File: ike-backoff-patterns

package info (click to toggle)
ike-scan 1.7-3
  • links: PTS
  • area: main
  • in suites: sarge
  • size: 4,928 kB
  • ctags: 542
  • sloc: ansic: 5,931; sh: 3,589; makefile: 72
file content (172 lines) | stat: -rw-r--r-- 8,138 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
# The IKE Scanner (ike-scan) is Copyright (C) 2003-2005 Roy Hills,
# NTA Monitor Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# 
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
#
# If this license is unacceptable to you, I may be willing to negotiate
# alternative licenses (contact ike-scan@nta-monitor.com).
#
# $Id: ike-backoff-patterns,v 1.21 2005/01/01 16:49:53 rsh Exp $
#
# ike-backoff-patterns -- Backoff patterns file for ike-scan
#
# Author: Roy Hills <Roy.Hills@nta-monitor.com>
#
# Format:
# Implementation_Name<Tab>Backoff_Pattern
#
# Implementation_Name is a descriptive name for the IKE implementation
# (and version if applicable).  Backoff_Pattern is the observed IKE
# retransmission backoff pattern for this implementation.
#
# The backoff pattern is specified as a comma-separated list of backoff
# times in seconds.  The first number is always zero and represents the first
# packet received.  Subsequent numbers represent the expected delay in
# seconds after the previous packet.  For example, "0, 2, 2, 2" means that a
# total of four packets are sent with a delay of two seconds between each one.
#
# The numbers in the backoff pattern can be decimal numbers e.g. 1.5 for
# one and a half seconds.  You can specify up to a maximum of 6 digits
# after the decimal point (microsecond resolution), although anything
# beyond millisecond resolution is not really practical.  ike-scan uses
# a timeval struct to store the backoff pattern entries.
#
# You may also specify an per-pattern-entry "fuzz" value in milliseconds
# by appending /<fuzz> to the backoff time.  This will override the default
# fuzz for that time only.  The fuzz value specifies how close the specified
# time must be to the observed time for a match.  E.g. a fuzz of 0 means that
# the observed timing must match exactly and a fuzz of 1000 means that the
# times must be within one second of each other (1000ms = 1sec).  If no
# per-pattern-entry fuzz value is specified then a default fuzz value of 100ms
# (defined by DEFAULT_PATTERN_FUZZ in ike-scan.h) is applied.  This default
# value may be changed with the --fuzz option to ike-scan.
#
# Lines beginning with '#' and blank lines are ignored.
#
# The input format is quite strict.  In particular, the separator between
# the implementation name and the backoff pattern must be a single TAB and
# not a space, multiple tabs or spaces, or a mixture of tabs and spaces.
#
# If you have problems adding entries, run ike-scan as:
# ike-scan -v -v -v -o <any-target>
# To dump the backoff pattern table.
#
# You are encouraged to send comments, improvements or suggestions to
# me at ike-scan@nta-monitor.com.
# In particular, I would like you to submit any new patterns that you
# discover.  See: http://www.nta-monitor.com/ike-scan/submit.htm
# For details of how to submit new backoff patterns.
#

# Discovered by: Roy Hills, November 2002
# Observed on: Cisco 2503 running IOS 11.3(11b)T2
# Observed on: Cisco PIX (unknown model) running (unknown version)
# Note:	I've had a report of Cisco IOS 12.2(2)T having the pattern
#	0,10,10,10,10 which incorrectly matches Watchguard Firebox.
#	Thanks to Adam Scott for this observation.
Cisco IOS / PIX	0, 15, 15

# 1st Pattern Discovered by: Roy Hills, November 2002
# Observed on: Cisco VPN Concentrator 3005 running (unknown version)
# Observed on: VPN 3000 Concentrator Version 3.6.3.Rel Oct 04 2002 16:23:00
# 2nd Pattern Discovered by: Guy Widloecher, March 2003
# Observed on: Cisco VPN 3005 Concentrator Version 3.5.2
Cisco VPN Concentrator	0, 8, 8, 8
Cisco VPN Concentrator	0, 8, 8

# Discovered by: Roy Hills, December 2002
# Observed on: Checkpoint Firewall-1 4.0 SP7 on Windows NT Workstation 4.0 SP6a
Firewall-1 4.0	0, 3, 3, 3, 3, 6, 6, 6, 6, 6, 6, 6

