Security Incidents mailing list archives

Re: 85.85.85.85 weirdness


From: keith_hess () HP COM (HESS,KEITH (HP-Boise,ex1))
Date: Wed, 19 Jul 2000 13:19:56 -0600


FYI,

Looks like a binary 1010.... Perhaps an ethernet preamble run away from a
defective NIC or hub port some place.

                -----Original Message-----
                From:   Corbin Siddall [mailto:Csiddall () areawidenet com]
                Sent:   Wednesday, July 19, 2000 8:03 AM
                To:     incidents () securityfocus com; wozz+incidents () wookie net
                Cc:     nfr-users () nfr net
                Subject:        Re: 85.85.85.85 weirdness

                I have seen the LAND 85.85.85.85 attacks on our network a few
                months back.  We were having a problem with one of our routers
                at the same time.  When I swapped out the router, NFR no longer
                picked up those messages.

        
-------------------------------------------------------------
                Corbin B. Siddall, MCSE, CCNA, CCDA, CCA
                Senior Network Engineer

                Area-Wide Networking Technologies, INC.
                "Let the Ring of Excellence keep your 'Net' working!"

                Web: http://www.areawidenet.com
                Phone: 217.359.8041
                FAX: 217.359.8113

                >>> Wozz <wozz+incidents () wookie net> 07/18/00 08:37PM >>>
                Anyone have any idea what I might be seeing here?  I just
                turned up an NFR probe at Exodus in DC, and I'm seeing all
                sorts of traffic as follows

                NFR:                dc-probefe
                Source:             85.85.85.85
                Destination:        85.85.85.85
                Type of attack:     Land
                Protocol:           1
                Src Port:           0
                DST Port:           0
                ICMP Type:          85
                ICMP Code:          85
                Packet:

        
E\\x00\\x008\\x80\\x1e\\x00\\x00\\x01\\x01UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
                Count:                   1

                I also get occasional variations as follows

                NFR:                dc-probefe
                Source:             85.85.85.85
                Destination:        85.85.85.85
                Type of attack:     Land
                Protocol:           6
                Src Port:           21845
                DST Port:           21845
                ICMP Type:          0
                ICMP Code:          0
                Packet:

        
E\\x00\\x02`\\xc6\\x01@\\x00\\xff\\x06\\xd7\\xf6UUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
                Count:                   1

                and

                NFR:                dc-probefe
                Source:             85.85.85.85
                Destination:        85.85.85.85
                Type of attack:     Land
                Protocol:           17
                Src Port:           21845
                DST Port:           21845
                ICMP Type:          0
                ICMP Code:          0
                Packet:

        
E\\x00\\x00""\\xe1\\xd3\\x00\\x00@\\x11\\x12UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
                Count:                   1

                My probe is sitting in front of my firewall box, and when I do
                a tcpdump on my firewall searching for any of these packets,
                nothing comes up.  The only thing I can figure is that this is
                some sort of weird packet that's being misinterpreted by NFR.
                Perhaps some sort of ethernet broadcast being used by Exodus's
                Foundry VLANs?

                Just curious if anyone else has seen anything like this on an
                NFR system or otherwise.

        
****************************************************************
                TO POST A MESSAGE on this list, send it to
nfr-users () nfr net.
                TO UNSUBSCRIBE from this list, send the following text in
the
                message body (not subject line) to majordomo () nfr net

                unsubscribe nfr-users Your-Email-Address
        
****************************************************************
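
An added example, not part of the original thread and not NFR's own logic: it decodes a buffer shaped like the first alert to show how a run of 0x55 ('U', binary 01010101) yields 85.85.85.85, ICMP type/code 85 and port 21845 (0x5555), and flags a "Land" hit that is consistent with a repeated-byte fill. The names `decode`, `checksum_ok` and `looks_like_fill` are hypothetical.

```python
import struct

# Constructed sample: the ten leading bytes of the first alert's dump
# (45 00 00 38 80 1e 00 00 01 01) followed by 0x55 ('U') fill to 56 bytes.
SAMPLE = bytes.fromhex("45 00 00 38 80 1e 00 00 01 01") + b"\x55" * 46

ALTERNATING = {0x55, 0xAA}  # 01010101 / 10101010


def checksum_ok(header: bytes) -> bool:
    """IPv4 header check: the folded one's-complement sum must be 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode(pkt: bytes) -> dict:
    """Decode the fields an IDS alert reports (hypothetical helper)."""
    if len(pkt) < 24:
        raise ValueError("too short for an IPv4 header plus 4 L4 bytes")
    vihl, _, length, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl + 4:
        raise ValueError("not a usable IPv4 header")
    l4 = pkt[ihl:]
    out = {"proto": proto, "ttl": ttl, "length": length,
           "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
           "checksum_ok": checksum_ok(pkt[:ihl])}
    if proto == 1:                       # ICMP: type, code
        out["icmp_type"], out["icmp_code"] = l4[0], l4[1]
    elif proto in (6, 17):               # TCP/UDP: source and destination port
        out["sport"], out["dport"] = struct.unpack("!HH", l4[:4])
    return out


def looks_like_fill(pkt: bytes) -> bool:
    """True when src == dst is better explained by a repeated-byte fill:
    every byte from the addresses onward is one alternating-bit value
    and the IP header checksum does not verify."""
    f = decode(pkt)
    tail = set(pkt[12:])                 # addresses plus everything after
    return (f["src"] == f["dst"] and len(tail) == 1
            and tail <= ALTERNATING and not f["checksum_ok"])
```

The check keys on bytes from the address fields onward because the second alert's dump carries a non-0x55 checksum field ahead of the fill.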

        

