A TCP Ping Reveals Hosts by Connection Refused Error

A TCP Ping Reveals Hosts by Connection Refused Error

By Doctor Electron

Network analysts use replies to the ICMP echo request (ping) packets to assess the presence of on-line hosts. However, many networks have firewalls which refuse to reply to ping. An established TCP connection also demonstrates that the remote host is on-line, but there are the disadvantages that the remote host must have ports listening for connections usually associated with some service, like a web page or ftp server, and that the analyst already has information about what services are offered by the host.

This preliminary report illustrates the use of the TCP [RFC 793] connection refused error as a method to discover and demonstrate the presence of on-line hosts in a network. When a client program sends a TCP SYN packet to request a connection, a reply packet with the ACK and RST flags set, according to examination of captured packets, is classed as a connection refused error. The msec response latency for receipt of this error packet is generally similar to that required for establishing a connection concerning the first two steps in the handshake procedure.

An interesting result in this preliminary data is that certain networks may be mapped and described by connection refused error when ICMP echo requests and established TCP connections fail to reveal information. A later report will analyze this data more rigorously from a statistical point of view.

Methods

Random sampling was used to allow estimation of population statistics. Four bytes define a "v4" IP address. Valid IP addresses were randomly generated in a range from 1.0.0.1 to 219.255.255.254 [RFC 1466, RFC 1518, RFC 1519].

Several methods were used to determine the presence of a host at a random address as reported previously [1]. In addition, connection refused error (WSA error 10061) was logged. To summarize, four types of internet behavior were observed:

1. Single packet ICMP echo requests [RFC 792] elicited echo responses from the randomly selected host which will be denoted "Ping" hosts in these articles.

2. A different host revealed by its response to the ping packet with any error report such as host unreachable or TTL expiration which will be called "ICMP Error" hosts.

3. TCP connection to ports commonly used for common services such as FTP, SSH, Telnet, SMTP, HTTP, NetBios (port 139) and HTTPS [RFC 1700].

4. Connection refused errors.

The author wrote the software used for data collection. Descriptions of recipients of address space allocations in Table 1 were obtained from IANA.

Results

Data collected thus far using random sampling includes 13,706 ICMP Error and 43,370 TCP responses. In general, as sampling proceeded, more than two ICMP Error reporters volunteered their IP address for each Ping (n = 5,619) response obtained from a randomly selected address. Thus far, 18,362 connection refused errors have been logged.

Table 1 shows where hosts were found. The data is organized according to internet prefixes using the X/8 notation [RFC 1519]. Each entry, 4, 6, 10, 12, etc, denotes an X/8 address space, which includes all addresses X.0.0.1 to X.255.255.254. This organization of the data according to X/8 prefixes illustrates the kind of results which can be obtained. Network analysts may use similar procedures to describe any IP address prefix for any size network.
Table 1: IPv4/8 Addresses Where Hosts Were Found

