Computer Science Corporation: Buy or Sell?

Computer Science Corporation: Buy or Sell?
The connection refused vulnerability in an IT giant

By Doctor Electron

Preface: President Bush and his computer security appointee Richard Clarke have asked researchers and IT professionals to report possible computer security risks to responsible persons in the governmental or private organizations concerned. Did the President and his staff also ask that the organizations be responsive to such reports?

This preliminary case study shows that much of the structure and function of the Computer Science Corporation network may be revealed by analysis of internet connection refused responses.

Computer Science Corporation (CSC) was found to be unique regarding internet connection refused replies comparing among x/8 (x.0.0.1 to x.255.255.254) [RFC 1519] samples in study of IP address subspaces [1,2]. 20/8 addresses allocated to CSC by IANA were alone in responding primarily with TCP connection refused messages. Internet responses such as these from the CSC network have been classed as a computer security vulnerability [1]. Thus, CSC may be a useful prototype to examine the nature and extent of this vulnerability.

According to its web site, CSC provides IT solutions and among many areas, specifically lists hosting services, information security and IT infrastructure outsourcing. In this light, the major question may be: why does CSC freely hand out to the public rather detailed information about the structure and function of its computer systems, which could be used by hostile parties?

The author tried to contact CSC on behalf of Net Census to elicit any comment or explanation of this phenomenon with emails on 8/10/02 to Peter Gross, listed by ARIN as the responsible person for the 20/8 address range, and on 8/17/02 to Mr. Gross, as well as to "general information," "investor relations," and the CSC public relations officer, listed on their web site. As of this writing, there has been no response.

Buy or sell CSC? Well, the lack of any response might be a sell indicator. The reader might best withhold judgment at least until the results below are presented and several disclaimers are mentioned in the discussion section.

On 8/30/02, Net Census wrote to CSC, "Dear friends: Net Census will assume your lack of response to previous emails indicates lack of interest in the subject matter. This is to notify you that we will be proceeding to publish further detail from studies on the CSC 20/8 prefix as a prototype of the connection refused vulnerability. Best wishes."

The CSC system has the advantage that a large sample of responses can be quickly obtained for statistical analysis. Description of its general features may be instructive for possible study of similar, but smaller networks. Further, network administrators using what might be called the "CSC model" might want to reconsider their positions.

What can we learn from network TCP connection refused (CR) responses? These responses offer four kinds of information: (1) a service port number, (2) the IP address used by a machine in a network, (3) the response time in milliseconds and (4) the percent of addresses in a range issuing CR responses.

Methods and Results

The author wrote most of the software used for data collection, management and analysis.

1. What is the CSC profile for CR responses by port number?

It is well known that the internet interface of popular operating systems may reply to TCP connection requests to ports not offering services with connection refused error packets, which have both the ACK and RST flags set. These responses are generally not dependent on the port number and may be elicited from over one percent of randonly selected IP addresses in a range of 1.0.0.1 to 219.255.255.254 with randomly selected port numbers between 21 and 2000 [3, author, unpublished data]. These responses are thought to reflect unsecured computers without firewalls which might otherwise prevent any response to the lab data collection program. That is, connection requests would time out with no response rather than receive specific CR responses.

The first feature noted in the CSC network is that CR responses are issued to the client program over the internet only for selected port numbers [1], as shown in part in Table 1.
Table 1: CSC Percent CR Responses by Port

Port N %CR SE 21 FTP 22930 23.26 0.28 22 SSH 22975 23.50 0.28 443 HTTPS 24614 23.01 0.27 554 RTSP 22439 23.61 0.28 1463 NUCLEUS 20754 0.02 NA

Legend: Each row represents a random sample of N connection requests in 20/8 address space. %CR, percent connection refused responses. SE, standard error of %CR. RTSP, Real time stream protocol [RFC 1700].

There was no marked difference in CR response rates for ports 21, 22, 443 and 554. The similarity in the response rates suggests that the same machines may be operating these services or at least, emitting these responses. This was confirmed by running each of the four samples of addresses on the other three ports. The nearly one hundred percent response rates in every case confirmed that an address emitting a CR response to one of the four ports -- 21, 22, 443 and 554 -- almost always responded the same to each of the three other ports.

The average CR response rate of 23.36% estimates the percent of 20/8 address space which appears to be occupied by the responding machines. This idea is developed further with information in Table 2 below.

Finally, only 0.02 percent of CSC hardware refuses connections on Nucleus port 1463 [RFC 1700]. Before the reader scoffs at this small percent, consider that 0.02 percent of over 16.6 million addresses (256 x 256 x 254) estimates over 3,300 addresses issuing CR responses for port 1463. The hook for this article referring to an "IT giant" was not kidding. Incidentally, the utility of random sampling as a research method is highlighted as soon as one considers that the population consists of over 16 million addresses.

Randomizing both port numbers and addresses in the 20/8 range, CR responses from other ports have been obtained and may merit detailed attention at a later time.

2. What hosts issue CR packets in CSC address space?
Table 2: 20.y/16 CR responses by address (left) and latency (right)

x.y/16 N Nm msec SEM x.y/16 N Nm msec SEM 20.1 387 1538 1107 3 20.18 390 1559 1099 1 20.2 384 1533 1102 2 20.37 399 1595 1099 2 20.3 355 1417 1103 3 20.60 373 1488 1099 2 20.4 366 1461 1104 3 20.6 377 1504 1100 3 20.5 359 1433 1104 2 20.7 384 1529 1100 1 20.6 377 1504 1100 3 20.15 400 1599 1100 2 20.7 384 1529 1100 1 20.36 357 1427 1100 2 20.8 383 1532 1102 2 20.42 360 1439 1100 1 20.9 353 1412 1103 3 20.63 375 1499 1100 1 20.10 363 1447 1106 3 20.193 60 238 1100 3 20.11 377 1504 1108 4 20.197 375 1497 1100 2 20.12 389 1555 1104 3 20.13 373 1491 1101 3 20.13 373 1491 1101 3 20.43 382 1526 1101 2 20.14 388 1550 1102 2 20.52 381 1523 1101 3 20.15 400 1599 1100 2 20.53 399 1595 1101 2 20.16 398 1591 1107 3 20.61 349 1395 1101 2 20.17 377 1507 1103 3 20.2 384 1533 1102 2 20.18 390 1559 1099 1 20.8 383 1532 1102 2 20.19 354 1414 1103 3 20.14 388 1550 1102 2 20.20 407 1627 1103 3 20.55 388 1551 1102 3 20.21 376 1488 1103 2 20.56 386 1543 1102 2 20.22 384 1534 1105 3 20.195 379 1516 1102 3 20.23 372 1484 1104 3 20.196 357 1425 1102 3 20.24 45 180 1114 13 20.199 387 1547 1102 2 20.31 3 12 1109 20 20.3 355 1417 1103 3 20.32 370 1479 1106 3 20.9 353 1412 1103 3 20.33 378 1510 1103 2 20.17 377 1507 1103 3 20.34 379 1514 1104 3 20.19 354 1414 1103 3 20.35 385 1538 1107 3 20.20 407 1627 1103 3 20.36 357 1427 1100 2 20.21 376 1488 1103 2 20.37 399 1595 1099 2 20.33 378 1510 1103 2 20.38 380 1520 1109 4 20.59 395 1578 1103 2 20.39 377 1507 1111 4 20.4 366 1461 1104 3 20.40 372 1485 1105 1 20.5 359 1433 1104 2 20.41 369 1475 1105 3 20.12 389 1555 1104 3 20.42 360 1439 1100 1 20.23 372 1484 1104 3 20.43 382 1526 1101 2 20.34 379 1514 1104 3 20.44 370 1478 1105 3 20.46 384 1534 1104 2 20.45 348 1388 1105 3 20.48 410 1639 1104 3 20.46 384 1534 1104 2 20.51 399 1593 1104 3 20.47 381 1521 1107 3 20.54 375 1497 1104 3 20.48 410 1639 1104 3 20.57 366 1461 1104 2 20.49 395 1579 1107 4 20.62 351 1402 1104 3 20.50 391 1560 1106 3 20.198 368 1472 1104 3 20.51 399 1593 1104 3 20.22 384 1534 1105 3 20.52 381 1523 1101 3 20.40 372 1485 1105 1 20.53 399 1595 1101 2 20.41 369 1475 1105 3 20.54 375 1497 1104 3 20.44 370 1478 1105 3 20.55 388 1551 1102 3 20.45 348 1388 1105 3 20.56 386 1543 1102 2 20.58 358 1431 1105 3 20.57 366 1461 1104 2 20.10 363 1447 1106 3 20.58 358 1431 1105 3 20.32 370 1479 1106 3 20.59 395 1578 1103 2 20.50 391 1560 1106 3 20.60 373 1488 1099 2 20.134 47 188 1106 4 20.61 349 1395 1101 2 20.1 387 1538 1107 3 20.62 351 1402 1104 3 20.16 398 1591 1107 3 20.63 375 1499 1100 1 20.35 385 1538 1107 3 20.134 47 188 1106 4 20.47 381 1521 1107 3 20.137 2 4 1204 29 20.49 395 1579 1107 4 20.138 1 1 20.11 377 1504 1108 4 20.193 60 238 1100 3 20.31 3 12 1109 20 20.195 379 1516 1102 3 20.38 380 1520 1109 4 20.196 357 1425 1102 3 20.39 377 1507 1111 4 20.197 375 1497 1100 2 20.24 45 180 1114 13 20.198 368 1472 1104 3 20.137 2 4 1204 29 20.199 387 1547 1102 2 20.138 1 1 Total 22802

