The white paper is not done (too many other projects right now to finish it)
but here is the gist of the traffic patterns.  Since I got enough off-list
email expressing interest, it seems appropriate to post it here.

I used a router to block incoming SYN packets to my IP address which blocked
napster traffic from my machine until I changed the client setting to "I
live behind the firewall."  At that point, people started downloading from
me again because my client would initiate the SYN.  It also doesn't do any
good to block the napster subnet range.  While that works 95% of the time,
there are other napster servers out there that do not live in the napster
64.124.41.0 network.

A co-worker is looking at Packet Pup as a way to block napster but we are
kind of unique in that we don't care if students download files but we don't
want to be the main supplier of songs so we want to block downloads from us.
*shrugs* any suggestion on that front would be appreciated.

-Beth

--------------------------------------------

A normal napster session begins with the following traffic pattern, a normal
3-way handshake to two different servers:
        1.      The local workstation contacts the napster server
                (server.napster.com) - SYN
        2.      The server responds - SYN/ACK
        3.      The local workstation acknowledges - ACK
        4.      The server pushes HTML data to the local workstation (this
                is the front page of napster loading).  Destination port 80.
        5.      After the local user clicks the search button on the napster
                client, there is another 3-way handshake between the local
                workstation and the server (64.124.41.179).  Destination
                port 8888.
        6.      After you enter a song title/band name to search on, there
                are a lot of Echo/Echo reply packets sent.  The local
                workstation will ping the remote workstations for ping times
                (you can disable the ping option on the client).
        7.      Once you select a song to download, the remote workstation
                initiates the 3-way handshake by sending a SYN
        8.      Local workstation responds - SYN/ACK
        9.      The remote workstation responds with ACK
        10.     Once the connection is set up, the data is transferred with
                2 packets sent per one acknowledge packet from local
                workstation.  Destination port is 6699.  Interestingly
                enough, the packet sizes are 1460 and 588.

Napster traffic if you check "I live behind a firewall" option on the client
works the following way when downloading a file to local machine:
        Same as steps 1-6 above.
                1.      Once you select a song, the local workstation
                        initiates the 3-way handshake by sending a SYN
                        packet to remote workstation.
                2.      The remote workstation responds with SYN/ACK
                3.      The local workstation responds with an ACK
                4.      Once the connection is set up, the data is
                        transferred with 2 packets sent per one acknowledge
                        packet from local workstation.  The destination port
                        is still 6699 with the same mix of 1460 and 588
                        packet sizes.

Napster traffic if you check "I live behind a firewall" option on the client
works the following way when downloading a file from local machine:
        Steps 1-6 same as above to connect to the napster service.
                1.      The local workstation sends the SYN packet with
                        destination port 6699
                2.      The remote workstation responds with SYN/ACK packet.
                3.      The local workstation responds with an ACK packet.
                4.      Once the connection is set up, the data is
                        transferred with 2 packets sent per one acknowledge
                        packet from local workstation.  The destination port
                        is still 6699 with packet sizes about 1414.
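
Added example, not part of the original post: a sketch of how a border monitor could tell outbound file serving from inbound downloads on port 6699 by tracking, per connection, who sent the bare SYN and which side sent the payload bytes, which is what an inbound-SYN block alone cannot see. The 10.1.0.0/16 local range, the peer addresses and the packet tuples are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.1.0.0/16")  # assumption: stand-in for the campus range
DATA_PORT = 6699                        # transfer port reported in the post

# Constructed sample: (src, sport, dst, dport, tcp_flags, payload_bytes)
SAMPLE = [
    # remote peer opens the connection, file data flows in to the local host
    ("198.51.100.7", 40001, "10.1.2.3", 6699, "S", 0),
    ("10.1.2.3", 6699, "198.51.100.7", 40001, "SA", 0),
    ("198.51.100.7", 40001, "10.1.2.3", 6699, "A", 1460),
    ("198.51.100.7", 40001, "10.1.2.3", 6699, "A", 588),
    # firewall mode: local host opens the connection, data still flows in
    ("10.1.2.3", 40002, "203.0.113.9", 6699, "S", 0),
    ("203.0.113.9", 6699, "10.1.2.3", 40002, "SA", 0),
    ("203.0.113.9", 6699, "10.1.2.3", 40002, "A", 1460),
    # firewall mode: local host opens the connection and sends the file out
    ("10.1.2.3", 40003, "192.0.2.44", 6699, "S", 0),
    ("192.0.2.44", 6699, "10.1.2.3", 40003, "SA", 0),
    ("10.1.2.3", 40003, "192.0.2.44", 6699, "A", 1414),
    ("10.1.2.3", 40003, "192.0.2.44", 6699, "A", 1414),
]

def is_local(ip):
    return ip_address(ip) in LOCAL_NET

def classify(packets):
    """Group port-6699 packets into flows; record the SYN sender and byte direction."""
    flows = {}
    for src, sport, dst, dport, flags, size in packets:
        if DATA_PORT not in (sport, dport) or is_local(src) == is_local(dst):
            continue  # not a transfer, or not crossing the border
        key = frozenset({(src, sport), (dst, dport)})
        flow = flows.setdefault(key, {"initiator": None, "out": 0, "in": 0})
        side = "local" if is_local(src) else "remote"
        if flags == "S" and flow["initiator"] is None:
            flow["initiator"] = side  # a bare SYN marks the side that opened the flow
        flow["out" if side == "local" else "in"] += size
        flow["remote"] = dst if side == "local" else src
    for flow in flows.values():
        flow["direction"] = "upload" if flow["out"] > flow["in"] else "download"
    return list(flows.values())

def uploads_past_inbound_syn_block(flows):
    """Remote peers receiving files over flows that an inbound-SYN drop rule never sees."""
    return [f["remote"] for f in flows
            if f["direction"] == "upload" and f["initiator"] == "local"]

if __name__ == "__main__":
    for f in classify(SAMPLE):
        print(f)
```
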
