unknown network traffic

[new user]

I just upgraded to noscript 2.0. When I first launch my browser (Build identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.11) Gecko/20100701 SeaMonkey/2.0.6) I see http traffic going to godaddy.com to do some sort of Online Certificate Statusing. It seems to make a connection every 5 minutes. I have not seen this behavior in previous builds. Is this a new feature? It's definately coming from noscript because the connections stop once I uninstall noscript. Any ideas?

[Giorgio Maone]

I just upgraded to noscript 2.0. When I first launch my browser (Build identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.11) Gecko/20100701 SeaMonkey/2.0.6) I see http traffic going to godaddy.com to do some sort of Online Certificate Statusing. It seems to make a connection every 5 minutes. I have not seen this behavior in previous builds. Is this a new feature? It's definately coming from noscript because the connections stop once I uninstall noscript. Any ideas?

It verifies the SSL certificate for secure.informaction.com, because an anonymous request is made to https://secure.informaction.com/ipecho in order for NoScript to detect and add your WAN IP to the LOCAL address pool.
This is meant to protect you from a new DNS-rebinding attack (which is being presented at Black Hat USA 2010) targeted to the WAN IP, where many flawed routers expose their administrative UI on the LAN side.

However it shouldn't be every 5 minutes, but every 24 hours or so, unless your WAN IP continuously change, you restart the browser, you go offline and then back online or you perform a standby/wake up.
If it consistently pings every 5 minutes, there's definitely some bug related to your network configuration which escaped beta testing.
Could you please run the following script in Tools|Error Console and watch for any [ABE WAN] message appearing there in 5 minutes?

Code: Select all

with(top.opener.noscriptOverlay.ns.wan){fingerprintLogging=true,_periodic(true)};

When you're done, to turn off the logging of the fingerprint found for your router, if any, please run the following script:

Code: Select all

top.opener.noscriptOverlay.ns.wan.fingerprintLogging=false

Thanks.

[therube]

I look to be getting it every 5 (or less) too.

Code: Select all

[ABE WAN] Trying to detect WAN IP...

Code: Select all

[ABE WAN] Detected WAN IP 151.196.246.108

Code: Select all

[ABE WAN] Fingerprint for http://[151.196.246.108] = 200 OK
Date:Wed Jul  :: 
Server:GoAhead-Webs
Last-Modified:Fri Oct  :: 
Content-Length:
Content-Type:text/html

<HTML>
<HEAD>
<TITLE>Verizon</TITLE>
<META http-equiv="PRAGMA" content="NO-CACHE"></META>
</HEAD>
<script language="JavaScript">
function resizeFix()
{
if(document.layers)
{
if(window.innerWidth!=origWidth||window.innerHeight!=origHeight)
{
window.view_frame.location.reload();
}
}
}
var showWacp=-
var theSearch=document.location.search;
var theTag="?wacp=true";
showWacp=theSearch.indexOf(theTag);
</SCRIPT>
<FRAMESET ROWS="*," border= onResize="resizeFix();">
<FRAME SRC="index.asp" name="view_frame">
<FRAME SRC="indexHidden.asp" name="hidden_frame" scrolling="no" noresize>
</FRAMESET>
<!-- Copyright () -  Westell, Inc. -->
</HTML>

Received the last message (initially) two times in relatively quick succession.
Then about 5 minutes later.
And somewhere along the line believe I again received two in relatively quick succession.
Then about 5 minutes later. ...

When you open the modem, it is typical for it to refresh regularly.

(I believe I posted about that indexHidden.asp some time in the past.)

<I think there's a DOS against informaction.>

[new user]

Could you please run the following script in Tools|Error Console and watch for any [ABE WAN] message appearing there in 5 minutes?

Code: Select all

with(top.opener.noscriptOverlay.ns.wan){fingerprintLogging=true,_periodic(true)};

It's absolutely showing up. Maybe part of the problem is that my problem is that my computer is directly connected to the Internet (no router involved) and that I am running a webserver.

