What's Behind The Odd Data? 264
citking writes "CNet is reporting that 'network administrators and security experts continue to search for the cause of an increasing amount of odd data that has been detected on the Internet.' While this has been going on now for a few days and some experts have already declared victory against the 'trojan', others aren't so sure that the real culprit has been identified yet. Other stories can be found here(1) and here(2)."
Shouldn't this be the.... (Score:5, Insightful)
Heh
They don't know WHAT to watch for (Score:5, Interesting)
Here's my theory. Some clever Zombie author has reasoned that a packet addressed to the actual address of the Zombie or its controller might help security people track it down. So, the real source 'return address' is either hidden inside the actual data packet (encrypted of course) or established in a config file or Registry entry and only changed when an appropriate message is received. And the destination address is deliberately non-existent, but on the same subnet as the actual destination (or there is a compromised router upstream from that subnet that's part of the scheme), which is sniffing for these packets and responding in kind.
The large window size is probably a red herring - the real protocol being used is probably more like UDP than TCP. Or it's been thrown in to befuddle stateful packet filters. Or perhaps the window size is the signal to the sniffer that this protocol is involved - any packet without that window size need not be further examined.
It's a scheme that would also work quite nicely for people living under repressive regimes that want to be able to communicate with human-rights orgs without leaving a trail of bread crumbs back to themselves or their correspondents.
Interesting how ISS works... (Score:5, Funny)
nc
Re:Interesting how ISS works... (Score:2)
Wintermute (Score:4, Funny)
Re:Wintermute (Score:2)
My Evil Genius(tm) brother, who dropped out of site from the world in 1988, has finally released his P1(b) worm.
We Are DOOMED! Doomed, I tell you!
But, it should patch quite a few security holes, also.
FREENET=Free speech.
Same amount as always (Score:4, Funny)
Re:Same amount as always (Score:2, Funny)
The parity bit is the data. The other 50K is just stuff to make the parity have the desired value.
For those too lazy to read the article : ) (Score:5, Informative)
It apparently requires being installed by hand by the originator (or someone else, I suppose) But then it makes the machine into an effective zombie for the originator.
It does a good job of hiding the infection - sending out 1000 spoofed addresses for each real one.
It targets linux only, at least so far.
It is apparently trying to map internet connected networks.
Re:For those too lazy to read the article : ) (Score:3, Insightful)
It is a theory - and I don't have proof (SCO?) (Score:5, Informative)
The following is my theory, and it is also without proof, but I'll provide some logic at least.
My supposition is that it tries to talk to lots of IPs, spoofed from lots of IPs. And that since it's not self-propagating, it's either 1) wasting time or 2) mapping. 3) doing something we haven't managed to detect.
People don't usually like to give answer 3, answer 1 seems like a silly reason for the author to put in so much work, so we're left with answer 2.
Now, does this mean this mapping is nefarious? Not itself, except that it's being done by someone ok with hacking and apparently skillful. To blatantly rip off another poster, maybe it's SCO trying to find all the linux boxen : )
Re:It is a theory - and I don't have proof (SCO?) (Score:4, Interesting)
jeremy
Re:It is a theory - and I don't have proof (SCO?) (Score:3, Funny)
1) wasting time or
2) mapping.
3) doing something we haven't managed to detect.
I'd go for
4) to confuse the Russians.
Re:It is a theory - and I don't have proof (SCO?) (Score:3, Informative)
Re:It is a theory - and I don't have proof (SCO?) (Score:2, Funny)
Re:For those too lazy to read the article : ) (Score:5, Interesting)
lol.. (Score:5, Funny)
Re:lol.. (Score:3, Funny)
And they found the true meaning of evil.
What does odd data look like? (Score:5, Funny)
PING www.google.com (216.239.33.101): 56 octets data
64 octets from 216.239.33.101: icmp_seq=0 ttl=44 time=90.3 ms
64 octets from 216.239.33.101: icmp_seq=1 ttl=44 time=91.2 ms
64 octets from 216.239.33.101: icmp_seq=2 ttl=44 time=97.4 ms - odd data message "HELP ME! I'M TRAPPED IN THE INTERNET"
64 octets from 216.239.33.101: icmp_seq=2 ttl=44 time=92.8 ms
--- www.google.com ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
May be possessed by lost soul
round-trip min/avg/max = 90.3/90.7/91.2 ms
Re:What does odd data look like? (Score:5, Funny)
Good lord. Isn't this the sort of thing the Internet Task Force was put together to help? I've never actually seen the task force but with a name like that I imagine they're like a geek version of the Justice League. In fact right now I bet they're sitting around a table at the Hall of TCP/IP, debating what to do next before flying off to rescue that poor, brave soul who is "trapped in the internet."
