My old WP server, which has now been dead for weeks… money down the drain.
Executive Summary
This white paper documents the results of packet-level tests and analysis conducted on the target
server 211.57.200.57. Using tools such as tcpdump, nmap, and hping3, we confirmed that the host
is alive but selectively drops traffic on specific ports. The findings strongly indicate port-based
filtering, either by the server’s local firewall (e.g., UFW/iptables) or by an upstream firewall device.
Evidence collection includes packet traces, command outputs, and comparative scans against a
control host (103.125.217.113).
Methodology
1. SYN packet capture using tcpdump.
2. Port scanning with nmap (-sS, -Pn, --reason, --packet-trace).
3. Direct packet probing using hping3 for SYN behavior analysis.
4. Control tests against 103.125.217.113 for comparison.
5. Analysis of responses (SYN/ACK, RST/ACK, or no response) to classify port states.
Results
| Target IP | Port | Response | State / Interpretation |
|---|---|---|---|
| 211.57.200.57 | 22/tcp | No Response | Filtered / Dropped |
| 211.57.200.57 | 80/tcp | No Response | Filtered / Dropped |
| 211.57.200.57 | 443/tcp | No Response | Filtered / Dropped |
| 211.57.200.57 | 1000/tcp | No Response | Filtered / Dropped |
| 211.57.200.57 | 113/tcp | RST/ACK | Closed (Host Alive) |
| 103.125.217.113 | 22/tcp | SYN/ACK | Open |
| 103.125.217.113 | 23/tcp | RST/ACK | Closed |
| 103.125.217.113 | 113/tcp | RST/ACK | Closed |
Interpretation
The server (211.57.200.57) responds to TCP probes on port 113 with RST/ACK, proving that the
host is alive and reachable. However, for ports 22, 80, 443, and 1000, no response is received,
indicating selective filtering or dropping. This behavior is consistent with firewall policies configured
either locally (UFW/iptables) or on an upstream device (ISP/IDC firewall). Without direct access to
the server, the exact location of filtering cannot be confirmed, but the selective nature of responses
rules out a host-down scenario.
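The classification rule from the methodology (SYN/ACK, RST/ACK, or no response) and the host-alive inference above can be applied mechanically to a capture. The following is an added example, not part of the original white paper: the capture lines are constructed in tcpdump -n text form, the probe source 192.0.2.10 is an assumed address, and the function names are hypothetical.

```python
import re

# Constructed tcpdump -n lines, not the original capture; 192.0.2.10 is an assumed probe source.
SAMPLE = """\
IP 192.0.2.10.40001 > 211.57.200.57.22: Flags [S], seq 1, win 1024, length 0
IP 192.0.2.10.40002 > 211.57.200.57.80: Flags [S], seq 1, win 1024, length 0
IP 192.0.2.10.40003 > 211.57.200.57.443: Flags [S], seq 1, win 1024, length 0
IP 192.0.2.10.40004 > 211.57.200.57.113: Flags [S], seq 1, win 1024, length 0
IP 211.57.200.57.113 > 192.0.2.10.40004: Flags [R.], seq 0, ack 2, win 0, length 0
IP 192.0.2.10.40005 > 103.125.217.113.22: Flags [S], seq 1, win 1024, length 0
IP 103.125.217.113.22 > 192.0.2.10.40005: Flags [S.], seq 9, ack 2, win 64240, length 0
"""

LINE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]+)\]")
REPLY_STATE = {"S.": "open", "R.": "closed", "R": "closed"}  # SYN/ACK, RST/ACK, bare RST

def classify(capture):
    """Return {(host, port): 'open' | 'closed' | 'filtered'} from SYNs and their replies."""
    probes = {}  # (src, sport, dst, dport) of each SYN -> state; unanswered stays 'filtered'
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":
            probes.setdefault((src, sport, dst, dport), "filtered")
        elif flags in REPLY_STATE and (dst, dport, src, sport) in probes:
            probes[(dst, dport, src, sport)] = REPLY_STATE[flags]  # reply reverses the 4-tuple
    states = {}
    for (_, _, dst, dport), state in probes.items():
        key = (dst, int(dport))
        if states.get(key, "filtered") == "filtered":  # any answered probe wins over silence
            states[key] = state
    return states

def host_verdict(states, host):
    """Summarise one host: a single reply on any port proves it is up."""
    seen = [s for (h, _), s in states.items() if h == host]
    if not seen:
        return "not probed"
    if all(s == "filtered" for s in seen):
        return "no reply on any port: host down or fully filtered"
    return "alive, selective port filtering" if "filtered" in seen else "alive, no filtering observed"

if __name__ == "__main__":
    states = classify(SAMPLE)
    for host in ("211.57.200.57", "103.125.217.113"):
        print(host, host_verdict(states, host))
```

A single unanswered SYN can also be ordinary packet loss, so repeat each probe before reading silence as filtering.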
Conclusion
Evidence shows that server 211.57.200.57 is alive but ports 22, 80, and 443 are filtered. Port 113
being closed confirms host activity. These findings suggest that the administrator or upstream
provider is intentionally filtering traffic on critical service ports. Additional verification, such as
tcpdump run on the target server itself, would be required to confirm whether the filtering is
performed by the server’s internal firewall (e.g., UFW) or by an external firewall.