A TCP Ping Reveals Hosts by Connection Refused Error

By Doctor Electron

Network analysts use replies to ICMP echo request (ping) packets to assess the presence of on-line hosts. However, many networks have firewalls which refuse to reply to ping. An established TCP connection also demonstrates that the remote host is on-line, but this approach has two disadvantages: the remote host must have ports listening for connections, usually associated with some service such as a web or ftp server, and the analyst must already have information about what services are offered by the host.

This preliminary report illustrates the use of the TCP [RFC 793] connection refused error as a method to discover and demonstrate the presence of on-line hosts in a network. When a client program sends a TCP SYN packet to request a connection, a reply packet with the ACK and RST flags set is, according to examination of captured packets, classed as a connection refused error. The response latency (in msec) for receipt of this error packet is generally similar to that of the first two steps of the handshake procedure when a connection is established.

An interesting result in this preliminary data is that certain networks may be mapped and described by connection refused error when ICMP echo requests and established TCP connections fail to reveal information. A later report will analyze this data more rigorously from a statistical point of view.

Methods

Random sampling was used to allow estimation of population statistics. Four bytes define a "v4" IP address. Valid IP addresses were randomly generated in a range from 1.0.0.1 to 219.255.255.254 [RFC 1466, RFC 1518, RFC 1519].

Several methods were used to determine the presence of a host at a random address as reported previously [1]. In addition, connection refused error (WSA error 10061) was logged. To summarize, four types of internet behavior were observed:

1. Single packet ICMP echo requests [RFC 792] elicited echo responses from the randomly selected host, which will be denoted "Ping" hosts in these articles.

2. A different host revealed itself by responding to the ping packet with an error report, such as host unreachable or TTL expiration; these will be called "ICMP Error" hosts.

3. TCP connections were established to ports commonly used for services such as FTP, SSH, Telnet, SMTP, HTTP, NetBios (port 139) and HTTPS [RFC 1700].

4. Connection refused errors.

The author wrote the software used for data collection. Descriptions of recipients of address space allocations in Table 1 were obtained from IANA.

Results

Data collected thus far using random sampling includes 13,706 ICMP Error and 43,370 TCP responses. In general, as sampling proceeded, more than two ICMP Error reporters volunteered their IP address for each Ping (n = 5,619) response obtained from a randomly selected address. Thus far, 18,362 connection refused errors have been logged.

Table 1 shows where hosts were found. The data is organized according to internet prefixes using the X/8 notation [RFC 1519]. Each entry, 4, 6, 10, 12, etc, denotes an X/8 address space, which includes all addresses X.0.0.1 to X.255.255.254. This organization of the data according to X/8 prefixes illustrates the kind of results which can be obtained. Network analysts may use similar procedures to describe any IP address prefix for any size network.

Table 1: IPv4/8 Addresses Where Hosts Were Found
  X/8 Description                     Ping  Error  TCP  10061 Total
004/8 Bolt Beranek and Newman Inc.      19   123    52    85   279
006/8 Army Information Systems Center    0     0    14     1    15
010/8 IANA-Private Use                   0   129     1     0   130
012/8 AT&T Bell Laboratories            99   296   180   343   918
015/8 Hewlett-Packard Company            1     0     0     0     1
018/8 MIT                                2     3     4    28    37
020/8 Computer Sciences Corporation      0     0     0   555   555
024/8 ARIN-Cable Block                 164    41   347   630  1182
032/8 Norsk Informasjonsteknologi        4     5     9     3    21
033/8 DLA Systems Automation Center      0     4     4     2    10
035/8 MERIT Computer Network             1     8    15     4    28
038/8 Performance Systems Internat'l     6    27    11     9    53
043/8 Japan Inet                         7     1     9    50    67
044/8 Amateur Radio Digital Com.         0     0     0     1     1
051/8 Dept. of Social Security of UK     0     0     2     0     2
052/8 E.I. DuPont de Nemours and Co      1     0     0     0     1
053/8 Cap Debis CCS                      0     1     0     0     1
055/8 Boeing Computer Services .mil      0     0  1948  1078  3026
057/8 SITA (French)                      3     6     0     4    13
061/8 APNIC-Pacific Rim                131   127   456   690  1404
062/8 RIPENCC-Europe                    74   243   410   279  1006
063/8 ARIN                              95   262   459   225  1041
064/8 ARIN                             159   238  1573   483  2453
065/8 ARIN                             107   206   660   421  1394
066/8 ARIN                             132   123  1015   545  1815
067/8 ARIN                              24   188   100   203   515
068/8 ARIN                              58    13    87   345   503
075/8 IANA-Reserved                      0     0     1     0     1
079/8 IANA-Reserved                      0     0     0     1     1
080/8 RIPENCC-Europe                    47    41   198   308   594
081/8 RIPENCC-Europe                     2     2    15    32    51
085/8 IANA-Reserved                      0     0     0     1     1
100/8 IANA-Reserved                      0     2     0     0     2
128/8 Various Registries                64   118   636   251  1069
129/8 Various Registries                38   116   950   205  1309
130/8 Various Registries                36   130   573   318  1057
131/8 Various Registries                25    76  3044   147  3292
132/8 Various Registries                11    43  3905   388  4347
133/8 Various Registries                 8    87   171   187   453
134/8 Various Registries                27    74   515   140   756
135/8 Various Registries                 0     4     0     0     4
136/8 Various Registries                10    15   186    68   279
137/8 Various Registries                15   105  1433   130  1683
138/8 Various Registries                 7    37   231    97   372
139/8 Various Registries                13   156   280    43   492
140/8 Various Registries                20    60   555    82   717
141/8 Various Registries                17    84   165   117   383
142/8 Various Registries                25    60   472   118   675
143/8 Various Registries                 8    40   233   131   412
144/8 Various Registries                14   223   332   125   694
145/8 Various Registries                 2    52    65    40   159
146/8 Various Registries                17    92   330   142   581
147/8 Various Registries                 3    33   814   133   983
148/8 Various Registries                14    74   132    92   312
149/8 Various Registries                 7    31    26    62   126
150/8 Various Registries                12   127   249   178   566
151/8 Various Registries                23   142   402   101   668
152/8 Various Registries                16   132   171   212   531
153/8 Various Registries                 3    10   283    23   319
154/8 Various Registries                 1    66     4     5    76
155/8 Various Registries                 9    33   713   134   889
156/8 Various Registries                 3    17    87    37   144
157/8 Various Registries                12   277   118   183   590
158/8 Various Registries                 7    78   791   150  1026
159/8 Various Registries                 7    41   399   124   571
160/8 Various Registries                10    95   207   138   450
161/8 Various Registries                 9    46   100   107   262
162/8 Various Registries                 6    21   334    37   398
163/8 Various Registries                10    50    93   189   342
164/8 Various Registries                 7    78   346    65   496
165/8 Various Registries                12    90   141    85   328
166/8 Various Registries                12    66    54    46   178
167/8 Various Registries                 7    37   232   146   422
168/8 Various Registries                17   141   191    81   430
169/8 Various Registries                 3    54    38    38   133
170/8 Various Registries                 3    46    80    48   177
171/8 Various Registries vaskapu .hu     3     6   115     9   133
172/8 Various Registries aol.com       106   100    18   861  1085
179/8 IANA-Reserved                      0     0     0     1     1
188/8 IANA-Reserved (is RIPE)            0     1     0     0     1
192/8 Various Reg. - MultiRegional      34   309   154    96   593
193/8 RIPENCC-Europe                    65   347   346   165   923
194/8 RIPENCC-Europe                    80   450   359   163  1052
195/8 RIPENCC-Europe                   137   631   586   249  1603
196/8 Various Registries                12    35    95    31   173
198/8 Various Registries                49   272   344   143   808
199/8 ARIN-North America                48   129   212   114   503
200/8 ARIN-Central and South America   117   354   425   248  1144
202/8 APNIC-Pacific Rim                141   603   516   216  1476
203/8 APNIC-Pacific Rim                171   479   663   265  1578
204/8 ARIN-North America                92   255   512   117   976
205/8 ARIN-North America                60   203   373    80   716
206/8 ARIN-North America               138   433   516   139  1226
207/8 ARIN-North America               184   385   836   250  1655
208/8 ARIN-North America               196   330   791   220  1537
209/8 ARIN-North America               386   381  1945   330  3042
210/8 APNIC-Pacific Rim                256   531   911   351  2049
211/8 APNIC-Pacific Rim                502   417  1489   824  3232
212/8 RIPENCC-Europe                   194   579   974   297  2044
213/8 RIPENCC-Europe                   233   388   556   305  1482
214/8 US-DOD                             0     0     2     1     3
215/8 US-DOD                             0     0     2     3     5
216/8 ARIN-North America               454   428  2391   526  3799
217/8 RIPENCC-Europe                   177   180   556   261  1174
218/8 APNIC-Pacific Rim                 63    33    31   526   653
219/8 APNIC-Pacific Rim                 15     1     1   102   119
Column totals are random sample size  5619 13706 43370 18362 81057
Legend: Ping, ICMP echo replies. Error, ICMP echo request error reports by "volunteer" hosts. TCP, established connections mainly with ports 21, 22, 23, 25, 80, 113, 139 and 443. 10061, connection refused error reports. The Ping, Error and TCP columns of data were gathered in another study [1]. At this writing, 219/8 is below its sample size quota.

Table 1 shows that connection refused error was the only method used which revealed the presence of remote hosts in sampling of the 20/8 (n = 555), 44/8, 79/8, 85/8 and 179/8 address spaces.

Discussion

The data, based on random sampling in most of IPv4 address space, showed that TCP connection refused error may be a useful method to discover and describe network structures. The address space allocated to Computer Sciences Corporation (CSC) at 20/8 is an excellent case in point.

The utility of the connection refused responses may be summarized:

1. Reveal networks and individual hosts that other methods may miss. Indeed, the CSC network has not yet been documented by the ICMP and TCP connection data based on random sampling.
2. Assist in mapping network components and structures. In all of those cases in Table 1 where the connection refused responses accompany responses in other categories listed, the specific addresses may be (and in this study, because of the random sampling, almost always were) different in each of the categories (columns) shown. Thus, a more complete picture and assessment of the machines or virtual addresses in a particular network are obtained.
3. Knowledge of which ports are listening (open) on which machines is less important or perhaps not needed at all. That is, our results thus far indicate that the typical active host may refuse connections regardless of the port specified in the connection request.

Connection refused responses allow the mapping of networks and may therefore be viewed as a vulnerability regarding the privacy of network resources. The general interpretation of this type of on-line behavior, then, is as an indicator of unsecured computers. The ratio of observed to expected connection refused responses is highest for CSC, the present undisputed world champion.

In this CSC network, connection refused errors are routinely returned only for certain ports (author, unpublished data), such as 21 (ftp), 22 (ssh) and 443 (https). Remarkably, about 24% of random 20.x.y.z addresses return these TCP error packets providing an accurate measurement of the corresponding total CSC on-line hardware. On the other hand, other ports are most often silent. That is, TCP SYN packets requesting a connection with ports like 25 (smtp) and 80 (http) are ignored.

This would seem to be the inverse of what might be expected in a secure network. Namely, it is exactly the ports where authentication and security are usually of greatest concern (21, 22 and 443) that are giving out the IP addresses of the machines that presumably have the most private information. In contrast, little or no authentication is typically required to establish a TCP connection for ports 25 and 80, and it might appear that CSC may have greater security installed for machines that might run these services.
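The per-port asymmetry described above can be audited from the defending side. The following is an added example, not the author's data collection software: it reads packet records captured at a network border and reports which internal hosts disclose their presence only through RST/ACK replies. The addresses (documentation ranges), the tuple layout and the compact flag strings "S", "SA" and "RA" are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample: (src, dst, sport, dport, tcp_flags) seen at a border tap.
# 192.0.2.0/24 stands in for "our" network, 198.51.100.7 for a remote prober.
PACKETS = [
    ("198.51.100.7", "192.0.2.10", 40001, 22,  "S"),
    ("192.0.2.10", "198.51.100.7", 22, 40001, "RA"),   # refused: host revealed
    ("198.51.100.7", "192.0.2.10", 40002, 80,  "S"),   # no reply: silent
    ("198.51.100.7", "192.0.2.11", 40003, 443, "S"),
    ("192.0.2.11", "198.51.100.7", 443, 40003, "SA"),  # listening service
    ("198.51.100.7", "192.0.2.12", 40004, 21,  "S"),   # no reply: silent
    ("198.51.100.7", "192.0.2.12", 40005, 25,  "S"),   # no reply: silent
]

def classify(packets):
    """Map each inbound SYN (dst, dport) to 'refused', 'open' or 'silent'."""
    replies = {}
    for src, dst, sport, dport, flags in packets:
        if flags in ("RA", "SA"):
            # Key a reply by the 4-tuple of the SYN it answers.
            replies[(dst, src, dport, sport)] = flags
    result = {}
    for src, dst, sport, dport, flags in packets:
        if flags != "S":
            continue
        reply = replies.get((src, dst, sport, dport))
        result[(dst, dport)] = {"RA": "refused", "SA": "open"}.get(reply, "silent")
    return result

def exposure_report(packets):
    """Per host: which ports answered, and whether refusals alone disclose it."""
    per_host = defaultdict(lambda: defaultdict(list))
    for (host, port), outcome in classify(packets).items():
        per_host[host][outcome].append(port)
    report = {}
    for host, outcomes in per_host.items():
        report[host] = {
            "refused": sorted(outcomes["refused"]),
            "open": sorted(outcomes["open"]),
            "silent": sorted(outcomes["silent"]),
            # Visible only because a closed port sent RST/ACK instead of dropping.
            "revealed_only_by_refusal": bool(outcomes["refused"]) and not outcomes["open"],
        }
    return report

if __name__ == "__main__":
    for host, row in sorted(exposure_report(PACKETS).items()):
        print(host, row)
```

A host flagged `revealed_only_by_refusal` offers no service on the probed ports yet still answers; a filter that drops rather than rejects on those ports would leave it in the silent category.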

Finally, in Net Census research, the least is assumed about the remote hosts. In particular, it is not assumed that responses will follow specifications such as those set forth in the RFCs. This study reports what actually occurs, regardless of what is supposed to occur according to specifications and generally accepted rules.

References

[1] Doctor Electron, "Computers Connected to IPv4 Address Space", June, 2002.
[IANA] Internet Assigned Numbers Authority, "Internet Protocol in v4 Address Space", December, 2001.
[RFC 792] Postel, J., "Internet Control Message Protocol", September, 1981.
[RFC 793] Information Sciences Institute, Univ. of Southern Calif., "Transmission Control Protocol -- Darpa Internet Program Protocol Specification", September, 1981.
[RFC 1466] Gerich, E., "Guidelines for Management of IP Address Space", May, 1993.
[RFC 1518] Rekhter, Y., and T. Li, "An Architecture for IP Address Allocation with CIDR", September, 1993.
[RFC 1519] Fuller, V. et al. "Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy", September, 1993.
[RFC 1700] Reynolds, J. K., and J. Postel, "ASSIGNED NUMBERS", October, 1994.

The reader is welcome to contact Global Services for more specific data from our present databases or further data collection regarding specific IP address prefixes.

Copyright © 2002 Global Services
Original publication: August 10, 2002