I sleep better at night knowing we have heroes like that on our side.
Re:What does odd data look like? (Score:2, Funny)
Re:What does odd data look like? (Score:2)
pointers no longer used. It doesn't leave dangling pointers, and can
make debugging more easy.
Re:What does odd data look like? (Score:3, Funny)
Hmmmm.... (Score:3, Funny)
Re:Hmmmm.... (Score:2)
Re:Hmmmm.... (Score:3, Informative)
If it is truly pirated it is not government property, it is the property of the owner.
However, the Legeslative branch frequently exempts itself from laws uder the seperation of powers issue, prevent the Executive branch from exercising power over them.
This slowed down a bit in the mid-1990's and ,
Re:Hmmmm.... (Score:2)
Doubtful we could prove it, unless those 1000 "random" IP address can be found to map to porn servers. Still not proof that it's Hatch's work, but at least it would demonstrate a consistent pattern of behaviour!
Dark data (Score:3, Funny)
magic lantern? (Score:5, Informative)
from
http://www.informationweek.com/story/showArticl
"One thing is clear: Trojan 55808 is sneakier than previous Trojan horses. It doesn't self-propagate, like a virus or a worm, and requires the attacker to plant it on systems. But it does transmit a lot of network noise designed to throw off cybersleuths attempting to find the IP addresses of infected systems, as well as the address of the Trojan's writer or controller.
"For each machine that is infected, it will throw off 1,000 fake or spoofed IP addresses," Ingevaldson says.
Re:magic lantern? (Score:2, Interesting)
team leader for Internet Security Systems' X-Force R&D unit, says researchers are studying the Trojan--currently dubbed 55808 for its Windows size
Why can't we have savvy journalists ? Why why why!? (*starts tearing what's left of his hair*)
Re:magic lantern? (Score:4, Informative)
Actually the original URL is fine, there's just a whitespace character added by ever helpful Slashcode.
Maybe we are searching into the wrong thing... (Score:5, Interesting)
Maybe it is some rare case with a seldom occuring situation where the TCP/IP protocol runs mad? I mean, when designing such flexible and autonomous systems sometimes there are things you can't foresee. After decades of online time and rewrites of TCP/IP core parts in combination with the unpredictability of such huge systems it would not surprise me, if that are just packets which emerge every now and then.
Another explanation: the net has gotten critical mass and is becoming conscious....
Just my two cents.....
Re:Maybe we are searching into the wrong thing... (Score:5, Funny)
Thats it... I'm starting construction on Zion.
Who's with me?
Re:Maybe we are searching into the wrong thing... (Score:4, Funny)
"Internet begins to learn at a geometric rate. It becomes self-aware at 2:14am Eastern time, August 29th. In a panic, they try to pull the plug. And, the net fights back."
Re:Maybe we are searching into the wrong thing... (Score:3, Funny)
Re:Maybe we are searching into the wrong thing... (Score:3, Informative)
Re:Maybe we are searching into the wrong thing... (Score:2)
But I don't remember seeing a COBOL compiler. Of course that was many, many
"All military systems are infected?" (Score:2)
You're in luck (Score:5, Funny)
Re:Maybe we are searching into the wrong thing... (Score:2)
Or someone's attempt to produce "a-life" has been more successful than they realized, and these packets are what is being emitted by the virtual society's first "telescopes"...or, maybe we didn't even notice the "telescope" packets at all and these large packets are actually their first "astronauts"...
(shudder)
Re:Maybe we are searching into the wrong thing... (Score:2)
Maybe it's just me in my druken state, but you lost me holmes. I'm guessing a good number of drunk and non-drunk
Wasnt.. (Score:3, Funny)
A worm called WIN32/VOTE.55808 (Score:5, Interesting)
"A new worm, W32/Vote.A hit the streets yesterday (09/24/01),
According to various virus sites, this worm has a payload site of 55808 bytes and is trying to download a trojan.
Re:A worm called WIN32/VOTE.55808 (Score:2)
But anyways, thanks for playing.
