Security Incidents mailing list archives
Strange ICMP packets
From: "Portnoy, Gary" <gportnoy () BELENOSINC COM>
Date: Fri, 16 Feb 2001 17:15:06 -0500
Hi there,

For the past few days, I've been seeing a lot of strange ICMP packets blocked by my firewall. The strangeness is in the fact that they appear to be ICMP packets (IP protocol=1), but there is no ICMP payload... They come at the rate of about 2-3 per second, the source IP always different, never repeating... For some reason Checkpoint reports it as icmp-type 8 code 0 (Echo Request), but there is nothing in the packet that can confirm that. I am guessing it's a checkpoint bug...

I got the following two packet captures using snoop, one is of the strange packet that I am talking about, and the other is of me generating an echo request (notice the ICMP section in the second, but not the first)....

Suspect packet:

ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 1 arrived at 17:05:16.57
ETHER:  Packet size = 60 bytes
ETHER:  Destination = 8:0:20:d9:22:e8, Sun
ETHER:  Source      = 0:2:4b:d2:cf:c0,
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 28 bytes
IP:   Identification = 62524
IP:   Flags = 0x0
IP:         .0.. .... = may fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 117 seconds/hops
IP:   Protocol = 1 (ICMP)
IP:   Header checksum = f4db
IP:   Source address = 216.45.66.230, 216.45.66.230
IP:   Destination address = x.y.z.196, x.y.z.196
IP:   No options
IP:

Normal echo request:

ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 5 arrived at 17:05:46.57
ETHER:  Packet size = 74 bytes
ETHER:  Destination = 8:0:20:d9:22:e8, Sun
ETHER:  Source      = 0:2:4b:d2:cf:c0,
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 60 bytes
IP:   Identification = 14412
IP:   Flags = 0x0
IP:         .0.. .... = may fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 19 seconds/hops
IP:   Protocol = 1 (ICMP)
IP:   Header checksum = 7c67
IP:   Source address = a.b.c.62, a.b.c.62
IP:   Destination address = x.y.z.196, x.y.z.196
IP:   No options
IP:
ICMP:  ----- ICMP Header -----
ICMP:
ICMP:  Type = 8 (Echo request)
ICMP:  Code = 0
ICMP:  Checksum = c856
ICMP:

Any ideas?

Gary Portnoy
Network Administrator
617-345-6252
gportnoy () belenosinc com
www.belenosinc.com
PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C
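An added example, not part of Gary's post or of the snoop tool: the question a defender wants answered about such a packet is what the IP header itself says is present after the 20-byte header. In the suspect capture the IP total length is 28 bytes, which leaves exactly 8 bytes, the size of an ICMP echo header, while the 60-byte frame size includes Ethernet padding that a naive parser would misread as payload. The script below parses an IPv4 packet, trims it to its total length before looking for ICMP, reports "no complete header" when fewer than 8 bytes follow the IP header, and otherwise decodes type and code and verifies the ICMP checksum. The sample packets are constructed here (documentation-range addresses, made-up identifier and sequence values); only the total lengths, TTLs and IP identification numbers mirror the two captures above.

```python
"""Classify an IPv4 packet by what its headers actually contain (added example, constructed input)."""
import socket
import struct

ICMP_HEADER_LEN = 8  # type(1) code(1) checksum(2) identifier(2) sequence(2), RFC 792 echo layout
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request", 11: "time exceeded"}
IP_HDR_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words; returns 0 for a buffer whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int = 0, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (no options) with a correct header checksum."""
    total_len = 20 + len(payload)
    hdr = struct.pack(IP_HDR_FMT, 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_echo(ident: int, seq: int, data: bytes = b"") -> bytes:
    """Build an ICMP echo request (type 8, code 0) with a correct checksum."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, inet_checksum(hdr + data), ident, seq) + data


def classify(packet: bytes) -> dict:
    """packet: IPv4 packet as taken from the wire; may carry trailing Ethernet padding."""
    if len(packet) < 20:
        return {"verdict": "truncated IP header"}
    version_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(IP_HDR_FMT, packet[:20])
    ihl = (version_ihl & 0x0F) * 4
    result = {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
        "ip_total_length": total_len,
        "padding": max(0, len(packet) - total_len),  # bytes beyond what IP claims (frame padding)
    }
    if proto != 1:
        result["verdict"] = "not ICMP (protocol %d)" % proto
        return result
    # Trust the IP total length, not the frame size: minimum-size Ethernet frames are padded.
    body = packet[ihl:total_len]
    result["icmp_bytes"] = len(body)
    if len(body) < ICMP_HEADER_LEN:
        result["verdict"] = ("ICMP with no complete header (%d bytes after IP header); "
                             "type/code cannot be determined" % len(body))
        return result
    icmp_type, code = body[0], body[1]
    result["type"], result["code"] = icmp_type, code
    result["name"] = ICMP_TYPES.get(icmp_type, "type %d" % icmp_type)
    result["checksum_ok"] = inet_checksum(body) == 0
    result["data_bytes"] = len(body) - ICMP_HEADER_LEN
    result["verdict"] = result["name"] + ("" if result["checksum_ok"] else " (bad checksum)")
    return result


# Constructed samples (not the bytes from the post). Trailing zero bytes stand in for Ethernet padding.
HEADERLESS = build_ipv4("192.0.2.10", "198.51.100.196", 1, b"", ident=62524, ttl=117) + b"\x00" * 26
HEADER_ONLY = build_ipv4("192.0.2.10", "198.51.100.196", 1, build_icmp_echo(1, 1),
                         ident=62524, ttl=117) + b"\x00" * 18           # total length 28, as in the suspect capture
NORMAL_ECHO = build_ipv4("192.0.2.20", "198.51.100.196", 1, build_icmp_echo(1, 1, b"A" * 32),
                         ident=14412, ttl=19)                           # total length 60, as in the normal capture

if __name__ == "__main__":
    for label, pkt in (("headerless", HEADERLESS), ("header-only", HEADER_ONLY), ("normal", NORMAL_ECHO)):
        print(label, classify(pkt))
```

Run over a real capture, the "padding" and "icmp_bytes" fields separate two cases that a one-line firewall log merges: a protocol-1 packet whose IP total length leaves room for no ICMP header at all, and one that carries a bare 8-byte echo header with zero data. A firewall that reports type 8 code 0 for the first case is reading bytes the IP header says are not there.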