Legend: x.y/16, all IP addresses from 20.y.0.1 to 20.y.255.254. N, number of CR responses. Nm, number of response time measurements in milliseconds (msec). SEM, standard error of the mean msec (rounded up).

(a) 20.1 - 20.24, (b) 20.31 - 20.63, (c) 20.134, 20.137, 20.138 and (d) 20.193 and 20.195 - 20.199 are the x.y/16 prefixes issuing CR responses (Table 2, left). It appears that there is an orderly usage of the 20/8 space indicated by the blocks of addresses used. The address space usage shows at least four major sections designated by a - d above.

Concerning the number of CR responses in each 20.y/16 prefix (N), a quite uniform usage is generally seen. However, even in this range from about 350 responses to over 400 responses (n = 60 networks), the standard errors of the N's, expressed as probabilities per 20.y/16 prefix, are low enough to strongly indicate statistically significant differences in numbers of responsive addresses among the prefixes (rows) with higher and lower N's.

Some prefixes, such as 20.134 - 20.138 and 20.193 show substantially fewer responses perhaps indicating areas of development or different functionality. This latter interpretation is supported by much smaller numbers of CR responses on other ports at some of these less populated sub-spaces (not shown in Table 2). The 20.31 network looks interesting due to the smaller response rate and for those who think in binary numbers, the 31 byte belongs more with block (a) than block (b).

For a rough calculation, we can count 60.4 (60 + 0.4) networks in Table 2, where all of the networks showing less than 300 responses are represented as the fractional count of 0.4. These networks account for about 23.6% (60.4 / 256) of the address space. This estimate is very close to the values shown in Table 1.

3. Response time and CSC network structure.

Table 2 (right) may be processed to show statistically significant differences in CR response time among CSC 20.y/16 sub-networks, especially comparing the lower (top) and higher values (bottom). Although the absolute differences are most often less than 10 msecs, their presence is clearly detectable. If you lost your statistics book or never had one, here is a quick rule of thumb. With these sample sizes, a statistically significant difference is seen when the smaller value plus its SE (standard error) is less than the greater value minus its SE.

Discussion

This paper has addressed two general questions.

First, why does CSC issue connection refused (CR) responses to the internet? Perhaps we will never know because, as of this writing, CSC seems to want to stand mute to queries from the author. There is always the speculation that somebody in CSC thought that connection refused responses somehow enhanced security of their networks. If this is the thinking, it may be noted that many network administrators do not share that point of view and prefer that their networks stand mute by firewall rejection of unwelcome connection requests.

