#20 Declined

LoadBalance detector

  1. thrapt

Uses a couple of techniques to identify sites using load balancing.

1) DNS round-robin 2) HTTP Server and Dates differences 3) IP TTL and TCP Window size

I don't think I saw all this techniques together in a single product but my memory is not that good either.

Comments (14)

  1. thrapt author

    Just tested with OS X and got problems crafting the packets for the TCP/IP test. I'll try to fix it but I don't really know what's going on. Works pretty well with Linux

    1. Tim Tomes repo owner

      I'm all OS X. Let's get it fixed. I'll take a look at it if I get some time. Do you have a resource for these techniques? SANS SEC542 has some cool ideas f how to tackle this as well. In fact, I had planned on writing a module to do just this, so I'm pumped that you did it.

      1. thrapt author

        The DNS technique is pretty well known. The HTTP method I read an article somewhere, can't remember, but then I found a tool that does both: LBD by Stefan Behte (http://ge.mine.nu/code/lbd). The TCP/IP header I heard about (and then tested it) in SANS560... or was a friend of mine that did SANS540 and told me about... man... I need some vitamins or something...

        1. Tim Tomes repo owner

          Here are some other ideas of how to detect load balancers after making a few requests:

          1. URL analysis
          2. Time stamp analysis
          3. Last-modified header values comparison
          4. Load Balancer cookies
          5. HTTPS differences
          6. HTML discrepancies
          1. thrapt author

            I'm having some doubts about these methods:

            1. URL analysis: It's not generating good results. I only saw a couple of positives and they were all false
            2. Time stamp: This one I didn't understand
            3. Last-modified: OK
            4. Load Balancer cookies: We need a big list of those. I only know a few
            5. HTTPS differences: I suppose you mean to check certificates and verify differences?
            6. HTML discrepancies: Lots of false positives, mainly in dynamic sites
            1. Tim Tomes repo owner
              1. You make several requests, timing the response time, then check the time stamps to see if any of the responses were off of the expected timing pattern. If one or more responses is a little off on timing, it would show that a load balancer is in place.

              2. Yep.

              I agree with you on the rest as well. I'm good with whatever works. I'll leave it up to you.

            2. Brendan Coles
      2. thrapt author

        I'm testing in a windows box right now. Getting the same bad results. Apparently the SO is not allowing me to set the IP header. I'll keep digging...

            1. Tim Tomes repo owner

              What about implementing some of the things i mentioned above? Should only be a matter of making several requests and analyzing the responses for differences.

                  1. thrapt author

                    You know when people say that backups are very important... well, they are. Specially when you don't have them...

                    My file server had a major hardware failure, lost a very large chunk of work. I'm still trying to put the pieces together. I'll try to see if I still have this file.