July 12th, 2007, 08:29 PM
unusual traffic outbound and TVUPlayer
I've just started the forensics on this, but wanted to see if anyone had a similiar experience with this software... A user downloaded/installed/used a TV viewer (http://tvunetworks.com/) -- the our IDS guy received a report from SourceFire that there was an unusually large OUTbound data stream... Basically, during the timeframe the user noted a process still running that was associated with this application, anywhere from 113 - 163 megs had been downloaded (the TV data stream -- expected) but at the same time about 1.5 gigs of data was outbound (NOT expected!). All done over the course of a few hours.
The destination of the data streams was to seven different IPs. IT troops claim the system is free of known viruses and bad-ware. We don't know yet what data was actually outbound; only have the SourceFire report to run on so far. Yes, lots to do yet (ports, dest lookups, etc.).
Here's a summary:
MB MB rate nslookup known hostname
sent recv hrs KB/s hostname
1435 163 1 36.1 NEW ip72-196-228-82.dc.dc.cox.net ==>NEW user's_computer
1519 111 0 46.3 NEW cpe-075-182-097-243.nc.res.rr.com ==>NEW user's_computer
1469 116 0 66.6 NEW d207-216-101-241.bchsia.telus.net ==>NEW user's_computer
1443 129 0 71.0 NEW 220.127.116.11 ==>NEW user's_computer
1492 118 0 71.6 NEW c-71-63-102-62.hsd1.va.comcast.net ==>NEW user's_computer
1437 112 0 81.7 NEW din-15-189-235-87.ipcom.comunitel.net ==>NEW user's_computer
1539 113 0 110.7 NEW 18.104.22.168 ==>NEW user's_computer
Ideas? Any Experience with TVU?
July 12th, 2007, 08:47 PM
I don't know the technology, but this is what is on their site:
So I guess it is somewhat like being a "seeder" in bittorrents? You are giving resource as well as receiving?
TVU uses a new broadcast technology called Real-Time Packet Replication. With this technology, all the viewers who are watching a channel at the same time are cooperating to give everyone the best possible signal.
TVU's application does not create any new files on your hard disk because you're watching live TV.
July 12th, 2007, 08:50 PM
Sounds right nihil. Saving bandwidth for the company providing, stealing it from the customers. :-p
July 12th, 2007, 09:28 PM
you beat me to it!
dang, you beat me to the punch -- I just saw that...!
I'm only assuming that the user did NOT install the broadcasting application; or even if he did, the basic (free) service may still do the sharing thingy. We do have some pretty big pipes, it's possible that the system took advantage of it...
Mystery (mostly) solved. The IPs connecting to our guy all appear to be from DHCP major providers, and the data amount is all almost the same amount (the same program?) -- so it's all kinda consistant.
July 12th, 2007, 09:38 PM
As I read it, they have viewers who are also providing resources, and "broadcasters" who are providing the original content?
He wouldn't need the broadcasting application as far as I can tell.
It seems to be a way of avoiding the bittorrent problem of people just leeching off the feeds?
July 14th, 2007, 07:39 PM
is that legal to steal the bandwith from the customers?
or is it either let us steal yours, or dont use the program?
July 16th, 2007, 02:15 PM
There will probably be some small print in the program license somewhere that the user will agree to by downloading and installing the program..
The fact that he was able to download it AND install it says something about the company......they are big enough to have an 'IDS guy' but not sensible enough to restrict their workstations...
July 16th, 2007, 02:32 PM
Yeah! that as well
Actually you would need to be a bit more protective, as you don't actually need the downloadable application:
I guess a lot would depend on what your work requirements were, but I think that a lot of environments could live without Windows Media Player?
Alternately, you can watch our featured channels in your web browser on the Channels
July 16th, 2007, 04:14 PM
open-ness of our network
Agree on the need to lock down more, but I've got one word for ya: university. Need I say more...?
July 16th, 2007, 04:30 PM
read the fine print
omg nokia i love your fricking signature! hahahaha
Drugs have taught an entire generation of kids the metric system.