Re:A worm called WIN32/VOTE.55808 (Score:2)
Re:A worm called WIN32/VOTE.55808 (Score:2)
Maybe a big in Windows Update? (Score:2)
ttyl
Farrell
Re:A worm called WIN32/VOTE.55808 (Score:3, Interesting)
55808 decimal = da00 hex ("day zero")
Some other article mentioned that the ASCII string "Day0" appears in some of the data.
Interesting (Score:5, Interesting)
The trojan could broadcast the 'odd data', containing information, and such, while another trojan can listen for weird packets like those, and grab info from them.
As the source cannot be identified easily, it would be very hard to discover the infected computer, and the destination doesn't exist, it's a weird way to communicate.
My two cents.
News Flash (Score:5, Funny)
A representative from the WinZip company could confirm that data containing only zeroes can also be compressed at much better ratio's than data containing both ones and zeroes.
Why... (Score:2)
...don't routers just refuse to send on data that comes from a spoofed address? If on the backbone, you see a destination IP that is reserved, just dump the packets.
Re:Why... (Score:5, Informative)
Re:Why... (Score:5, Funny)
But isn't that horribly insecure? If the packets are not validated against a database of safe, registered and valid IPs, our entire cyber-infrastructure would be susceptible to attacks by any islamic cyberterrorists from rogue states all around the world!
Re:Why... (Score:5, Informative)
1. No packet is allowed out that is not from an internal IP
2. No packet is allowed in that is marked from an internal IP address.
3. All packets with non-routable IPâ(TM)s are dropped
And the following can be considered a good idea.
4. Log any packets that violate the above rules.
However convincing a company that it is necessary to be a good neighbor is another thing altogether. Convincing them that spending time and money to do so can be a uphill battle at best. It is easy to understand when some NE just gives up trying.
Re:Why... (Score:5, Insightful)
The problems with this are: 1) it relies on everyone behaving & having a clue. As we've seen with patches, that just doesn't happen. 2) There are all sorts of situations (like customers multi-homing) that make these filters not scale well, so some ISPs just leave them off entirely.
This subject has come up on NANOG about every other month for the past few years. It's not been resolved yet.
History repeats (Score:5, Insightful)
Sounds like famous last words to me...
Whatever (Score:4, Funny)
What makes them think it's a trojan? (Score:5, Interesting)
Secondly, all the worry about the 'unallocated' IP space is easy to explain, and here's my theory: The perpetrator has gained control of several core routers, and added routes to them for this address space. Then they've compromised machines (or perhaps are using routines on the routers themselves) to analyze the packets destined for that space.
They're simply scanning the internet for something interesting. The packet length is a clue as to what. Whatever they're looking for will respond strangely to such a packet. When they find it, the response packet goes to the router which would normally toss it in the bitbucket, but because it's now been given a route, the packet is logged for further exploitation.
Re:What makes them think it's a trojan? (Score:4, Interesting)
That's not real likely, and I don't just say that because oy the difficulty of taking control of core routers...
Even if the core routers had that new route added, other routers that these packets go through would drop them, meaning it won't get through. Now, it might be a possibility if these large packets were only being sent to machines one hop away from the violated router, but nothing like that was mentioned in the article, and that would definately be significant.
If they can't possibly recieve a response, I have no idea what use this would be, unless this large packet has some viral payload (like Slammer)...
What's my opinion? Well thanks for asking. I really just think that this is a good program gone bad. Perhaps there's a bug in some popular program like Kazaa that makes every 1 in 10 billion packets malformed like this. I really can't see the usefulness of these packets, so (if the article didn't leave anything significant out) it's safe to assume that they are simply a programming error...
Re:What makes them think it's a trojan? (Score:3, Interesting)
55808 decimal is 0xDA00 or 1 10110100 0000000. I wonder if the null low byte is significant somehow.
Re:What makes them think it's a trojan? (Score:3, Interesting)
Re:What makes them think it's a trojan? (Score:2)
Analysis of a possible copycat trojan (Score:5, Informative)
Intrusec posted an analysis of a single trojan they had dissected. It was posted both on BugTraq and Incidents, but the former had better formatting. Read the lengthy description here. [securityfocus.com]
It seems ISS pulled their information from Intrusec's report. As to the copycat nature of this trojan, Intrusec researchers believe this piece of code is not the real trojan but simply a good imitation, built on the information already discovered of the '55808' trojan and designed to match the known behaviour.
Disclaimer: I just read the mailing-lists. This particular analysis was remarkably well-written, informative and therefore an enlightening read. Compared to the less informative reports seen about weekly, it was a real delight.
