Computer Science Corporation: Buy or Sell?
The connection refused vulnerability in an IT giant

By Doctor Electron
Preface: President Bush and his computer security appointee Richard Clarke have asked researchers and IT professionals to report possible computer security risks to responsible persons in the governmental or private organizations concerned. Did the President and his staff also ask that the organizations be responsive to such reports?

This preliminary case study shows that much of the structure and function of the Computer Science Corporation network may be revealed by analysis of internet connection refused responses.

In a study of IP address subspaces that compared samples drawn from x/8 prefixes (x.0.0.1 to x.255.255.254) [RFC 1519], Computer Science Corporation (CSC) was found to be unique with respect to internet connection refused replies [1,2]. The 20/8 addresses allocated to CSC by IANA were alone in responding primarily with TCP connection refused messages. Internet responses such as these from the CSC network have been classed as a computer security vulnerability [1]. Thus, CSC may be a useful prototype for examining the nature and extent of this vulnerability.

According to its web site, CSC provides IT solutions and, among many areas, specifically lists hosting services, information security and IT infrastructure outsourcing. In this light, the major question may be: why does CSC freely hand out to the public rather detailed information about the structure and function of its computer systems, information which could be used by hostile parties?

The author tried to contact CSC on behalf of Net Census to elicit any comment or explanation of this phenomenon with emails on 8/10/02 to Peter Gross, listed by ARIN as the responsible person for the 20/8 address range, and on 8/17/02 to Mr. Gross, as well as to "general information," "investor relations," and the CSC public relations officer, listed on their web site. As of this writing, there has been no response.

Buy or sell CSC? Well, the lack of any response might be a sell indicator. The reader might best withhold judgment at least until the results below are presented and several disclaimers are mentioned in the discussion section.

On 8/30/02, Net Census wrote to CSC, "Dear friends: Net Census will assume your lack of response to previous emails indicates lack of interest in the subject matter. This is to notify you that we will be proceeding to publish further detail from studies on the CSC 20/8 prefix as a prototype of the connection refused vulnerability. Best wishes."

The CSC system has the advantage that a large sample of responses can be quickly obtained for statistical analysis. Description of its general features may be instructive for possible study of similar, but smaller networks. Further, network administrators using what might be called the "CSC model" might want to reconsider their positions.

What can we learn from network TCP connection refused (CR) responses? These responses offer four kinds of information: (1) a service port number, (2) the IP address used by a machine in a network, (3) the response time in milliseconds and (4) the percent of addresses in a range issuing CR responses.

Methods and Results

The author wrote most of the software used for data collection, management and analysis.

1. What is the CSC profile for CR responses by port number?

It is well known that the internet interface of popular operating systems may reply to TCP connection requests to ports not offering services with connection refused error packets, which have both the ACK and RST flags set. These responses are generally not dependent on the port number and may be elicited from over one percent of randomly selected IP addresses in the range 1.0.0.1 to 219.255.255.254 with randomly selected port numbers between 21 and 2000 [3, author, unpublished data]. These responses are thought to reflect unsecured computers without firewalls, which might otherwise prevent any response to the lab data collection program. That is, with a firewall in place the connection requests would time out with no response rather than receive specific CR responses.

The first feature noted in the CSC network is that CR responses are issued to the client program over the internet only for selected port numbers [1], as shown in part in Table 1.

Table 1: CSC Percent CR Responses by Port
Port            N     %CR    SE
  21 FTP      22930  23.26  0.28
  22 SSH      22975  23.50  0.28
 443 HTTPS    24614  23.01  0.27
 554 RTSP     22439  23.61  0.28
1463 NUCLEUS  20754   0.02   NA
Legend: Each row represents a random sample of N connection requests in 20/8 address space. %CR, percent connection refused responses. SE, standard error of %CR. RTSP, Real Time Streaming Protocol [RFC 1700].

There was no marked difference in CR response rates for ports 21, 22, 443 and 554. The similarity in the response rates suggests that the same machines may be operating these services or at least, emitting these responses. This was confirmed by running each of the four samples of addresses on the other three ports. The nearly one hundred percent response rates in every case confirmed that an address emitting a CR response to one of the four ports -- 21, 22, 443 and 554 -- almost always responded the same to each of the three other ports.

The average CR response rate of 23.36% estimates the percent of 20/8 address space which appears to be occupied by the responding machines. This idea is developed further with information in Table 2 below.

Finally, only 0.02 percent of CSC hardware refuses connections on Nucleus port 1463 [RFC 1700]. Before the reader scoffs at this small percent, consider that 0.02 percent of over 16.6 million addresses (256 x 256 x 254) estimates over 3,300 addresses issuing CR responses for port 1463. The hook for this article referring to an "IT giant" was not kidding. Incidentally, the utility of random sampling as a research method is highlighted as soon as one considers that the population consists of over 16 million addresses.

Randomizing both port numbers and addresses in the 20/8 range, CR responses from other ports have been obtained and may merit detailed attention at a later time.

2. What hosts issue CR packets in CSC address space?

Table 2: 20.y/16 CR responses by address (left) and latency (right)
 x.y/16   N    Nm   msec SEM    x.y/16   N    Nm   msec SEM
20.1     387  1538  1107  3    20.18    390  1559  1099  1
20.2     384  1533  1102  2    20.37    399  1595  1099  2
20.3     355  1417  1103  3    20.60    373  1488  1099  2
20.4     366  1461  1104  3    20.6     377  1504  1100  3
20.5     359  1433  1104  2    20.7     384  1529  1100  1
20.6     377  1504  1100  3    20.15    400  1599  1100  2
20.7     384  1529  1100  1    20.36    357  1427  1100  2
20.8     383  1532  1102  2    20.42    360  1439  1100  1
20.9     353  1412  1103  3    20.63    375  1499  1100  1
20.10    363  1447  1106  3    20.193    60   238  1100  3
20.11    377  1504  1108  4    20.197   375  1497  1100  2
20.12    389  1555  1104  3    20.13    373  1491  1101  3
20.13    373  1491  1101  3    20.43    382  1526  1101  2
20.14    388  1550  1102  2    20.52    381  1523  1101  3
20.15    400  1599  1100  2    20.53    399  1595  1101  2
20.16    398  1591  1107  3    20.61    349  1395  1101  2
20.17    377  1507  1103  3    20.2     384  1533  1102  2
20.18    390  1559  1099  1    20.8     383  1532  1102  2
20.19    354  1414  1103  3    20.14    388  1550  1102  2
20.20    407  1627  1103  3    20.55    388  1551  1102  3
20.21    376  1488  1103  2    20.56    386  1543  1102  2
20.22    384  1534  1105  3    20.195   379  1516  1102  3
20.23    372  1484  1104  3    20.196   357  1425  1102  3
20.24     45   180  1114 13    20.199   387  1547  1102  2
20.31      3    12  1109 20    20.3     355  1417  1103  3
20.32    370  1479  1106  3    20.9     353  1412  1103  3
20.33    378  1510  1103  2    20.17    377  1507  1103  3
20.34    379  1514  1104  3    20.19    354  1414  1103  3
20.35    385  1538  1107  3    20.20    407  1627  1103  3
20.36    357  1427  1100  2    20.21    376  1488  1103  2
20.37    399  1595  1099  2    20.33    378  1510  1103  2
20.38    380  1520  1109  4    20.59    395  1578  1103  2
20.39    377  1507  1111  4    20.4     366  1461  1104  3
20.40    372  1485  1105  1    20.5     359  1433  1104  2
20.41    369  1475  1105  3    20.12    389  1555  1104  3
20.42    360  1439  1100  1    20.23    372  1484  1104  3
20.43    382  1526  1101  2    20.34    379  1514  1104  3
20.44    370  1478  1105  3    20.46    384  1534  1104  2
20.45    348  1388  1105  3    20.48    410  1639  1104  3
20.46    384  1534  1104  2    20.51    399  1593  1104  3
20.47    381  1521  1107  3    20.54    375  1497  1104  3
20.48    410  1639  1104  3    20.57    366  1461  1104  2
20.49    395  1579  1107  4    20.62    351  1402  1104  3
20.50    391  1560  1106  3    20.198   368  1472  1104  3
20.51    399  1593  1104  3    20.22    384  1534  1105  3
20.52    381  1523  1101  3    20.40    372  1485  1105  1
20.53    399  1595  1101  2    20.41    369  1475  1105  3
20.54    375  1497  1104  3    20.44    370  1478  1105  3
20.55    388  1551  1102  3    20.45    348  1388  1105  3
20.56    386  1543  1102  2    20.58    358  1431  1105  3
20.57    366  1461  1104  2    20.10    363  1447  1106  3
20.58    358  1431  1105  3    20.32    370  1479  1106  3
20.59    395  1578  1103  2    20.50    391  1560  1106  3
20.60    373  1488  1099  2    20.134    47   188  1106  4
20.61    349  1395  1101  2    20.1     387  1538  1107  3
20.62    351  1402  1104  3    20.16    398  1591  1107  3
20.63    375  1499  1100  1    20.35    385  1538  1107  3
20.134    47   188  1106  4    20.47    381  1521  1107  3
20.137     2     4  1204 29    20.49    395  1579  1107  4
20.138     1     1             20.11    377  1504  1108  4
20.193    60   238  1100  3    20.31      3    12  1109 20
20.195   379  1516  1102  3    20.38    380  1520  1109  4
20.196   357  1425  1102  3    20.39    377  1507  1111  4
20.197   375  1497  1100  2    20.24     45   180  1114 13
20.198   368  1472  1104  3    20.137     2     4  1204 29
20.199   387  1547  1102  2    20.138     1     1
Total  22802
Legend: x.y/16, all IP addresses from 20.y.0.1 to 20.y.255.254. N, number of CR responses. Nm, number of response time measurements in milliseconds (msec). SEM, standard error of the mean msec (rounded up).

(a) 20.1 - 20.24, (b) 20.31 - 20.63, (c) 20.134, 20.137, 20.138 and (d) 20.193 and 20.195 - 20.199 are the x.y/16 prefixes issuing CR responses (Table 2, left). It appears that there is an orderly usage of the 20/8 space indicated by the blocks of addresses used. The address space usage shows at least four major sections designated by a - d above.

Concerning the number of CR responses in each 20.y/16 prefix (N), a quite uniform usage is generally seen. However, even in this range from about 350 responses to over 400 responses (n = 60 networks), the standard errors of the N's, expressed as probabilities per 20.y/16 prefix, are low enough to strongly indicate statistically significant differences in numbers of responsive addresses among the prefixes (rows) with higher and lower N's.

Some prefixes, such as 20.134 - 20.138 and 20.193, show substantially fewer responses, perhaps indicating areas of development or different functionality. This latter interpretation is supported by much smaller numbers of CR responses on other ports at some of these less populated sub-spaces (not shown in Table 2). The 20.31 network looks interesting due to its smaller response rate and because, for those who think in binary numbers, the second octet 31 (which still has the 32 bit clear) belongs more with block (a) than with block (b).

For a rough calculation, we can count 60.4 (60 + 0.4) networks in Table 2, where all of the networks showing less than 300 responses are represented as the fractional count of 0.4. These networks account for about 23.6% (60.4 / 256) of the address space. This estimate is very close to the values shown in Table 1.

3. Response time and CSC network structure.

Table 2 (right) may be processed to show statistically significant differences in CR response time among CSC 20.y/16 sub-networks, especially comparing the lower (top) and higher values (bottom). Although the absolute differences are most often less than 10 msecs, their presence is clearly detectable. If you lost your statistics book or never had one, here is a quick rule of thumb. With these sample sizes, a statistically significant difference is seen when the smaller value plus its SE (standard error) is less than the greater value minus its SE.

Discussion

This paper has addressed two general questions.

First, why does CSC issue connection refused (CR) responses to the internet? Perhaps we will never know because, as of this writing, CSC seems to want to stand mute to queries from the author. There is always the speculation that somebody in CSC thought that connection refused responses somehow enhanced security of their networks. If this is the thinking, it may be noted that many network administrators do not share that point of view and prefer that their networks stand mute by firewall rejection of unwelcome connection requests.

Second, given this availability of information from CSC, what can we learn from it?

1. The IP addresses of specific machines, or of those using virtual addressing technology, can be completely listed. This simple fact is the basis for considering this practice by CSC and others as a network vulnerability, since a variety of denial of service attacks require nothing more than the target IP address.

The percent of addresses emitting CR responses to connection requests for specific ports (Table 1) was essentially identical to percent of CR responsive address subspaces (Table 2) in the 256 ranges tested (20.0 - 20.255). This result suggests internal consistency in the data set and acceptable randomness in address selection, but is not what would be expected in the general case.

One might expect in the general case that x.y/16 subspaces would show considerable variability concerning how many computers appear to be active and on-line in a study like this. Further, it is reasonable to assume that operators would assign different tasks, which may have quite different work loads, to their sub-networks. Some of this expected variability is seen in Table 2 and is further documented in other unpublished data for the 20/8 prefix.

Nonetheless, the overall picture for CSC's 20/8 subspaces (Table 2) is quite unusual. Why? The observed probabilities expressed by the percents of refused requests (Table 1) may be viewed as the product of two probabilities: (1) the proportion of 20.y/16 prefixes in use multiplied by (2) the average proportion of address space used in the active 20.y/16 networks. For example, if half of 20.y/16 networks each used an average of half of their address capacities, we would have 0.5 x 0.5 = 0.25 or a 25% CR rate. The "internal consistency" discussed above actually suggests that the CSC data may be unusual because this latter probability appears to be unity (one), suggesting that all of the over 64,000 addresses in each active subspace are responsive for sixty of the networks (Table 2).
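To make the arithmetic behind Tables 1 and 2, the section 3 rule of thumb and the two-probability decomposition in the paragraph above reproducible, here is an added example in Python (not the author's or Net Census's own software). The probe records and counts in it are constructed, and it assumes probes are spread uniformly over the 256 x.y/16 prefixes of an x/8 block.

```python
# Added example (not the article's or Net Census's software): reproduce the
# article's statistics from constructed probe records. Outcome "CR" means the
# probed host answered the SYN with a TCP RST+ACK (connection refused).
import math
from collections import defaultdict

PREFIXES_PER_SLASH8 = 256  # number of x.y/16 prefixes inside one x/8 block

def cr_rate_with_se(cr_count, n):
    """Percent CR responses and its standard error for a sample of n probes.
    Table 1 uses SE = sqrt(p(1-p)/n) for the sampled proportion p.
    Returns (percent, standard_error_in_percent)."""
    p = cr_count / n
    return 100 * p, 100 * math.sqrt(p * (1 - p) / n)

def latency_stats_by_prefix(records):
    """Aggregate CR responses per x.y/16 prefix as in Table 2.
    records: iterable of (dst_ip, outcome, rtt_ms); rtt_ms is None when no
    timing was taken. Returns {prefix: (N, Nm, mean_ms, sem_ms)}, where SEM
    is the sample standard deviation / sqrt(Nm) (Table 2 rounds it up)."""
    hits = defaultdict(list)
    for dst_ip, outcome, rtt_ms in records:
        if outcome != "CR":
            continue  # timeouts carry no address information
        a, b = dst_ip.split(".")[:2]
        hits[f"{a}.{b}"].append(rtt_ms)
    stats = {}
    for prefix, rtts in hits.items():
        timed = [t for t in rtts if t is not None]
        nm = len(timed)
        if nm == 0:
            stats[prefix] = (len(rtts), 0, None, None)
            continue
        mean = sum(timed) / nm
        var = sum((t - mean) ** 2 for t in timed) / (nm - 1) if nm > 1 else 0.0
        stats[prefix] = (len(rtts), nm, mean, math.sqrt(var) / math.sqrt(nm))
    return stats

def differ_by_rule_of_thumb(mean_a, se_a, mean_b, se_b):
    """Section 3 rule: a difference counts as significant when the smaller
    value plus its SE is below the greater value minus its SE."""
    if mean_a > mean_b:
        mean_a, se_a, mean_b, se_b = mean_b, se_b, mean_a, se_a
    return mean_a + se_a < mean_b - se_b

def decompose_cr_rate(total_probes, cr_by_prefix):
    """Split the overall CR rate into (fraction of /16 prefixes in use) x
    (mean occupancy of the active prefixes), as in the Discussion.
    Assumes probes are uniform over the x/8 block, so each /16 expects
    total_probes/256 of them and a fully responsive /16 answers all of them.
    Returns (fraction_in_use, mean_occupancy, overall_cr_rate)."""
    active = {p: n for p, n in cr_by_prefix.items() if n > 0}
    if not active:
        return 0.0, 0.0, 0.0
    expected_per_prefix = total_probes / PREFIXES_PER_SLASH8
    fraction_in_use = len(active) / PREFIXES_PER_SLASH8
    mean_occupancy = sum(n / expected_per_prefix for n in active.values()) / len(active)
    return fraction_in_use, mean_occupancy, fraction_in_use * mean_occupancy

if __name__ == "__main__":
    # Constructed sample (not measured data): three CR replies from 20.1/16
    # and one silent address in 20.100/16.
    sample = [("20.1.4.7", "CR", 1100), ("20.1.9.2", "CR", 1102),
              ("20.1.200.3", "CR", 1104), ("20.100.1.1", "TIMEOUT", None)]
    print(cr_rate_with_se(5334, 22930))   # constructed count for the port 21 row
    print(latency_stats_by_prefix(sample))
    print(differ_by_rule_of_thumb(1099, 1, 1107, 3))
    print(decompose_cr_rate(97600, {"20.1": 380, "20.2": 375}))
```

The last call shows the article's point: when each active /16 answers about as many probes as uniform sampling would send it, the mean occupancy comes out near one and the overall CR rate is simply the fraction of prefixes in use.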

For any organization, no matter how large, to put 60 x.y/16 networks in operation utilizing all of the address capacity is an enormous task. Coupled with the fact that the CR responses coming out of CSC's 20/8 address space seem to be intentionally configured for specific ports, it may be more credible to assume that there is in fact substantial variability in the usage of the 60 networks, and that a program or device, perhaps one per network, issues a CR packet for certain ports for any destination address in the connection request regardless of whether or not there is a specific machine on-line at that destination address. In short, we may be witnessing a case of network spoofing by CSC, which would be considered quite clever and a buy indicator for its stock.

Other aspects of the data collected suggest that real network information is being revealed by the CR responses, at least in part.

2. The specific usage of the allocated address space indicated blocks of sub-networks at CSC which is suggestive of some degree of difference in functionality, if only by behavioral criteria. People seem to use number ranges to identify categories of items. If this common behavior is applicable in the CSC network, we have been provided with an "outline" of some of its activities. Thus, the blocks may correspond to qualitatively different activities and could be individually tracked.

3. The port numbers that specifically elicit CR responses are quite specific and therefore may provide a speculative window into the kinds of activities and software used and their most likely vulnerabilities. The observed dependence on port number strongly suggests that the CR responses were specifically configured as they were found and reported above. The motive to do this is unclear, to say the least.

4. Repeated assessments of address space usage could be used to graph over time the size of a particular network. This item and others listed below could be used by stock analysts to see if management projections of growth agree with independently gathered empirical data. This illustrates the "buy or sell" relevance of this kind of study.

5. Repeat testing of specific address sets can document resource usage over time. For example, in those cases where computers are simply turned off when workers go home, no CR responses (or other types of internet responsiveness) would be obtained. Thus, an analyst could track work activity in an organization associated with an IP address range, over time (days, weeks, etc) or by hour of the day. Noteworthy changes in activity may be interpreted as indicating some significant event in the organization. If the activity level changes, maybe it is time to buy the stock or sell it.

In the case of CSC, a remarkable stability was found. Namely, the addresses responded to the repeated latency measurements (four ports per address) like clockwork, suggesting that all of the corresponding hardware is powered on and on-line 24/7. Depending on context, this could be an indicator to buy (they are very busy) or to sell (they are wasting electricity).

6. Repeat testing might also assess hardware maintenance. The lowest value seen in the sessions measuring latencies was 99.71% from CSC addresses already logged as being responsive previously. Most of the values were much closer to 100%. The author finds these observations to be remarkable. A lot of people deserve a lot of thanks and credit. In Net Census studies, there is no trying again. A single SYN packet is sent; there is a response or not and that is the result. It is almost unbelievable that such a complex communications process could be demonstrably functioning at essentially 100% efficiency. Regarding CSC, we would have to rate their part of this process at 100%. The hardware maintenance chief merits a bonus. True, 0.3% or less apparent loss of packets could be anybody's fault and may indicate a few machine failures somewhere.

7. Significant differences in CR response time were found among the sub-networks. A likely explanation for longer response times is that packets of identifiable sub-networks traverse more steps within the CSC system. An alternative explanation might be that the sub-networks are located in different locations using different internet gateways. The rather small differences seen in this case suggest, however, but not conclusively so, that all of this hardware is located in one facility.

A more precise analysis of the latencies might reveal how many network steps are between prefixes listed in Table 2 and the general internet gateway(s). Alas, to be conservative, the SEM's in Table 2 were rounded up. Next time, they should be presented with at least two significant figures (e.g., 1.7 instead of 2 msec) to better document where the statistically significant differences are.

This tutorial has used well known ideas to explore how much can be learned from CR responses from a network. This may be most important in cases like CSC where CR responses may be the only information available. It has been seen that rather specific data can be obtained regarding port numbers, IP addresses and response latencies. It should also be noted that this information does not establish that CSC is directly operating these computers in the 20/8 address space. IANA does state that this space is allocated to CSC, as the 55/8 space is allocated to Boeing, although one finds that 55/8 is mostly populated with .mil domains.

As with many Net Census findings, one might keep in mind that internet behavior, like human behavior, can be difficult to interpret correctly and conclusively. For example, the absence of responses at selected addresses (those not listed in Table 2) may reflect the absence of on-line machines or simply that any machines at those addresses chose not to respond.

Summary

In a survey of x/8 IP address spaces, Computer Science Corporation (CSC) was unique in showing only one category of internet responsiveness, TCP connection refused (CR) error packets [1]. It was found that port number and IP address information in these packets issued by CSC in response to connection requests, plus measurement of the response times and percent of requests refused, could be used to describe the internal structure of this 20/8 address space. Specifically, the CR responses allow description of blocks of sub-networks and permit tracking of organization function and development over time. The port numbers provide basis to develop speculation on what kinds of activities and even what software might be employed.

All of this information could assist hostile parties in attacking CSC managed systems. Denial of service efforts are more likely to be successful if specific IP addresses are known. Selection among these addresses can further target such hostile behavior, as provided by the blocks of networks which are identifiable. Successful speculation associating the observed patterns of port numbers eliciting CR responses with likely software choices could assist an attacker in choosing known exploits in that software to pursue malicious activity.

These considerations bring us full circle to the original question: Why are CR packets issued by 20/8 addresses presumably managed by CSC? Although this question remains unanswered, the author has no reason to suppose that CSC is anything but a reputable and outstanding organization. With over 170 million shares selling in the upper 30s, its stock price indicates that many people believe CSC is doing a good job. Of course, if we find that CR responses from CSC managed computers suddenly become an "extinct species," this could be a buy indicator.

References

[1] Doctor Electron, "A TCP Ping Reveals Hosts by Connection Refused Error", August, 2002.
[2] Doctor Electron, "Network Profiling with Randomly Sampled Data", August, 2002.
[3] Doctor Electron, "Internet Host Behavior Statistics by Port", August, 2002.
[IANA] Internet Assigned Numbers Authority, "Internet Protocol in v4 Address Space", December, 2001.
[RFC 1519] Fuller, V. et al., "Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy", September, 1993.
[RFC 1700] Reynolds, J. K., and J. Postel, "ASSIGNED NUMBERS", October, 1994.

Copyright © 2002 Global Services
Original publication: September 4, 2002