Second, given this availability of information from CSC, what can we learn from it?

1. The IP addresses of specific machines or of those using virtual addressing technology can be completely listed. This simple fact is the basis for considering this practice by CSC and others as a network vulnerability, since a variety of denial of services attacks require nothing more than the target IP address.

The percent of addresses emitting CR responses to connection requests for specific ports (Table 1) was essentially identical to percent of CR responsive address subspaces (Table 2) in the 256 ranges tested (20.0 - 20.255). This result suggests internal consistency in the data set and acceptable randomness in address selection, but is not what would be expected in the general case.

One might expect in the general case that x.y/16 subspaces would show considerable variability concerning how many computers appear to be active and on-line in a study like this. Further, it is reasonable to assume that operators would assign different tasks which may have quite different work loads to their sub-networks. Some of this expected variability is seen in Table 2 and further docomented in other unpublished data for the 20/8 prefix.

Nonetheless, the overall picture for CSC's 20/8 subspaces (Table 2) is quite unusual. Why? The observed probabilities expressed by the percents of refused requests (Table 1) may be viewed as the product of two probabilities: (1) the proportion of 20.y/16 prefixes in use multiplied by (2) the average proportion of address space used in the active 20.y/16 networks. For example, if half of 20.y/16 networks each used an average of half of their address capacities, we would have 0.5 x 0.5 = 0.25 or a 25% CR rate. The "internal consistency" discussed above actually suggests that the CSC data may be unusual because this latter probability appears to be unity (one), suggesting that all of the over 64,000 addresses in each active subspace are responsive for sixty of the networks (Table 2).

For any organization, no matter how large, to put 60 x.y/16 networks in operation utilizing all of the address capacity is an enormous task. Coupled with the fact the CR responses coming out of CSC's 20/8 address space seem to be intentionally configured to specific ports, it may be more credible to assume that there is in fact substantial variability in the usage of the 60 networks, and that a program or device, perhaps for each network, issues a CR packet for certain ports for any destination address in the connection request regardless of whether or not there is a specific machine on-line at that destination address. In short, we may be witnessing a case of network spoofing by CSC, which would be considered as quite clever and a buy indicator for its stock.

Other aspects of the data collected suggest that real network information is being revealed by the CR responses, at least in part.

2. The specific usage of the allocated address space indicated blocks of sub-networks at CSC which is suggestive of some degree of difference in functionality, if only by behavioral criteria. People seem to use number ranges to identify categories of items. If this common behavior is applicable in the CSC network, we have been provided with an "outline" of some of its activities. Thus, the blocks may correspond to qualitatively different activities and could be individually tracked.

3. The port numbers that specifically elicit CR responses are quite specific and therefore may provide a speculative window into the kinds of activities and software used and their most likely vulnerabilities. The observed dependence on port number strongly suggests that the CR responses were specifically configured as they were found and reported above. The motive to do this is unclear, to say the least.

4. Repeated assessments of address space usage could be used to graph over time the size of a particular network. This item and others listed below could be used by stock analysts to see if management projections of growth agree with independently gathered empirical data. This illustrates the "buy or sell" relevance of this kind of study.

5. Repeat testing of specific address sets can document resource usage over time. For example, in those cases where computers are simply turned off when workers go home, no CR responses (or other types of internet responsiveness) would be obtained. Thus, an analyst could track work activity in an organization associated with an IP address range, over time (days, weeks, etc) or by hour of the day. Noteworthy changes in activity may be interpreted as indicating some significant event in the organization. If the activity level changes, maybe it is time to buy the stock or sell it.

In the case of CSC, a remarkable stability was found. Namely, the addresses responded to the repeated latency measurements (four ports per address) like clockwork, suggesting that all of the corresponding hardware is powered on and on-line 24/7. Depending on context, this could be an indicator to buy (they are very busy) or to sell (they are wasting electricity).

6. Repeat testing might also assess hardware maintenance. The lowest value seen in the sessions measuring latencies was 99.71% from CSC addresses already logged as being responsive previously. Most of the values were much closer to 100%. The author finds these observations to be remarkable. A lot of people deserve a lot of thanks and credit. In Net Census studies, there is no trying again. A single SYN packet is sent; there is a response or not and that is the result. It is almost unbelievable that such a complex communications process could be demonstrably functioning at essentially 100% efficiency. Regarding CSC, we would have to rate their part of this process at 100%. The hardware maintenance chief merits a bonus. True, 0.3% or less apparent loss of packets could be anybody's fault and may indicate a few machine failures somewhere.

7. Significant differences in CR response time were found among the sub-networks. A likely explanation for longer response times is that packets of identifiable sub-networks traverse more steps within the CSC system. An alternative explanation might be that the sub-networks are located in different locations using different internet gateways. The rather small differences seen in this case suggest, however, but not conclusively so, that all of this hardware is located in one facility.

A more precise analysis of the latencies might reveal how many network steps are between prefixes listed in Table 2 and the general internet gateway(s). Alas, to be conservative, the SEM's in Table 2 were rounded up. Next time, they should be presented with at least two significant figures (e.g., 1.7 instead of 2 msec) to better document where the statistically significant differences are.

This tutorial has used well known ideas to explore how much can be learned from CR responses from a network. This may be most important in cases like CSC where CR responses may be the only information available. It has been seen that rather specific data can be obtained re port numbers, IP addresses and response latencies. It should also be noted that this information does not establish that CSC is directly operating these computers in the 20/8 address space. IANA does state that this space is allocated to CSC, as the 55/8 space is allocated to Boeing, although one finds that 55/8 is mostly populated with .mil domains.

As with many Net Census findings, one might keep in mind that internet behavior, like human behavior, can be difficult to interpret correctly and conclusively. For example, the absence of responses at selected addresses (those not listed in Table 2) may reflect the absence of on-line machines or simply that any machines at those addresses chose not to repond.

Summary

In a survey of x/8 IP address spaces, Computer Science Corporation (CSC) was unique in showing only one category of internet responsiveness, TCP connection refused (CR) error packets [1]. It was found that port number and IP address information in these packets issued by CSC in response to connection requests, plus measurement of the response times and percent of requests refused, could be used to describe the internal structure of this 20/8 address space. Specifically, the CR responses allow description of blocks of sub-networks and permit tracking of organization function and development over time. The port numbers provide basis to develop speculation on what kinds of activities and even what software might be employed.

All of this information could assist hostile parties in attacking CSC managed systems. Denial of service efforts are more likely to be successful if specific IP addresses are known. Selection among these addresses can further target such hostile behavior, as provided by the blocks of networks which are identifiable. Successful speculation associating the observed patterns of port numbers eliciting CR responses with likely software choices could assist an attacker in choosing known exploits in that software to pursue malicious activity.

These considerations bring us full circle to the original question: Why are CR packets issued by 20/8 addresses presumably managed by CSC? Although this question remains unanswered, the author has no reason to suppose that CSC is anything but a reputable and outstanding organization. With over 170 million shares selling in the upper 30s, its stock price indicates that many people believe CSC is doing a good job. Of course, if we find that CR responses from CSC managed computers suddenly become an "extinct species," this could be a buy indicator.

References
[1] Doctor Electron, "A TCP Ping Reveals Hosts by Connection Refused Error", August, 2002.
[2] Doctor Electron, "Network Profiling with Randomly Sampled Data", August, 2002.
[3] Doctor Electron, "Internet Host Behavior Statistics by Port", August, 2002.
[IANA] Internet Assigned Numbers Authority, "Internet Protocol in v4 Address Space", December, 2001.
[RFC 1519] Fuller, V. et al. "Classless Inter- Domain Routing (CIDR): an Address Assignment and Aggregation Strategy", September, 1993.
[RFC 1700] Reynolds, J. K., and J. Postel, "ASSIGNED NUMBERS", October, 1994.

Copyright © 2002 Global Services
Original publication: September 4, 2002

Back to Net Census