Musings on Database Security

As you can see here, the Python code handles a specific case of Oracle TNS layer requesting a RESEND of the last packet. I’ve noticed that no matter what client I’m trying to connect with, Oracle is always requesting a RESEND after the initial CONNECT request as you can see here (removed various ACK packets, etc.):

1. Using SQL*Plus

Packet number 13:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 63055
 Dst port: 1521
Packet Type: Connect
 Version: 01 3a
 SDU/TDU: 8192 / 32512
SERVICE_NAME: db11200
 SID: <N/A>
 HOST: slavik-laptop
 PROGRAM: sqlplus
 USER: slavik
 Payload (216 bytes):
00000   00 d8 00 00 01 00 00 00  01 3a 01 2c 0c 41 20 00    .........:.,.A .
00016   7f ff 7f 08 00 00 01 00  00 9e 00 3a 00 00 08 00    ...........:....
00032   41 41 00 00 00 00 00 00  00 00 00 00 00 00 00 00    AA..............
00048   00 00 00 00 00 00 00 00  00 00 28 44 45 53 43 52    ..........(DESCR
00064   49 50 54 49 4f 4e 3d 28  43 4f 4e 4e 45 43 54 5f    IPTION=(CONNECT_
00080   44 41 54 41 3d 28 53 45  52 56 49 43 45 5f 4e 41    DATA=(SERVICE_NA
00096   4d 45 3d 64 62 31 31 32  30 30 29 28 43 49 44 3d    ME=db11200)(CID=
00112   28 50 52 4f 47 52 41 4d  3d 73 71 6c 70 6c 75 73    (PROGRAM=sqlplus
00128   29 28 48 4f 53 54 3d 73  6c 61 76 69 6b 2d 6c 61    )(HOST=slavik-la
00144   70 74 6f 70 29 28 55 53  45 52 3d 73 6c 61 76 69    ptop)(USER=slavi
00160   6b 29 29 29 28 41 44 44  52 45 53 53 3d 28 50 52    k)))(ADDRESS=(PR
00176   4f 54 4f 43 4f 4c 3d 54  43 50 29 28 48 4f 53 54    OTOCOL=TCP)(HOST
00192   3d 31 32 37 2e 30 2e 30  2e 31 29 28 50 4f 52 54    =127.0.0.1)(PORT
00208   3d 31 35 32 31 29 29 29                             =1521)))

Packet number 15:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 1521
 Dst port: 63055
Packet Type: Resend
 Payload (8 bytes):
00000   00 08 00 00 0b 00 00 00                             ........

Packet number 17:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 63055
 Dst port: 1521
Packet Type: Connect
 Version: 01 3a
 SDU/TDU: 8192 / 32512
SERVICE_NAME: db11200
 SID: <N/A>
 HOST: slavik-laptop
 PROGRAM: sqlplus
 USER: slavik
 Payload (216 bytes):
00000   00 d8 00 00 01 00 00 00  01 3a 01 2c 0c 41 20 00    .........:.,.A .
00016   7f ff 7f 08 00 00 01 00  00 9e 00 3a 00 00 08 00    ...........:....
00032   41 41 00 00 00 00 00 00  00 00 00 00 00 00 00 00    AA..............
00048   00 00 00 00 00 00 00 00  00 00 28 44 45 53 43 52    ..........(DESCR
00064   49 50 54 49 4f 4e 3d 28  43 4f 4e 4e 45 43 54 5f    IPTION=(CONNECT_
00080   44 41 54 41 3d 28 53 45  52 56 49 43 45 5f 4e 41    DATA=(SERVICE_NA
00096   4d 45 3d 64 62 31 31 32  30 30 29 28 43 49 44 3d    ME=db11200)(CID=
00112   28 50 52 4f 47 52 41 4d  3d 73 71 6c 70 6c 75 73    (PROGRAM=sqlplus
00128   29 28 48 4f 53 54 3d 73  6c 61 76 69 6b 2d 6c 61    )(HOST=slavik-la
00144   70 74 6f 70 29 28 55 53  45 52 3d 73 6c 61 76 69    ptop)(USER=slavi
00160   6b 29 29 29 28 41 44 44  52 45 53 53 3d 28 50 52    k)))(ADDRESS=(PR
00176   4f 54 4f 43 4f 4c 3d 54  43 50 29 28 48 4f 53 54    OTOCOL=TCP)(HOST
00192   3d 31 32 37 2e 30 2e 30  2e 31 29 28 50 4f 52 54    =127.0.0.1)(PORT
00208   3d 31 35 32 31 29 29 29                             =1521)))

Packet number 19:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 1521
 Dst port: 63055
Packet Type: Accept
 Accepted: Yes
 Payload (32 bytes):
00000   00 20 00 00 02 00 00 00  01 3a 0c 41 20 00 7f ff    . .......:.A ...
00016   01 00 00 00 00 20 41 41  00 00 00 00 00 00 00 00    ..... AA........

