
  • Network Behavior Analysis of 211.57.200.57

    My old WP server, which has been dead for several weeks now… money wasted.

    Executive Summary
    This white paper documents the results of packet-level tests and analysis conducted on the target
    server 211.57.200.57. Using tools such as tcpdump, nmap, and hping3, we confirmed that the host
    is alive but selectively drops traffic on specific ports. The findings strongly indicate port-based
    filtering, either by the server’s local firewall (e.g., UFW/iptables) or by an upstream firewall device.
    Evidence collection includes packet traces, command outputs, and comparative scans against a
    control host (103.125.217.113).

    Methodology

    1. SYN packet capture using tcpdump.
    2. Port scanning with nmap (-sS, -Pn, --reason, --packet-trace).
    3. Direct packet probing using hping3 for SYN behavior analysis.
    4. Control tests against 103.125.217.113 for comparison.
    5. Analysis of responses (SYN/ACK, RST/ACK, or no response) to classify port states.

    Results
    Target IP         Port       Response      State / Interpretation
    211.57.200.57     22/tcp     No Response   Filtered / Dropped
    211.57.200.57     80/tcp     No Response   Filtered / Dropped
    211.57.200.57     443/tcp    No Response   Filtered / Dropped
    211.57.200.57     1000/tcp   No Response   Filtered / Dropped
    211.57.200.57     113/tcp    RST/ACK       Closed (Host Alive)
    103.125.217.113   22/tcp     SYN/ACK       Open
    103.125.217.113   23/tcp     RST/ACK       Closed
    103.125.217.113   113/tcp    RST/ACK       Closed

    Interpretation
    The server (211.57.200.57) responds to TCP probes on port 113 with RST/ACK, proving that the
    host is alive and reachable. However, for ports 22, 80, 443, and 1000, no response is received,
    indicating selective filtering or dropping. This behavior is consistent with firewall policies configured
    either locally (UFW/iptables) or on an upstream device (ISP/IDC firewall). Without direct access to
    the server, the exact location of filtering cannot be confirmed, but the selective nature of responses
    rules out a host-down scenario.

    Conclusion
    Evidence shows that server 211.57.200.57 is alive but ports 22, 80, and 443 are filtered. Port 113
    being closed confirms host activity. These findings suggest that the administrator or upstream
    provider is intentionally filtering traffic on critical service ports. Additional verification, such as
    tcpdump run on the target server itself, would be required to confirm whether the filtering is
    performed by the server’s internal firewall (e.g., UFW) or by an external firewall.
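
The classification rule used in Results and Interpretation (SYN/ACK = open, RST/ACK = closed, no response = filtered), written out as an added example that is not part of the original white paper. The capture lines are constructed to mirror the Results table rather than taken from a real trace, and the scanner address 192.0.2.10 is a placeholder.

```python
import re

SCANNER = "192.0.2.10"  # placeholder scanner address (assumption, not from the page)

# Constructed `tcpdump -nn -t` style lines mirroring the Results table; not real traffic.
CAPTURE = """\
IP 192.0.2.10.40001 > 211.57.200.57.22: Flags [S], seq 1, win 1024, length 0
IP 192.0.2.10.40002 > 211.57.200.57.80: Flags [S], seq 1, win 1024, length 0
IP 192.0.2.10.40003 > 211.57.200.57.443: Flags [S], seq 1, win 1024, length 0
IP 192.0.2.10.40004 > 211.57.200.57.1000: Flags [S], seq 1, win 1024, length 0
IP 192.0.2.10.40005 > 211.57.200.57.113: Flags [S], seq 1, win 1024, length 0
IP 211.57.200.57.113 > 192.0.2.10.40005: Flags [R.], seq 0, ack 2, win 0, length 0
IP 192.0.2.10.40006 > 103.125.217.113.22: Flags [S], seq 1, win 1024, length 0
IP 103.125.217.113.22 > 192.0.2.10.40006: Flags [S.], seq 9, ack 2, win 64240, length 0
IP 192.0.2.10.40007 > 103.125.217.113.23: Flags [S], seq 1, win 1024, length 0
IP 103.125.217.113.23 > 192.0.2.10.40007: Flags [R.], seq 0, ack 2, win 0, length 0
"""

LINE = re.compile(r"IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): Flags \[([A-Z.]+)\]")

def classify(capture, scanner=SCANNER):
    """Return {(target_ip, port): state} from SYN probes and the replies to them."""
    states = {}
    for m in LINE.finditer(capture):
        src, sport, dst, dport, flags = m.groups()
        if src == scanner and flags == "S":
            states.setdefault((dst, int(dport)), "filtered")  # no reply seen (yet)
        elif dst == scanner and flags == "S.":
            states[(src, int(sport))] = "open"      # SYN/ACK
        elif dst == scanner and "R" in flags:
            states[(src, int(sport))] = "closed"    # RST or RST/ACK
    return states

def host_verdict(states, target):
    """Summarise one host: a single reply on any port proves it is reachable."""
    seen = {state for (ip, _), state in states.items() if ip == target}
    if not seen:
        return "not probed"
    if seen == {"filtered"}:
        return "no replies: host down or everything dropped"
    if "filtered" in seen:
        return "alive, selective filtering"
    return "alive, no filtering observed"

if __name__ == "__main__":
    result = classify(CAPTURE)
    for host in ("211.57.200.57", "103.125.217.113"):
        print(host, "->", host_verdict(result, host))
```

As the white paper notes, a "filtered" result seen from the outside cannot say whether the drop happens on the host or upstream; that needs a capture on the server itself.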