Security Incidents mailing list archives

Re: strange icmp traffic


From: jwl () POBOX COM (Jacob Langseth)
Date: Tue, 11 Jan 2000 17:49:23 -0800


Dariusz Zmokly scribed:
> hi !
>
> I have just started IMON V 0.9b and see strange things. My network is
> 212.160.143.0 - 212.160.143.31. How is it possible to see ICMP packets
> having both origin and destination set to addresses out of my network ?
> Does it mean that some host here has been owned ?
>
> 203.227.180.210 -> 3.150.160.18 (IPv2) was 'echo reply'

Is this verbatim?  IPv2 *can't* be right...

As to how you saw these within your network, there are
two possibilities:  1) the packets were source routed
through your network (have you taken any detailed packet
captures?) or 2) the origin of the packets are w/in your
network, and someone is spoofing the source address.
Incidentally, this is the type of behaviour one might
expect if a tfn2k client was operating on your network.
Please capture one of these packets and examine it;
does it 1) show (loose|strict) source route options
and 2) what does the data payload look like?  If it
appears to be uuencoded, it could very well be tfn2k.

A couple of utilities which might aid you:
    tcpdump -> for raw packet capture
    ethereal -> gui to examine ip options set (reads tcpdump output)
    pingsting -> utility for identifying most known ping traffic

A note about pingsting:  by default it initializes
libpcap to only catch echo requests, while in your
case you want to ident echo replies.  Change the
line which looks like

    filter = "ip[0:1]=0x45 and ip[2:2] >= 28 and ip[2:2] <= 1500 and icmp[0:1] = 8";
To look like
    filter = "ip[0:1]=0x45 and ip[2:2] >= 28 and ip[2:2] <= 1500 and icmp[0:1] = 0";
(type 0, echo reply) and it *should* accomplish what
you want.  (disclaimer:  I haven't tested this)

> 203.228.180.210 -> 5.140.128.16 (IPv2) was 'echo reply'
> 203.228.180.210 -> 5.140.128.24 (IPv2) was 'echo reply'
> 209.140.180.210 -> 5.140.128.24 (IPv2) was 'echo reply'
> 214.58.180.210 -> 5.140.128.17 (IPv2) was 'echo reply'
> 214.59.180.210 -> 5.141.128.16 (IPv2) was 'echo reply'
>
> [...]
>
> And :
>
> badly formed ICMP packet (type=96, code=50)
> 119.138.218.126 -> 20.173.176.18 (IPv13) was ''
> badly formed ICMP packet (type=97, code=27)
> 119.139.218.126 -> 22.178.128.16 (IPv13) was ''

Potentially the targa3() implementation in tfn2k?  It
initializes the packet to various random data, chooses
to make it tcp, udp or icmp, fills in enough protocol
information to transmit and then lets it rip.  The values
shown above look pretty bizarre to me, anyway.

NIPC has released a binary only tfn/trinoo/tfn2k/etc
detection utility, if you trust running arbitrary
code without the ability to inspect the source:
    http://www.fbi.gov/nipc/trinoo.htm
If tfn2k is the source, this might aid in its detection.

Hope this helps,
 Jacob Langseth
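The checks Jacob asks for by hand (is the echo reply source routed, do the addresses belong to the 212.160.143.0/27 range, does the payload look uuencoded) can be run over a raw IPv4 datagram in a few lines. This is an added example, not part of the original thread or of any of the tools named above; the packet builder constructs its own sample with zeroed checksums, and the local network and the "uuencoded-like" alphabet test are assumptions for illustration.

```python
import ipaddress
import struct

LOCAL_NET = ipaddress.ip_network("212.160.143.0/27")  # the poster's 212.160.143.0-31 range
# IP option kind bytes for loose (LSRR) and strict (SSRR) source routing, per RFC 791
SOURCE_ROUTE_OPTS = {0x83: "loose source route", 0x89: "strict source route"}
UU_ALPHABET = set(range(0x20, 0x61)) | {0x0A}  # bytes a uuencoded body is made of (heuristic)


def analyze_packet(raw: bytes, local_net=LOCAL_NET) -> dict:
    """Classify one raw IPv4 datagram along the lines the reply suggests."""
    ihl, proto = (raw[0] & 0x0F) * 4, raw[9]
    src, dst = ipaddress.ip_address(raw[12:16]), ipaddress.ip_address(raw[16:20])
    # Walk the IP options area (bytes 20..ihl) looking for source-route options.
    opts, i = [], 20
    while i < ihl:
        kind = raw[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # no-op, single byte
            i += 1
            continue
        if kind in SOURCE_ROUTE_OPTS:
            opts.append(SOURCE_ROUTE_OPTS[kind])
        i += max(raw[i + 1], 2)  # length byte covers kind+len; guard a malformed 0/1
    info = {"src": str(src), "dst": str(dst), "proto": proto, "source_route": opts,
            "src_in_net": src in local_net, "dst_in_net": dst in local_net}
    if proto == 1:               # ICMP: type/code, then the data after the 8-byte header
        info["icmp_type"], info["icmp_code"] = raw[ihl], raw[ihl + 1]
        payload = raw[ihl + 8:]
        info["payload_uuencoded_like"] = bool(payload) and all(b in UU_ALPHABET for b in payload)
    # The two explanations from the reply: routed through us, or forged from inside.
    if opts:
        info["verdict"] = "source-routed through this network"
    elif not info["src_in_net"] and not info["dst_in_net"]:
        info["verdict"] = "addresses foreign to this network: likely spoofed from inside"
    else:
        info["verdict"] = "ordinary traffic"
    return info


def build_sample(src, dst, icmp_type, payload, lsrr=True) -> bytes:
    """Constructed sample: IPv4 + optional LSRR option + ICMP header + payload (checksums zeroed)."""
    opt = bytes([0x83, 7, 4]) + ipaddress.ip_address("10.0.0.1").packed + b"\x00" if lsrr else b""
    ihl = 20 + len(opt)
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl // 4, 0, ihl + len(icmp), 0, 0, 64, 1, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + opt + icmp
```

Feed it the bytes of a packet captured with tcpdump and it reports which of the two explanations fits; a packet with neither source-route options nor in-range addresses is the "someone inside is spoofing" case.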

