Security Incidents mailing list archives
ICMP Strangeness
From: "Portnoy, Gary" <gportnoy () BELENOSINC COM>
Date: Tue, 13 Mar 2001 16:13:26 -0500
This is to all ICMP wizards out there: I am seeing the following ICMP Echo Request coming in approximately every 25.5 seconds. The source is one of our users, the destination is our corporate web server. The firewall keeps dropping them, and the user's laptop keeps retrying. I can't get my hands on the user's laptop since he isn't in this office, and he is saying that nothing out of the ordinary is running on his laptop; however, the pings keep coming, with the payload of 01234567890123456890123456789, and the ever-increasing ICMP ID. This isn't a standard Windows ping payload (abcdefg, etc.), nor can I find this as a signature in Snort or ArachNIDS. Anybody have any ideas?

Snort captures:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/13-15:56:58.013901 8:0:20:B8:F2:36 -> 0:0:C:7:AC:1 type:0x800 len:0x48
laptop -> server ICMP TTL:126 TOS:0x0 ID:64025 IpLen:20 DgmLen:58
Type:8  Code:0  ID:51387   Seq:16132  ECHO
30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35  0123456789012345
36 37 38 39 30 31 32 33 34 35 36 37 38 39        67890123456789

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/13-15:57:23.521138 8:0:20:B8:F2:36 -> 0:0:C:7:AC:1 type:0x800 len:0x48
laptop -> server ICMP TTL:126 TOS:0x0 ID:64793 IpLen:20 DgmLen:58
Type:8  Code:0  ID:51388   Seq:16388  ECHO
30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35  0123456789012345
36 37 38 39 30 31 32 33 34 35 36 37 38 39        67890123456789

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I opened up ICMP on the firewall, and the laptop got a standard response, but 25.5 seconds later, it tried again, and again:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/13-15:58:24.099613 8:0:20:B8:F2:36 -> 0:0:C:7:AC:1 type:0x800 len:0x48
laptop -> server ICMP TTL:126 TOS:0x0 ID:2330 IpLen:20 DgmLen:58
Type:8  Code:0  ID:51391   Seq:17156  ECHO
30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35  0123456789012345
36 37 38 39 30 31 32 33 34 35 36 37 38 39        67890123456789

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/13-15:58:24.235861 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x48
server -> laptop ICMP TTL:121 TOS:0x0 ID:33299 IpLen:20 DgmLen:58
Type:0  Code:0  ID:51391   Seq:17156  ECHO REPLY
30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35  0123456789012345
36 37 38 39 30 31 32 33 34 35 36 37 38 39        67890123456789

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/13-15:58:44.349146 8:0:20:B8:F2:36 -> 0:0:C:7:AC:1 type:0x800 len:0x48
laptop -> server ICMP TTL:126 TOS:0x0 ID:3098 IpLen:20 DgmLen:58
Type:8  Code:0  ID:51392   Seq:17412  ECHO
30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35  0123456789012345
36 37 38 39 30 31 32 33 34 35 36 37 38 39        67890123456789

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Any ideas?

Gary Portnoy
Network Administrator
gportnoy () belenosinc com
PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C
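As an added illustration (not part of Gary's post), a small Python parser that reads captures in the Snort packet-log layout shown above, decodes the echo-request payload, and reports whether it matches a stock ping payload, how far apart the requests arrive and whether the ICMP ID keeps climbing. The sample log is constructed from two of the requests above; the Windows ping payload string and the assumed year 2001 are my additions.

```python
import re
from datetime import datetime
# Constructed sample in the Snort packet-log layout quoted in the post (two of its
# echo requests; timestamps, IDs and payload bytes copied from the post).
SAMPLE_LOG = """\
03/13-15:56:58.013901 8:0:20:B8:F2:36 -> 0:0:C:7:AC:1 type:0x800 len:0x48
laptop -> server ICMP TTL:126 TOS:0x0 ID:64025 IpLen:20 DgmLen:58
Type:8  Code:0  ID:51387   Seq:16132  ECHO
30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35  0123456789012345
36 37 38 39 30 31 32 33 34 35 36 37 38 39        67890123456789
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/13-15:57:23.521138 8:0:20:B8:F2:36 -> 0:0:C:7:AC:1 type:0x800 len:0x48
laptop -> server ICMP TTL:126 TOS:0x0 ID:64793 IpLen:20 DgmLen:58
Type:8  Code:0  ID:51388   Seq:16388  ECHO
30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35  0123456789012345
36 37 38 39 30 31 32 33 34 35 36 37 38 39        67890123456789
"""

# Payload the stock Windows ping fills its 32-byte echo request with (assumed list).
KNOWN_PAYLOADS = {"abcdefghijklmnopqrstuvwabcdefghi"}

HDR = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6}) ")
ICMP = re.compile(r"^Type:(\d+)\s+Code:(\d+)\s+ID:(\d+)\s+Seq:(\d+)")
HEX = re.compile(r"^((?:[0-9A-Fa-f]{2} )+)")  # hex column, stops at the ASCII column

def parse_echo_requests(text):
    """Split a Snort packet log into ICMP type-8 records with their payload bytes."""
    recs = []
    for line in text.splitlines():
        if m := HDR.match(line):  # new packet; the log has no year, 2001 is assumed
            ts = datetime.strptime("2001/" + m.group(1), "%Y/%m/%d-%H:%M:%S.%f")
            recs.append({"ts": ts, "payload": b""})
        elif recs and (m := ICMP.match(line)):
            recs[-1].update(type=int(m.group(1)), icmp_id=int(m.group(3)), seq=int(m.group(4)))
        elif recs and (m := HEX.match(line)):
            recs[-1]["payload"] += bytes.fromhex(m.group(1))
    return [r for r in recs if r.get("type") == 8]

def analyze(text):
    """Report payload, cadence and ICMP-ID behaviour of the echo-request stream."""
    recs = parse_echo_requests(text)
    payload = recs[0]["payload"].decode("ascii", "replace")
    ids = [r["icmp_id"] for r in recs]
    return {
        "payload": payload,
        "intervals": [round((b["ts"] - a["ts"]).total_seconds(), 1) for a, b in zip(recs, recs[1:])],
        "id_increasing": all(x < y for x, y in zip(ids, ids[1:])),
        "suspicious": payload not in KNOWN_PAYLOADS,  # not a stock ping payload
    }
```

Running `analyze(SAMPLE_LOG)` on a longer capture from the firewall log would let you confirm the 25.5-second cadence over many requests instead of the two shown here.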