Security Incidents mailing list archives

Re: Type 8 Overload


From: John <johns () TAMPABAY RR COM>
Date: Tue, 20 Feb 2001 00:12:37 -0500

The same thing has been going on here today, but a little more than you described. I am also stumped as to why this is going on. The only thing I can conclude is that a Freedom client here is generating the traffic because some of the destinations belong to various Freedom blocks. As for the alphabet, I think that is the payload Microsoft Windows 2000 uses for its ping utility (correct me if I am wrong).

----- Original Message -----
From: Rooster <rooster () MAREX COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Monday, February 19, 2001 1:49 PM
Subject: Type 8 Overload


: List,
:
: This has me concerned:
:
: 540 packets received between 10:55:48 and 11:05:25. Source IP
: (64.6.180.88) to a private box (10.x.x.x) on our internal subnet. Is it
: possible these packets could get by our firewall and deliver an echo-reply
: back to the attacker? What do you see happening here? The source IP belongs
: to a company called Phoenix Data Systems out of St. Louis.
:
: [**] IDS159 - PING Microsoft Windows [**]
: 02/17-11:32:29.553693 64.6.180.88 -> 192.x.x.x
: ICMP TTL:127 TOS:0x0 ID:4679 IpLen:20 DgmLen:60
: Type:8  Code:0  ID:512   Seq:6400  ECHO
: 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
: 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi
:
: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
:
:
: This first packet is the only one I received from this source on this day.
: The payload has me suspicious. Could this have been crafted by the attacker?
: The alphabet is what has me leaning in that direction. The sequence numbers
: are all 256 bytes apart. The IDs are the same and never change. 192.x.x.x is a
: box on our DMZ. Any ideas?
:
: =+=+=+=+
:
: [**] IDS159 - PING Microsoft Windows [**]
: 02/18-10:55:48.380987 64.6.180.88 -> 10.x.x.x
: ICMP TTL:127 TOS:0x0 ID:13787 IpLen:20 DgmLen:60
: Type:8  Code:0  ID:512   Seq:3840  ECHO
: 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
: 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi
:
: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
:
: [**] IDS159 - PING Microsoft Windows [**]
: 02/18-10:55:49.379163 64.6.180.88 -> 10.x.x.x
: ICMP TTL:127 TOS:0x0 ID:13790 IpLen:20 DgmLen:60
: Type:8  Code:0  ID:512   Seq:4096  ECHO
: 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
: 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi
:
: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
:
: [**] IDS159 - PING Microsoft Windows [**]
: 02/18-10:55:50.380201 64.6.180.88 -> 10.x.x.x
: ICMP TTL:127 TOS:0x0 ID:13791 IpLen:20 DgmLen:60
: Type:8  Code:0  ID:512   Seq:4352  ECHO
: 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
: 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi
:
: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
:
: These three packets keep coming at a constant rate. Although I am only
: showing you 3 traces here, I have 540 of them as I mentioned above. This is
: from my snort sensor. Anyone else see PING Microsoft Windows before?
:
:
: Thank you,
:
: Rooster.
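
An added example, not part of the thread and not code from either poster: a small Python script that parses Snort alert blocks of the shape quoted above and checks the two things a defender would want confirmed before escalating. The sample input is constructed from the three traces in the original message (addresses as redacted there). It compares the payload against the well-known 32-byte default payload of the Windows ping utility, and it re-reads the 16-bit ICMP ID and sequence fields byte-swapped, i.e. as a little-endian host would have written them into the packet without converting to network order; that interpretation is mine, and it is what makes the sequence numbers appear 256 apart and the ID sit at 512 in the sensor output. The record layout, field names and the `analyse` summary are my own choices, not a Snort API.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input: three Snort alert blocks in the shape of the
# traces quoted in the thread (addresses are already redacted there).
SAMPLE_ALERTS = """\
[**] IDS159 - PING Microsoft Windows [**]
02/18-10:55:48.380987 64.6.180.88 -> 10.x.x.x
ICMP TTL:127 TOS:0x0 ID:13787 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:3840  ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

[**] IDS159 - PING Microsoft Windows [**]
02/18-10:55:49.379163 64.6.180.88 -> 10.x.x.x
ICMP TTL:127 TOS:0x0 ID:13790 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:4096  ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

[**] IDS159 - PING Microsoft Windows [**]
02/18-10:55:50.380201 64.6.180.88 -> 10.x.x.x
ICMP TTL:127 TOS:0x0 ID:13791 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:4352  ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi
"""

# Default 32-byte payload of the Windows ping utility: the alphabet wraps
# after 'w' because the buffer is filled with a..w repeating.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

TS_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
IP_RE = re.compile(r"^ICMP TTL:(\d+) TOS:\S+ ID:(\d+) IpLen:(\d+) DgmLen:(\d+)$")
ICMP_RE = re.compile(r"^Type:(\d+)\s+Code:(\d+)\s+ID:(\d+)\s+Seq:(\d+)")


@dataclass
class EchoRequest:
    timestamp: datetime
    src: str
    dst: str
    ttl: int
    ip_id: int
    icmp_id: int
    seq: int
    payload: bytes


def parse_alerts(text):
    """Parse blank-line-separated Snort alert blocks into EchoRequest records."""
    requests = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if not lines or not lines[0].startswith("[**]"):
            continue
        ts, src, dst = TS_RE.match(lines[1]).groups()
        ttl, ip_id, _iplen, _dgmlen = (int(x) for x in IP_RE.match(lines[2]).groups())
        typ, _code, icmp_id, seq = (int(x) for x in ICMP_RE.match(lines[3]).groups())
        if typ != 8:
            continue  # only echo requests are of interest here
        payload = b""
        for hexline in lines[4:]:
            hexpart = hexline.split("  ", 1)[0]  # drop the ASCII column
            payload += bytes.fromhex(hexpart.replace(" ", ""))
        requests.append(EchoRequest(datetime.strptime(ts, "%m/%d-%H:%M:%S.%f"),
                                    src, dst, ttl, ip_id, icmp_id, seq, payload))
    return requests


def host_order(value):
    """Re-read a 16-bit field as a little-endian host wrote it (byte swap)."""
    return ((value & 0xFF) << 8) | ((value >> 8) & 0xFF)


def analyse(requests):
    """Summarise a run of echo requests: payload match, seq stride, timing."""
    seqs = [r.seq for r in requests]
    times = [r.timestamp for r in requests]
    span = (times[-1] - times[0]).total_seconds()
    return {
        "sources": sorted({r.src for r in requests}),
        "windows_payload": all(r.payload == WINDOWS_PING_PAYLOAD for r in requests),
        "seq_stride": {b - a for a, b in zip(seqs, seqs[1:])},
        "host_order_seq": [host_order(s) for s in seqs],
        "host_order_id": sorted({host_order(r.icmp_id) for r in requests}),
        "mean_interval_s": span / (len(requests) - 1) if len(requests) > 1 else None,
    }


if __name__ == "__main__":
    for key, value in analyse(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{key}: {value}")
```

On the three quoted traces the stride is 256, the byte-swapped sequence numbers are 15, 16, 17 and the byte-swapped ID is 2, which is what one Windows ping process counting up by one per packet looks like at the sensor; the first-day packet (Seq:6400) swaps to 25 the same way. 540 packets between 10:55:48 and 11:05:25, roughly 577 seconds, matches the one-second interval the script reports. The script only describes what the sensor saw; the firewall question in the thread is answered by checking whether the perimeter policy permits inbound echo requests to the internal range at all and whether echo replies are permitted outbound.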