2. Using JDBC Type 4

Packet number 4:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 49699
 Dst port: 1521
Packet Type: Connect
 Version: 01 36
 SDU/TDU: 8192 / 32512
SERVICE_NAME: <N/A>
 SID: db11200
 HOST: __jdbc__
 PROGRAM: JDBC Thin Client
 USER: slavik
 Payload (211 bytes):
00000   00 d3 00 00 01 00 00 00  01 36 01 2c 0e 41 20 00    .........6.,.A .
00016   7f ff 4f 98 00 00 00 01  00 99 00 3a 00 00 00 00    ..O........:....
00032   01 01 00 00 00 00 00 00  00 00 00 00 00 00 00 00    ................
00048   00 00 00 00 00 00 00 00  00 00 28 44 45 53 43 52    ..........(DESCR
00064   49 50 54 49 4f 4e 3d 28  43 4f 4e 4e 45 43 54 5f    IPTION=(CONNECT_
00080   44 41 54 41 3d 28 53 49  44 3d 64 62 31 31 32 30    DATA=(SID=db1120
00096   30 29 28 43 49 44 3d 28  50 52 4f 47 52 41 4d 3d    0)(CID=(PROGRAM=
00112   4a 44 42 43 20 54 68 69  6e 20 43 6c 69 65 6e 74    JDBC Thin Client
00128   29 28 48 4f 53 54 3d 5f  5f 6a 64 62 63 5f 5f 29    )(HOST=__jdbc__)
00144   28 55 53 45 52 3d 73 6c  61 76 69 6b 29 29 29 28    (USER=slavik)))(
00160   41 44 44 52 45 53 53 3d  28 50 52 4f 54 4f 43 4f    ADDRESS=(PROTOCO
00176   4c 3d 74 63 70 29 28 48  4f 53 54 3d 6c 6f 63 61    L=tcp)(HOST=loca
00192   6c 68 6f 73 74 29 28 50  4f 52 54 3d 31 35 32 31    lhost)(PORT=1521
00208   29 29 29                                            )))

Packet number 6:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 1521
 Dst port: 49699
Packet Type: Resend
 Payload (8 bytes):
00000   00 08 00 00 0b 00 00 00                             ........

Packet number 8:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 49699
 Dst port: 1521
Packet Type: Connect
 Version: 01 36
 SDU/TDU: 8192 / 32512
SERVICE_NAME: <N/A>
 SID: db11200
 HOST: __jdbc__
 PROGRAM: JDBC Thin Client
 USER: slavik
 Payload (211 bytes):
00000   00 d3 00 00 01 00 00 00  01 36 01 2c 0e 41 20 00    .........6.,.A .
00016   7f ff 4f 98 00 00 00 01  00 99 00 3a 00 00 00 00    ..O........:....
00032   01 01 00 00 00 00 00 00  00 00 00 00 00 00 00 00    ................
00048   00 00 00 00 00 00 00 00  00 00 28 44 45 53 43 52    ..........(DESCR
00064   49 50 54 49 4f 4e 3d 28  43 4f 4e 4e 45 43 54 5f    IPTION=(CONNECT_
00080   44 41 54 41 3d 28 53 49  44 3d 64 62 31 31 32 30    DATA=(SID=db1120
00096   30 29 28 43 49 44 3d 28  50 52 4f 47 52 41 4d 3d    0)(CID=(PROGRAM=
00112   4a 44 42 43 20 54 68 69  6e 20 43 6c 69 65 6e 74    JDBC Thin Client
00128   29 28 48 4f 53 54 3d 5f  5f 6a 64 62 63 5f 5f 29    )(HOST=__jdbc__)
00144   28 55 53 45 52 3d 73 6c  61 76 69 6b 29 29 29 28    (USER=slavik)))(
00160   41 44 44 52 45 53 53 3d  28 50 52 4f 54 4f 43 4f    ADDRESS=(PROTOCO
00176   4c 3d 74 63 70 29 28 48  4f 53 54 3d 6c 6f 63 61    L=tcp)(HOST=loca
00192   6c 68 6f 73 74 29 28 50  4f 52 54 3d 31 35 32 31    lhost)(PORT=1521
00208   29 29 29                                            )))

Packet number 10:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 1521
 Dst port: 49699
Packet Type: Accept
 Accepted: Yes
 Payload (32 bytes):
00000   00 20 00 00 02 00 00 00  01 36 0e 41 20 00 7f ff    . .......6.A ...
00016   01 00 00 00 00 20 41 01  00 00 00 00 00 00 00 00    ..... A.........

3. Using an OCI with 10g client

Packet number 4:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 40196
 Dst port: 1521
Packet Type: Connect
 Version: 01 39
 SDU/TDU: 2048 / 32512
SERVICE_NAME: db11200
 SID: <N/A>
 HOST: slavik-laptop
 PROGRAM: ocitest
 USER: slavik
 Payload (216 bytes):
00000   00 d8 00 00 01 00 00 00  01 39 01 2c 0c 01 08 00    .........9.,....
00016   7f ff 7f 08 00 00 01 00  00 9e 00 3a 00 00 02 00    ...........:....
00032   41 41 00 00 00 00 00 00  00 00 00 00 00 00 00 00    AA..............
00048   00 00 00 00 00 00 00 00  00 00 28 44 45 53 43 52    ..........(DESCR
00064   49 50 54 49 4f 4e 3d 28  43 4f 4e 4e 45 43 54 5f    IPTION=(CONNECT_
00080   44 41 54 41 3d 28 53 45  52 56 49 43 45 5f 4e 41    DATA=(SERVICE_NA
00096   4d 45 3d 64 62 31 31 32  30 30 29 28 43 49 44 3d    ME=db11200)(CID=
00112   28 50 52 4f 47 52 41 4d  3d 6f 63 69 74 65 73 74    (PROGRAM=ocitest
00128   29 28 48 4f 53 54 3d 73  6c 61 76 69 6b 2d 6c 61    )(HOST=slavik-la
00144   70 74 6f 70 29 28 55 53  45 52 3d 73 6c 61 76 69    ptop)(USER=slavi
00160   6b 29 29 29 28 41 44 44  52 45 53 53 3d 28 50 52    k)))(ADDRESS=(PR
00176   4f 54 4f 43 4f 4c 3d 54  43 50 29 28 48 4f 53 54    OTOCOL=TCP)(HOST
00192   3d 31 32 37 2e 30 2e 30  2e 31 29 28 50 4f 52 54    =127.0.0.1)(PORT
00208   3d 31 35 32 31 29 29 29                             =1521)))

Packet number 6:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 1521
 Dst port: 40196
Packet Type: Resend
 Payload (8 bytes):
00000   00 08 00 00 0b 00 00 00                             ........

Packet number 8:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 40196
 Dst port: 1521
Packet Type: Connect
 Version: 01 39
 SDU/TDU: 2048 / 32512
SERVICE_NAME: db11200
 SID: <N/A>
 HOST: slavik-laptop
 PROGRAM: ocitest
 USER: slavik
 Payload (216 bytes):
00000   00 d8 00 00 01 00 00 00  01 39 01 2c 0c 01 08 00    .........9.,....
00016   7f ff 7f 08 00 00 01 00  00 9e 00 3a 00 00 02 00    ...........:....
00032   41 41 00 00 00 00 00 00  00 00 00 00 00 00 00 00    AA..............
00048   00 00 00 00 00 00 00 00  00 00 28 44 45 53 43 52    ..........(DESCR
00064   49 50 54 49 4f 4e 3d 28  43 4f 4e 4e 45 43 54 5f    IPTION=(CONNECT_
00080   44 41 54 41 3d 28 53 45  52 56 49 43 45 5f 4e 41    DATA=(SERVICE_NA
00096   4d 45 3d 64 62 31 31 32  30 30 29 28 43 49 44 3d    ME=db11200)(CID=
00112   28 50 52 4f 47 52 41 4d  3d 6f 63 69 74 65 73 74    (PROGRAM=ocitest
00128   29 28 48 4f 53 54 3d 73  6c 61 76 69 6b 2d 6c 61    )(HOST=slavik-la
00144   70 74 6f 70 29 28 55 53  45 52 3d 73 6c 61 76 69    ptop)(USER=slavi
00160   6b 29 29 29 28 41 44 44  52 45 53 53 3d 28 50 52    k)))(ADDRESS=(PR
00176   4f 54 4f 43 4f 4c 3d 54  43 50 29 28 48 4f 53 54    OTOCOL=TCP)(HOST
00192   3d 31 32 37 2e 30 2e 30  2e 31 29 28 50 4f 52 54    =127.0.0.1)(PORT
00208   3d 31 35 32 31 29 29 29                             =1521)))

Packet number 10:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 1521
 Dst port: 40196
Packet Type: Accept
 Accepted: Yes
 Payload (32 bytes):
00000   00 20 00 00 02 00 00 00  01 39 0c 01 08 00 7f ff    . .......9......
00016   01 00 00 00 00 20 41 41  00 00 00 00 00 00 00 00    ..... AA........

This is using an Oracle server 11gR2 (11.2.0.1) 64bit.

So, my question is – why? Is this a clumsy attempt to thwart discovery tools? Some sort of a defense mechanism?

I would appreciate any insights here. I’m sure that there are knowledgeable people out there who know the answer.