[Giorgio Maone]

@therube:
that's the expected output.
NoScript detects your external IP first, then immediately "fingerprints" it.
From then on, every 5 minutes compare the fingerprint with a fresh response from the same IP: if it changes, it assumes you got assigned a new WAN IP and tries to detect it again.

(regarding the DOS: this feature was DOSing informaction.com, but in the end I managed to setup a load balancing across two servers for secure.informaction.com and now it's relatively quiet).

@new user:
you're likely among the few people who may want to disable this feature, since you've got a web server meant to be public on that IP.
Just uncheck NoScript Options|Advanced|ABE|WAN IP ∈ LOCAL.

[FourierSeries]

Thank you for the succinct reply Mr. Maone.

I was quite puzzled as to why, suddenly, various local PCs were tapping our web server at start up & then every 5 minutes thereafter.

Certain that a malware infection was cause I tore into one of them & was utterly surprised when I found that disabling NoScript stopped this behavior. Needless to say it was one of the last things I looked into. Shortly after this discovery I went hunting for an answer & ended up in this thread.

It's an uncommon situation to have a combined gateway / firewall / web server all on one box. I'm aware there are some very good reasons for not setting things up this way. Also shame on me for not paying closer attention to the release notes for the newest version of NoScript.

Anyway - I hope you will find this useful feedback.

Thank you & keep up the good fight!

[Giorgio Maone]

I was quite puzzled as to why, suddenly, various local PCs were tapping our web server at start up & then every 5 minutes thereafter.

You actually gave me a good idea: since currently the fingerprinting request is anonymized just like the external IP detection one by stripping all its headers except Host, to prevent accidental leaking of sensitive info through cookies and/or auth, an administrator looking at the logs may be legitimately puzzled especially if he doesn't know about NoScript or didn't keep up with recent developments. So what about adding to this request an User Agent header like this,

Code: Select all

Mozilla/5.0 (NoScript fingerprinting, see http://noscript.net/abe/wan)

?

[Giorgio Maone]

Furthermore, since log bloating may be a concern in some situations, NoScript could check for a response header like

Code: Select all

X-ABE-Fingerprint: Off

from the fingerprinted web resource and disable the periodic pings if it's found.

[praetor_alpha]

I, too, also noticed this on my own web server logs from the box behind me. Started on Wednesday, and was being pinged from my WAN IP every five minutes, and twice each time.

I was looking at the log in chrome, started Firefox and boom, another session from my local WAN IP. Disabled noscript, restarted manually, and no session. Started Wireshark, filtered port 80: nothing at all without Noscript, some activity with NS and also on port 443.

Blank user-agent, and requests root only.

[FourierSeries]

I was quite puzzled as to why, suddenly, various local PCs were tapping our web server at start up & then every 5 minutes thereafter.

You actually gave me a good idea: since currently the fingerprinting request is anonymized just like the external IP detection one by stripping all its headers except Host, to prevent accidental leaking of sensitive info through cookies and/or auth, an administrator looking at the logs may be legitimately puzzled especially if he doesn't know about NoScript or didn't keep up with recent developments. So what about adding to this request an User Agent header like this,

Code: Select all

Mozilla/5.0 (NoScript fingerprinting, see http://noscript.net/abe/wan)

?

Yes - I agree that's a good idea. That would lead Admin to immediately understand what was going on - or at least lead to a quick Google & be enlightened.

Once again, Thank You!

[Guest]

Loong time NoScript user, many thanks for a wonderful product. This is not a good idea, IMHO.
While I understand the reasons, I'd argue it is easier to start the browser, access router and close browser.
Why not an option to write "by hand" the router(s) ip address(es) in NoScript? After all, NoScript users are above average.
This thing was scary when I first saw it, because NS was the last thing I've expected to do it.
There "should" be some other ways to do this, probably not OS independent unfortunately.
As a comment, one of the reasons why I've dropped Opera is because it does such things (sending unrequested
traffic in/out), and because they don't have NoScript, obviously. Regards,

[ammdispose]

1st of all strange that FF verifies SSL certificate on godaddy over non-SSL URL.

