[Rack] Oddity on 75.101.62.88

Jonathan Lassoff jof at thejof.com
Mon Jun 18 06:11:54 UTC 2012


On Sun, Jun 17, 2012 at 10:15 PM, Isis <isis at patternsinthevoid.net> wrote:
> I have spent the morning reverse engineering and analyzing this network
> analysis tool Netalyzr. Because the thing required a JVM to run, I based my
> analysis on the reversed source code instead of running it. Then I decided to
> run it anyway to see how accurate it is.

I like it -- it's a really accessible test for users to make sure
their ISPs are doing weird stuff.

> The returned report contained the following funniness:
>
>    Direct TCP connections to remote secure IMAP servers (port 585) succeed, but
>    do not receive the expected content.
>
>    The connection succeeded but came from a different IP address than we
>    expected. Instead of the expected IP address, we received this request from
>    75.101.62.88.

This may be due to the way we're balancing traffic across two ISPs.
Subsequent connections may originate from different external IPs.

Since we have two ISPs and paths out to the Internet, and both require
us to source traffic from the ISP's own address space, some
application-layer (TCP, UDP, etc.) flows will take one ISP/path, and
others may take the other.

Currently, approx. 90% of flows will get sent out via Monkeybrains,
and another ~10% out via Sonic.net.

> So, then I try to pull the certificate from a mailserver to check it, and
> nope. No certificate. Wireshark showed a bunch of TLSv1 Encrypted Alerts,
> followed by wintermute sending a bunch of (apparently ignored) [RST, ACK]s,
> and then a [FIN, ACK], and then there's just a bunch more TLSv1 Encrypted
> Alerts as if the mailserver never got the FIN:
>
>    isis at wintermute:~$ openssl s_client -serverpref -msg -connect box658.bluehost.com:465 -starttls smtp -showcerts

I'm not sure what is expected here. I can connect up to TCP/465 on
box658.bluehost.com, but it seems to be a plain TLS-wrapped service,
rather than an SMTP / STARTTLS one.
Connecting up with OpenSSL via bikeshed (the Vyatta router) works just
fine for me (with "openssl s_client -connect 66.147.244.158:465
-tls1")

> So, question: what is Vyatta, and why does it appear to be MITMing IMAPS
> connections? Also, I asked other people around to try to connect to IMAPS
> servers through GUIs with cert verification enabled, and Mischief set up tried
> to google through Thunderbird and the connection failed.

Vyatta is a commercial Linux-based router/firewall distribution/OS. It
runs on an embedded computer named "bikeshed" mounted on the
Wall-O-Tubes at 2169.

--j
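The thread's confusion comes from layering: port 465 is an implicit-TLS (SMTPS) port, so `-starttls smtp` waits for a plaintext 220 greeting that never arrives, while the server is already expecting a ClientHello. As an added example (not code from the thread or from Netalyzr), the probe below lets the server's first bytes decide between implicit TLS and a STARTTLS upgrade, fetches the verified certificate either way, and decodes the 5-byte TLS record header that gives Wireshark its "TLSv1 Encrypted Alert" label. The host names and byte strings are constructed samples; `fetch_mail_server_cert` needs network access, the other two functions run offline.

```python
import socket
import ssl

# Constructed sample inputs, not captured from any host named in the thread.
SAMPLE_SMTP_BANNER = b"220 mail.example.invalid ESMTP ready\r\n"
SAMPLE_TLS_ALERT = bytes.fromhex("15030100020246")  # TLSv1 alert record: fatal, protocol_version

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def classify_first_bytes(data: bytes) -> str:
    """What the server sends first tells you how TLS sits on the port:
    a '220' greeting is plaintext SMTP with a STARTTLS upgrade (25/587);
    silence means it waits for our ClientHello, i.e. implicit TLS (465/993);
    a TLS record means it is already speaking TLS (e.g. an alert to a bad ClientHello)."""
    if not data:
        return "implicit-tls"
    if data[:4] in (b"220 ", b"220-"):
        return "starttls"
    if len(data) >= 5 and data[0] in TLS_CONTENT_TYPES and data[1] == 3:
        return "tls-record"
    return "unknown"


def decode_tls_record_header(data: bytes) -> dict:
    """Decode the TLS record header: content type (21 = alert), version, body length."""
    if len(data) < 5:
        raise ValueError("record header needs 5 bytes")
    version = int.from_bytes(data[1:3], "big")
    return {"type": TLS_CONTENT_TYPES.get(data[0], f"unknown({data[0]})"),
            "version": TLS_VERSIONS.get(version, hex(version)),
            "length": int.from_bytes(data[3:5], "big")}


def fetch_mail_server_cert(host: str, port: int, timeout: float = 3.0) -> dict:
    """Connect, wait briefly for a banner, negotiate TLS the way the port expects,
    and return the verified peer certificate (ssl.SSLError on verification failure)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        first = sock.recv(512)
    except socket.timeout:
        first = b""  # no greeting: implicit TLS, the server is waiting for our ClientHello
    mode = classify_first_bytes(first)
    if mode == "starttls":
        sock.sendall(b"EHLO probe.example.invalid\r\n")
        sock.recv(4096)  # EHLO reply; a full client would look for the STARTTLS capability
        sock.sendall(b"STARTTLS\r\n")
        if not sock.recv(512).startswith(b"220"):
            raise RuntimeError("server refused STARTTLS")
    elif mode != "implicit-tls":
        raise RuntimeError(f"unexpected first bytes from server: {first[:32]!r}")
    with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
        return tls.getpeercert()
```

Because the default context verifies the chain and host name, a certificate substituted on the path (the MITM the original post suspected) shows up as an `ssl.SSLError` rather than as a silently returned certificate.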