Security Incidents mailing list archives
Re: Type 8 Overload
From: John <johns () TAMPABAY RR COM>
Date: Tue, 20 Feb 2001 00:12:37 -0500
The same thing has been going on here today, but a little more than you described. I am also stumped as to why this is going on. The only thing I can conclude is that a Freedom client here is generating the traffic, because some of the destinations belong to various Freedom blocks. As for the alphabet, I think that is the payload Microsoft Windows 2000 uses for its ping utility (correct me if I am wrong).

----- Original Message -----
From: Rooster <rooster () MAREX COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Monday, February 19, 2001 1:49 PM
Subject: Type 8 Overload

: List,
:
: This has me concerned:
:
: 540 packets received between 10:55:48 and 11:05:25. Source IP (64.6.180.88) to a private box (10.x.x.x) on our internal subnet. Is it possible these packets could get by our firewall and deliver an echo-reply back to the attacker? What do you see happening here? The source IP belongs to a company called Phoenix Data Systems out of St. Louis.
:
: [**] IDS159 - PING Microsoft Windows [**]
: 02/17-11:32:29.553693 64.6.180.88 -> 192.x.x.x
: ICMP TTL:127 TOS:0x0 ID:4679 IpLen:20 DgmLen:60
: Type:8 Code:0 ID:512 Seq:6400 ECHO
: 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop
: 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi
:
: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
:
:
: This first packet is the only one I received from this source on this day. The payload has me suspicious. Could this have been crafted by the attacker? The alphabet is what has me leaning in that direction. The sequence numbers are all 256 bytes apart. The IDs are the same and never change. 192.x.x.x is a box on our DMZ. Any ideas?
:
: =+=+=+=+
:
: [**] IDS159 - PING Microsoft Windows [**]
: 02/18-10:55:48.380987 64.6.180.88 -> 10.x.x.x
: ICMP TTL:127 TOS:0x0 ID:13787 IpLen:20 DgmLen:60
: Type:8 Code:0 ID:512 Seq:3840 ECHO
: 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop
: 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi
:
: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
:
: [**] IDS159 - PING Microsoft Windows [**]
: 02/18-10:55:49.379163 64.6.180.88 -> 10.x.x.x
: ICMP TTL:127 TOS:0x0 ID:13790 IpLen:20 DgmLen:60
: Type:8 Code:0 ID:512 Seq:4096 ECHO
: 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop
: 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi
:
: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
:
: [**] IDS159 - PING Microsoft Windows [**]
: 02/18-10:55:50.380201 64.6.180.88 -> 10.x.x.x
: ICMP TTL:127 TOS:0x0 ID:13791 IpLen:20 DgmLen:60
: Type:8 Code:0 ID:512 Seq:4352 ECHO
: 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop
: 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi
:
: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
:
: These three packets keep coming at a constant rate. Although I am only showing you 3 traces here, I have 540 of them as I mentioned above. This is from my snort sensor. Anyone else see PING Microsoft Windows before?
:
:
: Thank you,
:
: Rooster.
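As an added example (not part of the original thread), the Python below parses Snort text alerts of the shape quoted above and checks the three things the poster noticed: the fixed alphabet payload, the ICMP ID that never changes, and sequence numbers 256 apart. That combination is what stock Windows ping looks like when Snort prints the tool's little-endian sequence counter in network byte order. The sample alerts are constructed from the thread's captures, with 10.0.0.5 standing in for the masked 10.x.x.x host.

```python
import re
from datetime import datetime
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # stock 32-byte Windows ping data
# Constructed sample in the Snort format quoted in the thread; 10.0.0.5 stands in for the masked 10.x.x.x host.
SAMPLE_ALERTS = """\
02/18-10:55:48.380987 64.6.180.88 -> 10.0.0.5
ICMP TTL:127 TOS:0x0 ID:13787 IpLen:20 DgmLen:60
Type:8 Code:0 ID:512 Seq:3840 ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi
02/18-10:55:49.379163 64.6.180.88 -> 10.0.0.5
ICMP TTL:127 TOS:0x0 ID:13790 IpLen:20 DgmLen:60
Type:8 Code:0 ID:512 Seq:4096 ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi
02/18-10:55:50.380201 64.6.180.88 -> 10.0.0.5
ICMP TTL:127 TOS:0x0 ID:13791 IpLen:20 DgmLen:60
Type:8 Code:0 ID:512 Seq:4352 ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi
"""
ALERT_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) -> \S+\n"
    r"ICMP TTL:\d+ TOS:\S+ ID:\d+ IpLen:\d+ DgmLen:\d+\n"
    r"Type:(?P<type>\d+) Code:\d+ ID:(?P<icmpid>\d+) Seq:(?P<seq>\d+) ECHO\n"
    r"(?P<dump>(?:[0-9A-F]{2} .*\n)+)")

def parse_alerts(text):
    """One dict per ICMP record in Snort's text alert output (hex column decoded to bytes)."""
    recs = []
    for m in ALERT_RE.finditer(text):
        hexpart = "".join(re.findall(r"^((?:[0-9A-F]{2} )+)", m["dump"], re.M))
        recs.append({"ts": datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f"),
                     "src": m["src"], "type": int(m["type"]), "icmpid": int(m["icmpid"]),
                     "seq": int(m["seq"]), "payload": bytes.fromhex(hexpart)})
    return recs

def profile(recs):
    """Does a run of echo requests look like stock Windows ping rather than crafted packets?"""
    seqs = [r["seq"] for r in recs]
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
    return {
        "windows_payload": all(r["payload"] == WINDOWS_PING_PAYLOAD for r in recs),
        "constant_icmp_id": len({r["icmpid"] for r in recs}) == 1,
        # Windows ping counts the 16-bit sequence in host (little-endian) order;
        # Snort prints it in network order, so a +1 step appears as +256.
        "seq_steps": sorted({b - a for a, b in zip(seqs, seqs[1:])}),
        "seq_host_order": [((s & 0xFF) << 8) | (s >> 8) for s in seqs],
        "mean_gap_s": round(sum(gaps) / len(gaps), 2) if gaps else None,
    }
```

Byte-swapping the quoted Seq values 3840, 4096 and 4352 gives 15, 16 and 17, a plain counter, and the constant ICMP ID 512 is 2 in the same byte order.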
Current thread:
- Type 8 Overload Rooster (Feb 19)
- Re: Type 8 Overload John (Feb 19)