2nd words like fingerprinting and then http://noscript.net/abe/wan redirect to page titled "hack" is going to scare most normal administrators and might even uninstall noscript completely from all computers in office thinking its doing something mischievous.

3rd, I have Squid and OpenDNS, so http://[IP] actually gets redirected to guide.opendns.com somehow. May be squid doesnt support [IP] and tries to resolve it instead.

4th, may be no-ip.com or dnsomatic/opendns or whatismyip.com can be used to detect IP address. They have similar specific URLs to detect IP.

5th, i dont think assuming that everyone uses personal modem is good idea. Some also have ISP who offers LAN based connection, ISP might get annoyed by continuous fingerprinting.(or even SYNs)

I am not sure if its already so, but fingerprinting cud be disabled if server cant be reached on first try i.e. port is closed. Which means attacker cant do anything anyway (atleast on that IP)

May be you can include an option to specify possible WAN IPs as comma separated list of network/netmask (which gets included in LOCAL).

[Giorgio Maone]

1st of all strange that FF verifies SSL certificate on godaddy over non-SSL URL.

Not at all. http://en.wikipedia.org/wiki/Online_Cer ... s_Protocol

2nd words like fingerprinting and then http://noscript.net/abe/wan redirect to page titled "hack" is going to scare most normal administrators and might even uninstall noscript completely from all computers in office thinking its doing something mischievous.

Eh eh, good point. I'm using the http://noscript.net/abe/wan redirect, rather than the direct URL of the article, because I plan to put there a proper documentation page integrated in the ABE sub-site, rather than redirecting indefinitely to the blog. So it's just a temporary redirect (I've got to find the time for this, but will do ASAP).

3rd, I have Squid and OpenDNS, so http://[IP] actually gets redirected to guide.opendns.com somehow. May be squid doesnt support [IP] and tries to resolve it instead.

http://[IP] should work both for IPv6 and IPv4 addresses. However I can change the code to use the brackets only with IPv6 addresses in next dev build, maybe it will help.
Thanks for pointing that out.

4th, may be no-ip.com or dnsomatic/opendns or whatismyip.com can be used to detect IP address. They have similar specific URLs to detect IP.

Unfortunately (?) there are currently millions of NoScript users out there, and I can't just drop the additional traffic (with no ads rewards, BTW, since it's a background request) on the shoulders of a 3rd party. Furthermore, the update wouldn't be accepted by AMO because a change sending HTTP traffic to a 3rd party is against their policies (I double checked with Jorge Villalobos of addons.mozilla.org and discussed a whole week this feature inside the Mozilla Security Group to ensure the current setup is OK).

5th, i dont think assuming that everyone uses personal modem is good idea. Some also have ISP who offers LAN based connection, ISP might get annoyed by continuous fingerprinting.(or even SYNs)

They're not "continuous". They happen every 5 mins in current stable, and 15 mins in current development builds. I believe they're negligible, if compared with the overall traffic generated by the browser (even just with the SafeBrowsing feature or by downloading RSS feeds in the background), and if they're not they can be easily disabled either by the user or by the network administrator with a firewall rule.

I am not sure if its already so, but fingerprinting cud be disabled if server cant be reached on first try i.e. port is closed. Which means attacker cant do anything anyway (atleast on that IP)

It's already this way.

May be you can include an option to specify possible WAN IPs as comma separated list of network/netmask (which gets included in LOCAL).

That's a good idea, indeed.

[ammdispose]

Thanks for all answers and clarifications.

[MalcontentoX]

If a small thread hijack can be forgiven here...
The condition underlying the vulnerability is the default rule in the *router* which lets the router go to the external IP from the LAN.
Nothing in Fx with NS makes the traffic necessary.
What would be a really useful place to complain?
The router manufacturer maybe?

My router manufacturer would've got thanked for the stronger default setup; one dataless attempt and NoScript leaves my router alone for the rest of the session... but they typically *don't* respond to any support/bug requests from me, a home user, so why would I bother.
You could even get the impression that they're happy to leave us home users all hanging out to dry.
Thanks Giorgio heaps.