The document Apple produced then suggested 20 ports should be allowed (plus another 10 for connection purposes for the various accounts).

    See http://support.apple.com/kb/HT1507

    iChat 4 and later (including Messages) moved the SIP invite and connection process to port 16402 as first choice.

    Video and audio chat also then use one port rather than the earlier Vid In, Vid Out, Audio In, Audio Out 4-port method.

    The first choice for this remains 16402.

    Apple did have a document for this that listed just 10 ports (16939-160420), which is inside the "group of 20 ports" from the earlier versions (16384-146403).

    When iMessages and FaceTime came out Apple produced this document: http://support.apple.com/kb/HT4245

    This again highlights the video ports that FaceTime uses, which in fact seem to line up with the iChat ones.

    However, it seems the two apps use different protocols for doing the two types of video.

    Although the AIM, Jabber and Bonjour accounts in Messages can use the "iChat style" video, none of the other accounts can.

    The iMessages one can invoke the FaceTime app though.

    Apple do claim that Video/Video connections are dynamic in later versions of iChat and in Messages.

    I.e., the ports listed in the tables are not always followed through on routing the connection across the Internet.
