Security Incidents mailing list archives
Re: 85.85.85.85 weirdness
From: keith_hess () HP COM (HESS,KEITH (HP-Boise,ex1))
Date: Wed, 19 Jul 2000 13:19:56 -0600
FYI, looks like a binary 1010.... Perhaps an ethernet preamble run away from a defective NIC or hub port some place.

-----Original Message-----
From: Corbin Siddall [mailto:Csiddall () areawidenet com]
Sent: Wednesday, July 19, 2000 8:03 AM
To: incidents () securityfocus com; wozz+incidents () wookie net
Cc: nfr-users () nfr net
Subject: Re: 85.85.85.85 weirdness

I have seen the LAND 85.85.85.85 attacks on our network a few months back. We were having a problem with one of our routers at the same time. When I swapped out the router, NFR no longer picked up those messages.

-------------------------------------------------------------
Corbin B. Siddall, MCSE, CCNA, CCDA, CCA
Senior Network Engineer
Area-Wide Networking Technologies, INC.
"Let the Ring of Excellence keep your 'Net' working!"
Web: http://www.areawidenet.com
Phone: 217.359.8041
FAX: 217.359.8113

>>> Wozz <wozz+incidents () wookie net> 07/18/00 08:37PM >>>
Anyone have any idea what I might be seeing here? I just turned up an NFR probe at Exodus in DC, and I'm seeing all sorts of traffic as follows:

NFR: dc-probefe
Source: 85.85.85.85
Destination: 85.85.85.85
Type of attack: Land
Protocol: 1
Src Port: 0
DST Port: 0
ICMP Type: 85
ICMP Code: 85
Packet:
E\\x00\\x008\\x80\\x1e\\x00\\x00\\x01\\x01UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Count: 1

I also get occasional variations as follows:

NFR: dc-probefe
Source: 85.85.85.85
Destination: 85.85.85.85
Type of attack: Land
Protocol: 6
Src Port: 21845
DST Port: 21845
ICMP Type: 0
ICMP Code: 0
Packet:
E\\x00\\x02`\\xc6\\x01@\\x00\\xff\\x06\\xd7\\xf6UUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Count: 1

and

NFR: dc-probefe
Source: 85.85.85.85
Destination: 85.85.85.85
Type of attack: Land
Protocol: 17
Src Port: 21845
DST Port: 21845
ICMP Type: 0
ICMP Code: 0
Packet:
E\\x00\\x00""\\xe1\\xd3\\x00\\x00@\\x11\\x12UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Count: 1

My probe is sitting in front of my firewall box, and when I do a tcpdump on my firewall searching for any of these packets, nothing comes up. The only thing I can figure is that this is some sort of weird packet that's being misinterpreted by NFR. Perhaps some sort of ethernet broadcast being used by Exodus's Foundry VLANs?

Just curious if anyone else has seen anything like this on an NFR system or otherwise.

****************************************************************
TO POST A MESSAGE on this list, send it to nfr-users () nfr net.
TO UNSUBSCRIBE from this list, send the following text in the message body
(not subject line) to majordomo () nfr net
unsubscribe nfr-users Your-Email-Address
****************************************************************
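The fill-pattern reading raised in this thread can be checked against the dumps: 0x55 is ASCII 'U', decimal 85 and binary 01010101 (the Ethernet preamble byte), so a frame padded with it decodes to exactly the fields NFR reported. This is an added example, not part of the original posts; the leading header bytes come from the dumps above, while the length of the U run, the 12-byte offset, the function names and the 192.0.2.10 comparison packet are constructed assumptions.

```python
import struct

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 and first L4 fields that the IDS alert reports."""
    ver_ihl, _tos, _len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    l4 = pkt[(ver_ihl & 0x0F) * 4:]
    out = {"proto": proto, "ttl": ttl,
           "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}
    if proto == 1 and len(l4) >= 2:           # ICMP: type, code
        out["icmp_type"], out["icmp_code"] = l4[0], l4[1]
    elif proto in (6, 17) and len(l4) >= 4:   # TCP/UDP: source and dest port
        out["sport"], out["dport"] = struct.unpack("!HH", l4[:4])
    return out

def uniform_fill(pkt: bytes, offset: int = 12) -> bool:
    """True when every byte from the address fields onward is one value."""
    tail = pkt[offset:]
    return len(tail) >= 8 and len(set(tail)) == 1

def triage(pkt: bytes) -> str:
    """Separate a LAND-style packet (src == dst) from a fill-pattern artifact."""
    f = parse_ipv4(pkt)
    if f["src"] != f["dst"]:
        return "not-land"
    return "fill-pattern artifact" if uniform_fill(pkt) else "land"

# Constructed from the dumps in the post: visible header bytes + a run of 'U'.
ICMP_ALERT = bytes.fromhex("45000038801e00000101") + b"U" * 46
TCP_ALERT = bytes.fromhex("45000260c6014000ff06d7f6") + b"U" * 44

# Constructed comparison: a well-formed TCP SYN with src == dst (192.0.2.10:139).
_ip = bytes([192, 0, 2, 10])
REAL_LAND = (struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0, _ip, _ip)
             + struct.pack("!HHIIBBHHH", 139, 139, 0, 0, 0x50, 0x02, 512, 0, 0))

if __name__ == "__main__":
    for name, pkt in [("icmp", ICMP_ALERT), ("tcp", TCP_ALERT),
                      ("real", REAL_LAND)]:
        print(name, parse_ipv4(pkt), triage(pkt))
```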
Current thread:
- Re: 85.85.85.85 weirdness Corbin Siddall (Jul 19)
- <Possible follow-ups>
- Re: 85.85.85.85 weirdness HESS,KEITH (HP-Boise,ex1) (Jul 19)
- Re: 85.85.85.85 weirdness David Meissner (Jul 22)