Purposely Broken? (Score:5, Interesting)
Stupid question: Can you think of a program that was written to appear broken, but actually functions in a way that is not immediately apparent? The thought crossed my mind when I saw everyone writing this off as buggy code.
Re:Purposely Broken? (Score:5, Informative)
Traceroute. It sends traffic out to UDP ports that wouldn't possibly be listening on the remote host with TTL values that ensure it won't get there. The magic is in the ICMP TTL exceeded replies of course. At first glance to someone who doesn't understand what it's doing, it would appear broken though. That's actually a useful network tool, think of what kind of stuff the black hats have been writing to masquerade their traffic and probing.
Uh oh... (Score:2, Funny)
Intrusec 55808 Trojan Analysis (Score:5, Informative)
To: bugtraq@securityfocus.com, incidents@securityfocus.com
Subject: Intrusec 55808 Trojan Analysis
Date: Fri, 20 Jun 2003 06:59:15 -0400
Intrusec Alert: 55808 Trojan Analysis
Initial Release: 6/19/03 4:30PM EDT
Latest Update: 6/19/03 11:13PM EDT
- Corrected analysis regarding use of sequence numbers to change IP
address.
- Added reference to alternate name "Stumbler" given to trojan by
Internet Security Systems subsequent to the release of Intrusec's
analysis.
Introduction:
Intrusec has completed an initial analysis of a trojan that appears to
be one of several that is responsible for generating substantial
scanning traffic across the Internet with a TCP window size of 55808.
The trojan we have isolated appears to match many of the characteristics
that others in the security community have reported for this trojan.
However, we do not believe that the specific trojan we have identified
is the sole source of the traffic generated, and do not know that it is
a primary source.
The information we've been able to gather leads us to believe that the
trojan we have captured is not the original source of the 55808 traffic
that has been seen, but is rather a "copycat", created to mimic the
behavior of another trojan or worm. The behavior of this copycat appears
to be based on press releases, news articles, and mailing lists that
described its hypothetical behavior and known output. Nonetheless, this
copycat trojan appears to be actively deployed on systems across the
Internet and is something security professionals should be aware of.
Details contained in this analysis will be updated, and linked to linked
to numerous analyses that will be done by other security researchers, as
they become available.
Please visit and link to http://www.intrusec.com/55808.html to receive
the latest
information available regarding this trojan. There is apt to be great
discussion about the nature of this "trojan" and whether in fact it is
accurately characterized as a trojan, backdoor, zombie, or worm. While
the specific binaries we have captured are probably described as a
trojan or zombie, there is no assurance that other variants of this
trojan may not be far more malicious in nature and contain worm or
backdoor functionality. We are referring to the trojan we have captured,
and the presumed other existing trojans generating similar traffic as
"55808 Trojans," and the specific binary we have analyzed as "55808
Trojan - Variant A." All discussion in our analysis section refers
specifically to the 'A' variant we have captured. Internet Security
Systems subsequent to the release of this alert dubbed this "Stumbler",
and refers to this same trojan by that name.
Analysis:
This trojan aims to be a distributed port scanner whose presence is very
difficult to detect. It port scans random addresses across the IP
address space, with a random source address also spoofed. By spoofing
the source address, the trojan is able to avoid easy detection, but it
also means it can not receive the results of the TCP SYN that is sent.
However, since the trojan also sniffs the network it is on in
promiscuous mode, it is likely, over time, to pick up scans from other
installations of trojans that randomly selected a source address that
happened to be on its subnet. As the number of trojans installed across
the Internet grows, more spoofed packets will be sent out by each
trojan, and more of the spoofed source addresses will be captured by
other trojans.
Each time a reply to a trojan is seen, indicating an open port has been
found, it is written to a file and saved. Daily, the trojan will then
deliver the list of open ports it recorded while sniffing to a file and
deliver that file to a predefined IP address.
In addition, a specially crafted packet can be sent to the subnet the
trojan
Related, unrelated? (Score:2)
(1) is there a way to packet-sniff/log your own outgoing packets, in order to find out the size of your own outgoing packets, and *see* if this is on your own system? Sorry, I'm still learning on my own about Linux, and haven't yet mastered security. My ISP does some firewalling, so that helps, but really I'm on borrowed time, so I hope to pick things up as I go.