X/8 Description Ping Error TCP 10061 Total 004/8 Bolt Beranek and Newman Inc. 19 123 52 85 279 006/8 Army Information Systems Center 0 0 14 1 15 010/8 IANA-Private Use 0 129 1 0 130 012/8 AT&T Bell Laboratories 99 296 180 343 918 015/8 Hewlett-Packard Company 1 0 0 0 1 018/8 MIT 2 3 4 28 37 020/8 Computer Sciences Corporation 0 0 0 555 555 024/8 ARIN-Cable Block 164 41 347 630 1182 032/8 Norsk Informasjonsteknologi 4 5 9 3 21 033/8 DLA Systems Automation Center 0 4 4 2 10 035/8 MERIT Computer Network 1 8 15 4 28 038/8 Performance Systems Internat'l 6 27 11 9 53 043/8 Japan Inet 7 1 9 50 67 044/8 Amateur Radio Digital Com. 0 0 0 1 1 051/8 Dept. of Social Security of UK 0 0 2 0 2 052/8 E.I. DuPont de Nemours and Co 1 0 0 0 1 053/8 Cap Debis CCS 0 1 0 0 1 055/8 Boeing Computer Services .mil 0 0 1948 1078 3026 057/8 SITA (French) 3 6 0 4 13 061/8 APNIC-Pacific Rim 131 127 456 690 1404 062/8 RIPENCC-Europe 74 243 410 279 1006 063/8 ARIN 95 262 459 225 1041 064/8 ARIN 159 238 1573 483 2453 065/8 ARIN 107 206 660 421 1394 066/8 ARIN 132 123 1015 545 1815 067/8 ARIN 24 188 100 203 515 068/8 ARIN 58 13 87 345 503 075/8 IANA-Reserved 0 0 1 0 1 079/8 IANA-Reserved 0 0 0 1 1 080/8 RIPENCC-Europe 47 41 198 308 594 081/8 RIPENCC-Europe 2 2 15 32 51 085/8 IANA-Reserved 0 0 0 1 1 100/8 IANA-Reserved 0 2 0 0 2 128/8 Various Registries 64 118 636 251 1069 129/8 Various Registries 38 116 950 205 1309 130/8 Various Registries 36 130 573 318 1057 131/8 Various Registries 25 76 3044 147 3292 132/8 Various Registries 11 43 3905 388 4347 133/8 Various Registries 8 87 171 187 453 134/8 Various Registries 27 74 515 140 756 135/8 Various Registries 0 4 0 0 4 136/8 Various Registries 10 15 186 68 279 137/8 Various Registries 15 105 1433 130 1683 138/8 Various Registries 7 37 231 97 372 139/8 Various Registries 13 156 280 43 492 140/8 Various Registries 20 60 555 82 717 141/8 Various Registries 17 84 165 117 383 142/8 Various Registries 25 60 472 118 675 143/8 Various Registries 8 40 233 131 412 144/8 Various Registries 14 223 332 125 694 145/8 Various Registries 2 52 65 40 159 146/8 Various Registries 17 92 330 142 581 147/8 Various Registries 3 33 814 133 983 148/8 Various Registries 14 74 132 92 312 149/8 Various Registries 7 31 26 62 126 150/8 Various Registries 12 127 249 178 566 151/8 Various Registries 23 142 402 101 668 152/8 Various Registries 16 132 171 212 531 153/8 Various Registries 3 10 283 23 319 154/8 Various Registries 1 66 4 5 76 155/8 Various Registries 9 33 713 134 889 156/8 Various Registries 3 17 87 37 144 157/8 Various Registries 12 277 118 183 590 158/8 Various Registries 7 78 791 150 1026 159/8 Various Registries 7 41 399 124 571 160/8 Various Registries 10 95 207 138 450 161/8 Various Registries 9 46 100 107 262 162/8 Various Registries 6 21 334 37 398 163/8 Various Registries 10 50 93 189 342 164/8 Various Registries 7 78 346 65 496 165/8 Various Registries 12 90 141 85 328 166/8 Various Registries 12 66 54 46 178 167/8 Various Registries 7 37 232 146 422 168/8 Various Registries 17 141 191 81 430 169/8 Various Registries 3 54 38 38 133 170/8 Various Registries 3 46 80 48 177 171/8 Various Registries vaskapu .hu 3 6 115 9 133 172/8 Various Registries aol.com 106 100 18 861 1085 179/8 IANA-Reserved 0 0 0 1 1 188/8 IANA-Reserved (is RIPE) 0 1 0 0 1 192/8 Various Reg. - MultiRegional 34 309 154 96 593 193/8 RIPENCC-Europe 65 347 346 165 923 194/8 RIPENCC-Europe 80 450 359 163 1052 195/8 RIPENCC-Europe 137 631 586 249 1603 196/8 Various Registries 12 35 95 31 173 198/8 VariousRegistries 49 272 344 143 808 199/8 ARIN-North America 48 129 212 114 503 200/8 ARIN-Central and South America 117 354 425 248 1144 202/8 APNIC-Pacific Rim 141 603 516 216 1476 203/8 APNIC-Pacific Rim 171 479 663 265 1578 204/8 ARIN-North America 92 255 512 117 976 205/8 ARIN-North America 60 203 373 80 716 206/8 ARIN-North America 138 433 516 139 1226 207/8 ARIN-North America 184 385 836 250 1655 208/8 ARIN-North America 196 330 791 220 1537 209/8 ARIN-North America 386 381 1945 330 3042 210/8 APNIC-Pacific Rim 256 531 911 351 2049 211/8 APNIC-Pacific Rim 502 417 1489 824 3232 212/8 RIPENCC-Europe 194 579 974 297 2044 213/8 RIPENCC-Europe 233 388 556 305 1482 214/8 US-DOD 0 0 2 1 3 215/8 US-DOD 0 0 2 3 5 216/8 ARIN-North America 454 428 2391 526 3799 217/8 RIPENCC-Europe 177 180 556 261 1174 218/8 APNIC-Pacific Rim 63 33 31 526 653 219/8 APNIC-Pacific Rim 15 1 1 102 119 Column totals are random sample size 5619 13706 43370 18362 81057
Legend: Ping, ICMP echo replies. Error, ICMP echo request error reports by "volunteer" hosts. TCP, established connections mainly with ports 21, 22, 23, 25, 80, 113, 139 and 443. 10061, connection refused error reports. The Ping, Error and TCP columns of data were gathered in another study [1]. At this writing, 219/8 is below its sample size quota.
Table 1 shows that connection refused error was the only method used which revealed the presence of remote hosts in sampling of the 20/8 (n = 555), 44/8, 79/8, 85/8 and 179/8 address spaces.