# Discovered by: Roy Hills, November 2002
# Observed on: Checkpoint Firewall-1 4.1 SP6 on Windows NT Server 4.0 SP6a
# Observed on: Checkpoint Firewall-1 NG base on Windows NT Server 4.0 SP6a
# Observed on: Checkpoint Firewall-1 NG FP2 on Windows NT Server 4.0 SP6a
Firewall-1 4.1/NG	0, 2, 2, 2, 2, 2, 2, 4, 4, 4, 4, 4

# Discovered by: Roy Hills, December 2002
# Observed on: FreeS/WAN 1.9 on Debian Linux 2.2r7 (Potato) with 2.2.17 Kernel
Linux FreeS/WAN	0, 10, 20

# Discovered by: Roy Hills, November 2002
# Observed on: Nortel Contivity 2500, OS version V4.06-120
# Observed on: Nortel Contivity 1600, OS version V3.60-45
Nortel Contivity	0, 16, 16, 16

# Discovered by: Roy Hills, December 2002
# Observed on: Watchguard Firebox 700 v6.1
# Observed on: Gnat Box (version unknown)
# Note that the Gnat box has a much larger variance than the watchguard, but
# they are both essentially the same pattern.
Watchguard Firebox or Gnat Box	0, 10/1000, 10/1000, 10/1000, 10/1000, 10/1000

# Discovered by: Roy Hills, December 2002
# Observed on: Windows 2000 Server SP1
# Observed on: Windows XP Pro SP1
# Note: Backoff fingerprinting cannot distinguish between 2000 and XP, but
#	vendor IDs can.
Windows-2000 or XP	0, 1, 2, 4, 8, 16, 32

# 1st pattern Discovered by: Thomas Walpuski, Jan 2003
# Observed on: Various OpenBSD systems running isakmpd
# 2nd pattern discovered by: Marco Ivaldi <raptor@mediaservice.net>, Jan 2003
# Observed on: OpenBSD 3.2
# Observed on: FreeBSD 4.7-Stable with isakmpd-20021118 and OpenBSD 3.1
# Note: OpenBSD isakmpd is highly configurable, so it's difficult to get one
#       pattern which will match all possible backoff pattern.
#       Hakan Olsson has informed me that the actual algorithm used by isakmpd
#	is "5 + 2*<retrans#>" which can be found in transport.c, ca line 310.
#	Both patterns match this algorithm: the first with the default
#	retransmission limit of 3 and the second with retransmits set to 5.
#	It has also been pointed out that isakmpd can run on many platforms
#	other than FreeBSD and OpenBSD, so the inclusion of these OS names in
#	the pattern are misleading.  However, I'm leaving the names unchanged
#	in case someone relies on them in the program output.
FreeBSD/OpenBSD-isakmpd	0, 7, 9, 11
FreeBSD/OpenBSD-isakmpd	0, 7, 9, 11, 13, 15

# Discovered by: Paul van Maaren, January 2003
# Observed on: FreeBSD-4.7 STABLE with racoon-20021120a
FreeBSD-racoon	0, 20, 20, 20, 20, 20

# Discovered by: Iain Lewis, February 2003
# Observed on: Netscreen 500
netscreen	0, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4

# Discovered by: Doug Monroe, January 2003
# Observed on: Watchguard SOHO v5.1.7
# Note:	There is quite a bit of variation with this pattern, hence the
#	per-entry fuzz specifications.
watchguard-soho	0, 1/500, 9.5/3000, 1.5/2000, 9.5/3000, 1.5/2000, 9.5/3000, 1.5/2000, 9.5/3000, 1.5/2000, 9.5/3000, 1.5/2000

# Discovered by: Christopher Harrington, February 2003
# Observed on: SonicWall Pro 200
# Note:	There is quite a bit of variation with this pattern, hence the
#	per-entry fuzz specifications.
sonicwall-pro	0, 6.5/1500, 9/1000, 13/2000, 22/3000

# Discovered by: Roy Hills, December 2003
# Observed on: Windows 2003 Server Enterprise Edition, Intel platform
# Note: The 2nd packet delay has been observed to vary between 0.5 and 1.5 sec.
#       Otherwise, this is the same pattern as Windows 2000.  Note that if the
#	Win-2003 server happens to pick a delay of around 1 sec for the 2nd
#	Packet, then ike-scan will mis-identify as Win-2000.  Vendor ID
#	payloads can distinguish Win-2003 from Win-2000 in any event, but
#	that's another story.
Windows-2003	0, 1/600, 2, 4, 8, 16, 32

# Discovered by: Bob Davies, March 2004
# Observed on Lynksys router, Unknown version
Lynksys	0, 15/500, 15, 15