Michael -- It is unlikely that there is a lot of AOL expertise here on this list (others, please correct me if I am wrong), so the most valuable information to provide here would be a better description of what "users logging into AOL over our high speed internet connections" means ... particularly the "logging in" part.

I just went to www.aol.com and was offered there the option to enter a Screenname and Password, then sign on. Since I'm not an AOL member, I couldn't actually do this, but I poked around enough that I *think* the info is sent over an unencrypted (http, not https) connection. That's a jolly little security hole right there, to answer your question #3 in part. Whether a successful sign on creates additional security holes is unclear, since I can't test that level of access.

In any case, I don't know if this is what the users at the offending workstations are doing, and really *you* are the only one in a position to find this out. So ...

Are they running some proprietary AOL software that does secret things? (If so, what does sniffing the traffic tell you?)

Are they just connecting to an http(s) site and authenticating themselves somehow? (Might this be launching spyware apps or the like?)

Are they doing something else? (What?)

I do note that you wrote ...

>We have been told that, apparently, logging into aol over a lan
>connection results in some kind of connection to a special aol network.
>I have never used aol and I do not understand this -- hence the first
>two questions.

... so please don't reply with one of your "read what I wrote more carefully" responses. Even if you don't know yet, only you are in a position to find out what the users at your client site are actually doing. We're troubleshooters here, not the Psychic Friends Network.

As a general matter, if what you are looking for is ONLY someone who has already seen the exact problem you are seeing and knows the exact answer, then what you've sent up to now is fine (and I'm wasting both your and my time by replying), since it is probably enough to find such a person. But in that case, you might do better on an AOL support list than here. And I am certainly not the person whose help you want.

If you want help analyzing something that is a new problem to all of us ... then my suggestion above is a good place to start. So are Jeff's suggestions (about reporting the routing table and such on an "offending" workstation when it is "logged in" to AOL).

This would probably be a good topic to explore further, either here or on the -devel list, and that is why I am bothering to reply at all. It is (or may be) a concrete, and potentially widespread, instance of a general problem with firewalling ... what is the difference between a tunnel and a hole? If users can run software that punches hard-to-find holes in firewalls (and we know they can, as a general matter), what's a sysadmin to do? But for that sort of discussion to work, you need to be interested enough in exploring the problem with us, not just finding a known answer quickly, to share the sorts of information I mention above and that others have already suggested. Your call.

Let me close with one specific response. You wrote:

>From the ``ll header'' entries
>that accompany each martian, we have identified the mac address of
>culprit workstations and determined that they are not dialing out on
>modems; but, even if they were, I do not see any change to my
>questioning. What is the difference?

The difference is that holes caused by dialout workstations are old news, and there is really no way to address this problem at the firewall (except by blocking traffic routed through it with the martians rules, as you are already doing). So it's not really a LEAF issue. If, OTOH, the traffic occurs because users are tunneling through the firewall, it is at least possible in principle to address that at the firewall level.

PS. After I finished this reply, I saw your latest response (to Jeff's message), in which you write:

>It may be interesting to know that aol installs a special ``adapter''
>that is purported to behave similarly to a hardware nic. In fact, on
>win9x, at least, it is next to the nic in network neighborhood
>properties and is near identically configured.

This certainly suggests to me that AOL is somehow tunneling through your firewall, causing the behaviors you note, and creating the sort of hole that is at least potentially exploitable. When you have access to an offending workstation, perhaps you will be able to tell us if this characteristic applies to the sorts of logins your users are doing or just to AOL's dial-up service.

At 10:53 AM 3/9/02 -0600, Michael D. Schleif wrote:
>
>I am sorry for offending everyone. I will proffer no excuses. I was in
>one of my bullheaded moods and acted inappropriately. Again, I am
>sorry.
>
>Is it possible to ask a generic question?
>
>In general, is it possible to answer my original questions? Since I
>don't see this as a setup question -- is it a setup question to you? --
>I asked these questions in the most generic way, hoping to spare
>bandwidth. Apparently, I made a mistake.
>
>I submitted log information -- apparently, that is also inadequate.
>
>I humble myself to this list: what do we need to know to answer these
>questions?
>
>We have already analyzed the environments in which this happens and it
>always happens on internal networks. All of these sites have T1, dsl,
>cable, &c. connections to the internet. From the ``ll header'' entries
>that accompany each martian, we have identified the mac address of
>culprit workstations and determined that they are not dialing out on
>modems; but, even if they were, I do not see any change to my
>questioning. What is the difference? This only occurs on a small
>percentage of workstations; otherwise, all of these networks behave as
>we expect.
>
>We have been told that, apparently, logging into aol over a lan
>connection results in some kind of connection to a special aol network.
>I have never used aol and I do not understand this -- hence the first
>two questions.
>
>Since this happens on several different networks, if some kind helper
>really wants to see all of the setup and configuration information, then
>I will comply; but, it will be a very long post.
>
>Again, I am sorry to be so abrasive. Although, I do not see this as a
>setup issue and, therefore, I do not see in the troubleshooting
>documents anything applicable to these issues, please, point me to the
>information required and I will comply.
>
>Thank you.
>
>
>"Michael D. Schleif" wrote:
>>
>> We are seeing martians on internal networks on a regular basis.
>>
>> Usually, it is traceable to users logging into AOL over our high speed
>> internet connections:
>>
>> 172.128.0.0 - 172.191.255.255
>>
>> Today, we saw one from United Airlines:
>>
>> 205.174.16.0 - 205.174.23.255
>>
>> [1] How does this happen?
>>
>> [2] Why does this happen?
>>
>> [3] Is this exploitable?

-- 
------------------------------------"Never tell me the odds!"---
Ray Olszewski                                       -- Han Solo
Palo Alto, CA                                 [EMAIL PROTECTED]
----------------------------------------------------------------

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
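The thread above attributes martians to workstations by reading the MAC address out of the kernel's ``ll header'' line and checks the source address against the AOL and United Airlines blocks Michael listed. The script below is an added example (not posted by anyone in the thread) that does exactly that over a constructed syslog excerpt; it assumes the 2.4-era Linux log layout, and the hostnames and MACs in the sample are made up.

```python
import ipaddress
import re
from collections import Counter

# Source blocks the thread reports seeing as martians, written as CIDR.
KNOWN_RANGES = {
    "AOL": ipaddress.ip_network("172.128.0.0/10"),               # 172.128.0.0 - 172.191.255.255
    "United Airlines": ipaddress.ip_network("205.174.16.0/21"),  # 205.174.16.0 - 205.174.23.255
}

# 2.4-era kernel layout: "martian source <dst> from <src>, on dev <if>", followed
# on the next line by the raw link-layer header as colon-separated hex bytes.
MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
LLHDR_RE = re.compile(r"ll header:\s*([0-9a-fA-F:]+)")

# Constructed sample log (not from the thread); hosts and MACs are made up.
SAMPLE_LOG = """\
Mar  9 10:41:02 fw kernel: martian source 198.51.100.7 from 172.130.5.17, on dev eth1
Mar  9 10:41:02 fw kernel: ll header: 00:50:ba:11:22:33:00:a0:c9:44:55:66:08:00
Mar  9 10:41:09 fw kernel: martian source 198.51.100.7 from 172.130.5.17, on dev eth1
Mar  9 10:41:09 fw kernel: ll header: 00:50:ba:11:22:33:00:a0:c9:44:55:66:08:00
Mar  9 10:52:31 fw kernel: martian source 203.0.113.9 from 205.174.20.4, on dev eth1
Mar  9 10:52:31 fw kernel: ll header: 00:50:ba:11:22:33:00:04:76:aa:bb:cc:08:00
"""

def classify(src):
    """Name the block a martian source address falls in, or 'unknown'."""
    addr = ipaddress.ip_address(src)
    return next((n for n, net in KNOWN_RANGES.items() if addr in net), "unknown")

def parse_martians(text):
    """Pair each martian line with its ll header (Ethernet: bytes 0-5 dst MAC,
    6-11 src MAC, 12-13 ethertype) and record the sending workstation's MAC."""
    records, pending = [], None
    for line in text.splitlines():
        if m := MARTIAN_RE.search(line):
            pending = dict(zip(("dst", "src", "dev"), m.groups()))
            pending.update(owner=classify(pending["src"]), src_mac=None)
            records.append(pending)
        elif (h := LLHDR_RE.search(line)) and pending is not None:
            octets = h.group(1).strip(":").split(":")
            if len(octets) >= 12:               # full 14-byte Ethernet header
                pending["src_mac"] = ":".join(octets[6:12]).lower()
            pending = None                      # one header per martian line
    return records

def count_by_mac(records):
    """Martians per (workstation MAC, source block): the culprit list."""
    return Counter((r["src_mac"], r["owner"]) for r in records)
```

Run against a real LEAF log the output of count_by_mac() is the per-workstation tally Michael describes building by hand; any MAC that appears with an "unknown" block is a new tunnel to investigate.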