unusual traffic outbound and TVUPlayer
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: unusual traffic outbound and TVUPlayer

  1. #1
    Member
    Join Date
    May 2003
    Location
    Somewhere in Texas
    Posts
    76

    unusual traffic outbound and TVUPlayer

    I've just started the forensics on this, but wanted to see if anyone had a similiar experience with this software... A user downloaded/installed/used a TV viewer (http://tvunetworks.com/) -- the our IDS guy received a report from SourceFire that there was an unusually large OUTbound data stream... Basically, during the timeframe the user noted a process still running that was associated with this application, anywhere from 113 - 163 megs had been downloaded (the TV data stream -- expected) but at the same time about 1.5 gigs of data was outbound (NOT expected!). All done over the course of a few hours.

    The destination of the data streams was to seven different IPs. IT troops claim the system is free of known viruses and bad-ware. We don't know yet what data was actually outbound; only have the SourceFire report to run on so far. Yes, lots to do yet (ports, dest lookups, etc.).

    Here's a summary:

    MB MB rate nslookup known hostname
    sent recv hrs KB/s hostname

    1435 163 1 36.1 NEW ip72-196-228-82.dc.dc.cox.net ==>NEW user's_computer
    1519 111 0 46.3 NEW cpe-075-182-097-243.nc.res.rr.com ==>NEW user's_computer
    1469 116 0 66.6 NEW d207-216-101-241.bchsia.telus.net ==>NEW user's_computer
    1443 129 0 71.0 NEW 79.178.24.103 ==>NEW user's_computer
    1492 118 0 71.6 NEW c-71-63-102-62.hsd1.va.comcast.net ==>NEW user's_computer
    1437 112 0 81.7 NEW din-15-189-235-87.ipcom.comunitel.net ==>NEW user's_computer
    1539 113 0 110.7 NEW 66.186.178.140 ==>NEW user's_computer

    Ideas? Any Experience with TVU?

    Thanks!
    Miguel

  2. #2
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Hi Miguel,

    I don't know the technology, but this is what is on their site:

    TVU uses a new broadcast technology called Real-Time Packet Replication. With this technology, all the viewers who are watching a channel at the same time are cooperating to give everyone the best possible signal. TVU's application does not create any new files on your hard disk because you're watching live TV.
    So I guess it is somewhat like being a "seeder" in bittorrents? You are giving resource as well as receiving?

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #3
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,053
    Sounds right nihil. Saving bandwidth for the company providing, stealing it from the customers. :-p

  4. #4
    Member
    Join Date
    May 2003
    Location
    Somewhere in Texas
    Posts
    76

    Exclamation you beat me to it!

    dang, you beat me to the punch -- I just saw that...!

    http://pages.tvunetworks.com/doc/whatis.html

    I'm only assuming that the user did NOT install the broadcasting application; or even if he did, the basic (free) service may still do the sharing thingy. We do have some pretty big pipes, it's possible that the system took advantage of it...

    Mystery (mostly) solved. The IPs connecting to our guy all appear to be from DHCP major providers, and the data amount is all almost the same amount (the same program?) -- so it's all kinda consistant.

    Thanks, anyway...

  5. #5
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Hi Miguel,

    As I read it, they have viewers who are also providing resources, and "broadcasters" who are providing the original content?

    He wouldn't need the broadcasting application as far as I can tell.

    It seems to be a way of avoiding the bittorrent problem of people just leeching off the feeds?

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  6. #6
    Member striker0204's Avatar
    Join Date
    Apr 2007
    Posts
    42
    is that legal to steal the bandwith from the customers?

    or is it either let us steal yours, or dont use the program?

  7. #7
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    There will probably be some small print in the program license somewhere that the user will agree to by downloading and installing the program..

    The fact that he was able to download it AND install it says something about the company......they are big enough to have an 'IDS guy' but not sensible enough to restrict their workstations...
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

  8. #8
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Yeah! that as well

    Actually you would need to be a bit more protective, as you don't actually need the downloadable application:

    Alternately, you can watch our featured channels in your web browser on the Channels page
    I guess a lot would depend on what your work requirements were, but I think that a lot of environments could live without Windows Media Player?
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  9. #9
    Member
    Join Date
    May 2003
    Location
    Somewhere in Texas
    Posts
    76

    Wink open-ness of our network

    Agree on the need to lock down more, but I've got one word for ya: university. Need I say more...?

  10. #10
    Member striker0204's Avatar
    Join Date
    Apr 2007
    Posts
    42
    read the fine print

    omg nokia i love your fricking signature! hahahaha

    Drugs have taught an entire generation of kids the metric system.
    awesomeness

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides