War story: almost zero is not good enough
Some fifteen years ago we were building a router-based network using primarily baseband modems (that's how the DSL boxes with symmetrical speeds were called back then). Everything worked great, we even had DECnet running between a few sites. However, after a few weeks, a mystery phenomena crept up: when the users were copying files between two VAX computers, the link between the sites went down … always when copying the same file.
To make the long story short: every modem uses a predefined sequence that enables remote loopback. These sequences are standardized and have been chosen so that the chance of hitting them with real traffic is close to zero (but obviously not zero). The file that the users were trying to copy contained just the correct sequence to trigger the remote loopback in one of the modems and the link went down (most probably changed state to looped) as the routers started to receive their own packets. Disabling remote loopback on the modem (a jumper in those days) solved the problem.
The moral of the story: whenever you use pattern matching to identify something (be it a specific application that you're trying to identify or a virus in your workstation), there is a non-zero chance of false positives, usually in the most unusual places.
Let's conclude this post with what seems to me a ludicrous “invention”: someone patented the flashing of LEDs when performing loopback tests on a modem. If anyone can survive reading the whole patent application, understand it and recognize its true added value, please let me know … I got completely lost.
To make the long story short: every modem uses a predefined sequence that enables remote loopback. These sequences are standardized and have been chosen so that the chance of hitting them with real traffic is close to zero (but obviously not zero). The file that the users were trying to copy contained just the correct sequence to trigger the remote loopback in one of the modems and the link went down (most probably changed state to looped) as the routers started to receive their own packets. Disabling remote loopback on the modem (a jumper in those days) solved the problem.
The moral of the story: whenever you use pattern matching to identify something (be it a specific application that you're trying to identify or a virus in your workstation), there is a non-zero chance of false positives, usually in the most unusual places.
Let's conclude this post with what seems to me a ludicrous “invention”: someone patented the flashing of LEDs when performing loopback tests on a modem. If anyone can survive reading the whole patent application, understand it and recognize its true added value, please let me know … I got completely lost.
http://en.wikipedia.org/wiki/
Command_and_Data_modes_%28modem%29
And actually, the moral of the story is: please, no CONTROL over the DATA channel :)
We could argue that modern devices run control and data over the same media (haven't yet seen a router with ethernet interfaces for forwarding packets, and ethernet interfaces for routing protocol ;)), but those are different protocols sharing the same media - routers don't try to find LSA updates in the middle of the DATA stream for an FTP transfer (or not that I know ;))
@Anonymous(2) (gee, it's hard to tell you guys apart, you all look the same :) The IGMP snooping is well-controlled activity. The switch knows what Ethernet frames are, knows which frames are IGMP frames and knows where to look and how to interpret the data ... whereas the stupid modem just latched onto whatever looked like the right bitstream having no clue about frames or anything above them.