Discussion

The data, based on random sampling in most of IPv4 address space, showed that TCP connection refused error may be a useful method to discover and describe network structures. The address space allocated to Computer Sciences Corporation (CSC) at 20/8 is an excellent case in point.

The utility of the connection refused responses may be summarized:

1. Reveal networks and individual hosts that other methods may miss. Indeed, the CSC network has not yet been documented by the ICMP and TCP connection data based on random sampling.
2. Assist in mapping network components and structures. In all of those cases in Table 1 where the connection refused responses accompany responses in other categories listed, the specific addresses may be (and in this study, because of the random sampling, almost always were) different in each of the categories (columns) shown. Thus, a more complete picture and assessment of the machines or virtual addresses in a particular network are obtained.
3. Knowledge of which ports are listening (open) on which machines is less important or perhaps not needed at all. That is, our results thus far indicate that the typical active host may refuse connections regardless of the port specified in the connection request.

Connection refused responses allow the mapping of networks and may therefore be viewed as a vulnerability regarding the privacy of network resources. The general interpretation of this type of on-line behavior, then, is as an indicator of insecured computers. The ratio of observed to expected connection refused responses is highest for CSC, the present undisputed world champion.

In this CSC network, connection refused errors are routinely returned only for certain ports (author, unpublished data), such as 21 (ftp), 22 (ssh) and 443 (https). Remarkably, about 24% of random 20.x.y.z addresses return these TCP error packets providing an accurate measurement of the corresponding total CSC on-line hardware. On the other hand, other ports are most often silent. That is, TCP SYN packets requesting a connection with ports like 25 (smtp) and 80 (http) are ignored.

This would seem to be the inverse of what might be expected in a secure network. Namely, it is exactly the ports where authentication and security is usually of greatest concern (21, 22 and 443) that are giving out the IP addresses of the machines that presumably have the most private information. In contrast, little or no authentication is typically required to establish a TCP connection for ports 25 and 80, and it might appear that CSC may have greater security installed for machines that might run these services.

Finally, in Net Census research, the least is assumed about the remote hosts. In particular, it is not assumed that responses will follow specifications such as set forth in the RFC's. This study reports what actually occurs, regardless of what is supposed to occur according to specifications and generally accepted rules.

References

[1] Doctor Electron, "Computers Connected to IPv4 Address Space", June, 2002.
[IANA] Internet Assigned Numbers Authority, "Internet Protocol in v4 Address Space", December, 2001.
[RFC 792] Postel, J., "Internet Control Message Protocol", September, 1981.
[RFC 793] Information Sciences Institute, Univ. of Southern Calif., "Transmission Control Protocol -- Darpa Internet Program Protocol Specification", September, 1981.
[RFC 1466] Gerich, E., "Guidelines for Management of IP Address Space", May, 1993.
[RFC 1518] Rekhter, Y., and T. Li, "An Architecture for IP Address Allocation with CIDR", September, 1993.
[RFC 1519] Fuller, V. et al. "Classless Inter- Domain Routing (CIDR): an Address Assignment and Aggregation Strategy", September, 1993.
[RFC 1700] Reynolds, J. K., and J. Postel, "ASSIGNED NUMBERS", October, 1994.

The reader is welcome to contact Global Services for more specific data from our present databases or further data collection regarding specific IP address prefixes.

Copyright © 2002 Global Services
Original publication: August 10, 2002

Back to Net Census