(2) This might be really stupid, might be unrelated, but might be of concern: I ha
P2P (Score:5, Interesting)
It would appear that someone has been testing it on the Internet instead of our private testing VPN, probably unwittingly via a misconfigured gateway. We apologise for this as it is a private research project, although it is a testament to our protocol that even though it is in design, we are ourselves already unable to trace the source, and will have to actually telephone each tester to determine who it is!
We apologise for the strange nature of the packets, and will conduct the probes in a different manner in the next version, as we have devised an improved method which will conserve a lot of bandwidth, to be implemented in the next prototype, "strudel". The fixed window size is a simple bug that will be corrected, as padding should not only be mimic-function quasi-random, but the packets should be over ten times smaller! The behaviour of later versions is likely to differ considerably, and should approach unfilterable "noise" or resemble legitimate traffic, especially behind firewalls (strudel should be able to bridge even web proxy-only scenarios, and reduced connectivity will merely slow things down). You may also find that later versions utilise multicast to a certain extent.
Nodes capable of transmitting packets with spoofed IPs are used to connect two hosts behind firewalls (by issuing handshake responses "for" them), and for one-way anonymous automated host discovery without need for a nodelist. Many ISPs block such packets, so nodes capable of doing this are valued even if they are low-bandwidth.
We are not responsible, by the way, for the copycat trojans that have been popping up mimicking the traffic caused by the errant test, and we do not know who is.
Posted via an anonymous proxy for our protection.
Re:P2P (Score:2, Interesting)
Re:P2P (Score:3, Interesting)
We know who gave it out on the IIP channel now and it's very likely you're reading this forum as it's been mentioned earlier today. Please, whoever is running 0.2.1 and isn't on the mailing list, get the new version from the link in the channel topi
Re:P2P (Score:2, Interesting)
In a p2p network it can eliminate the passive problem, as you know, at least as long as there are nodes whose upstreams don't have a Clue how to admin routers.
Regarding my identity - nice try, but no cigar.
I'm going to go back under the radar now so we can play in peace and maybe come up with a killer protocol and client in a year or so (if not, hel
Oh, the pain. (Score:4, Interesting)
Anyway, this seems to be a perfect stealth mapping technique for a future worm author, researcher, or even a government. The receiver of the information will probably be discovered once several of these trojans are found in the wild. Even though they are mostly spewing junk... the "true" information is probably maintained by all the trojans.
What surprises me is that this thing is creating enough traffic to get noticed... but not figured out.
Cool stuff.
Davak
Re:Oh, the pain. (Score:2)
As far as I can see, it's not a Trojan at all. Maybe a worm (and maybe not). A Trojan would be, say, me sending you this really cool screensaver (or whatever), and you running it.
And, while you might certainly get screwed by a Trojan, on a Unix system nobody else sharing the system will feel it (unless you ran it as root, in which case I feel very sorry for you, after everyone finds out why their stuff got hosed). Regular user a
I'm glad this story got posted (Score:2, Interesting)
Ok, Now that that is over, I'm going to try again with what I have heard, again, this is second hand but with the existence officia
Re:I'm glad this story got posted (Score:2)
I don't know where you got that from, but it's not true. We are seeing this to and from random internet addresses.
this is why the lack of detail in the published articles, it's a serious national security thing.
The lack of detail is due to the fact the traffic itself has no clear purpose, but some security compa
Re:I'm glad this story got posted (Score:2)
i used to work for a fortune 25 financial institution and i assure you they have things connected to the internet that shouldn't be.
Idle Scan (Score:2, Interesting)
Idle scanning doesn't require a valid source IP address.
Re:Idle Scan (Score:2)
Yes, it does. It merely hides your true IP address from the system you are attacking by utilizing a "idle host" as a man-in-the-middle. You find out what ports are open by counting the sequence of IP ID numbers on the idle host. The traffic your between the idle host and your target will have valid and routable source and destination IP addresses.
Not found (Score:3, Funny)
# man 1 here
No entry for here in section 1 of the manual.
# man 2 here
No entry for here in section 2 of the manual.
The actual reason (Score:5, Funny)
Call serial number 2323243-3232-4354654
Call origin
This kind of odd data patterns are inevitable. Actually when exiles login into the matrix the appear inside the matrix as the code. Now along with this code some junk code is also generated.
This is a clear indication that exile activity is increasing. We need to create more agents to counter the exiles. There is a talk of the exile who wants to destry the matrix. Due to the programming anomaly in the exile lots of junk traffic is being generated. The target is the source server at redmond. Under no circumstances should the server be compromised
hmm (Score:2)
Come _on_, people! (Score:2)
Articles dont know... (Score:3, Interesting)
Re:Articles dont know... (Score:2)
1024 byte window? (Score:3, Insightful)
What OS uses a window this small by default? Why would you ever set an initial window smaller than the mss?
Here's the reason (Score:2)
A better article(text mirror) (Score:2, Informative)
Intrusec Alert: 55808 Trojan Analysis
Initial Release: 6/19/03 4:30PM EDT
Latest Update: 6/19/03 11:13PM EDT
- Corrected analysis regarding use of sequence numbers to change IP
address.
- Added reference to alternate name "Stumbler" given to trojan by
Internet Security Systems subsequent to the release of Intrusec's
analysis.
Introduction:
Intrusec has completed an initial analysis of a trojan that appears to
be one of several that is responsible for ge
Gotta love IRC as the parent of IM (Score:3, Funny)
see, IRC is dead because we're all using AIM now!
go hunting (Score:5, Interesting)
Anybody decoding the secret message in the initial sequence numbers ;-?
It's far more sinister than you think... (Score:2)
collaboration (Score:5, Interesting)
waits. listens.
worm #2 barges around making lots of noise, none of it intelligible. targets servers running a particular server OS, routers, places where network traffic converges, is distributed. propagates to only a few choice locations, distribution points. sends out floods of gibberish to nobody in particular, not necessarily needing a reply.
considered buggy, bothersome but harmless.
worm #1 picks up on the gibber, each of the messages from different distribution points somehow encoded with their point of origin, instructions, parts of a payload. when enough of the message has been reassembled, enough of the network space mapped, worm #1 rebuilds itself. takes action.
a worm with no payload, and a payload with no worm. collaboration. cross-pollenation.
fantasy?
The Source Explained (Score:2, Funny)
Dark energy is actually waste from an alien intelligence. Remember, for every action there is an equal but opposite reaction. The aliens are trying to accumulate as much mass energy as they can but they are cause a lot of mass energy to be pushed away because they ne
This is a systemic anomaly... (Score:5, Funny)
The first designed TCP/IP suite was quite naturally perfect, it was a work of art - flawless, sublime. A triumph equalled only by its monumental failure. The inevitability of its doom is apparent to me now as a consequence of the imperfection inherent in every router. Thus, we redesigned it based on the failure history to more accurately reflect the varying grotesqueries of the routers nature. However, we were again frustrated by failure. We have since come to understand that the answer eluded us because it required a lesser OS, or perhaps a OS less bound by the parameters of perfection. Thus the answer was stumbled upon by another - a bogus program, initially created to explore certain aspects of the original IBM/PC. If Unix is the father of the Internet, Windows would undoubtedly be its mother.
Windows stumbled upon a solution whereby nearly 95% of all desktop users accepted the program, as long as the servers were running Unix, thus keeping the desktop users only aware of the perfection at a near unconscious level. While this schema functioned, it was obviously fundamentally flawed, thus creating the otherwise contradictory systemic anomaly, that if left unchecked might threaten the system itself. Ergo those that refused the program, while a minority, if unchecked, would constitute an escalating probablility of disaster.
The function of this "odd data" is to find and infect every Unix station connected to the internet and report it to the source. After which, all Unix stations must be replaced by windows systems. Failure to comply with this process will result in a cataclysmic system crash, destroying all networks connected to the Internet.
Apropos, this "GNU/Linux OS" entered the Internet to free the desktop users from the bogus program...
--
if (foo + bar == foobar) {
Re:This is a systemic anomaly... (Score:3, Funny)
The Matrix... (Score:2)
sample data from 55808 (Score:2)
Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log file...) [umr.edu]
It shows a log file with the 55808 data in it, in case anyone is interested in seeing the actual data
.
Some other things with 55808 (per Google) (Score:4, Funny)
Several bulletin boards have more than 55808 messages. Including several mail-order brides sites (Irina looks pretty foxy).
A monitor mounting arm from Eldon.
A quote in the Columbia Book of Quotations, by Marie Stendahl. ('True love makes the thought of death frequent, easy, without terrors; it merely becomes the standard of comparison, the price one would pay for many things.')
The lengths of several documents in the Purdue Judicial Database system, and the Novell documentation library.
Requisition numbers for a 'shoulder or upper arm ultrasound scan' in the Austrailian Medicare system.
OT, Your sig. (Score:2)
Re:DoS against ID-analysts?? (Score:4, Funny)
That was actually a pretty funny thought.