Security Incidents mailing list archives

ICMP Strangeness


From: "Portnoy, Gary" <gportnoy () BELENOSINC COM>
Date: Tue, 13 Mar 2001 16:13:26 -0500

This is to all ICMP wizards out there:

I am seeing the following ICMP Echo Request coming in approximately every
25.5 seconds.  The source is one of our users, the destination is our
corporate web server. The firewall keeps dropping them, and the user's
laptop keeps retrying. I can't get my hands on the user's laptop since he
isn't in this office, and he is saying that nothing out of the ordinary is
running on his laptop, however, the pings keep coming, with the payload of
01234567890123456890123456789, and the ever-increasing ICMP ID.  This isn't a
standard Windows ping payload (abcdefg, etc), nor can I find this as a
signature in Snort or ArachNIDS.  Anybody have any ideas?

Snort captures:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/13-15:56:58.013901 8:0:20:B8:F2:36 -> 0:0:C:7:AC:1 type:0x800 len:0x48
laptop -> server ICMP TTL:126 TOS:0x0 ID:64025 IpLen:20 DgmLen:58
Type:8  Code:0  ID:51387   Seq:16132  ECHO
30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35  0123456789012345
36 37 38 39 30 31 32 33 34 35 36 37 38 39        67890123456789

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/13-15:57:23.521138 8:0:20:B8:F2:36 -> 0:0:C:7:AC:1 type:0x800 len:0x48
laptop -> server ICMP TTL:126 TOS:0x0 ID:64793 IpLen:20 DgmLen:58
Type:8  Code:0  ID:51388   Seq:16388  ECHO
30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35  0123456789012345
36 37 38 39 30 31 32 33 34 35 36 37 38 39        67890123456789

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I opened up ICMP on the firewall, and the laptop got a standard response,
but 25.5 seconds later, it tried again, and again:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/13-15:58:24.099613 8:0:20:B8:F2:36 -> 0:0:C:7:AC:1 type:0x800 len:0x48
laptop -> server ICMP TTL:126 TOS:0x0 ID:2330 IpLen:20 DgmLen:58
Type:8  Code:0  ID:51391   Seq:17156  ECHO
30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35  0123456789012345
36 37 38 39 30 31 32 33 34 35 36 37 38 39        67890123456789

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/13-15:58:24.235861 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x48
server -> laptop ICMP TTL:121 TOS:0x0 ID:33299 IpLen:20 DgmLen:58
Type:0  Code:0  ID:51391  Seq:17156  ECHO REPLY
30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35  0123456789012345
36 37 38 39 30 31 32 33 34 35 36 37 38 39        67890123456789

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/13-15:58:44.349146 8:0:20:B8:F2:36 -> 0:0:C:7:AC:1 type:0x800 len:0x48
laptop -> server ICMP TTL:126 TOS:0x0 ID:3098 IpLen:20 DgmLen:58
Type:8  Code:0  ID:51392   Seq:17412  ECHO
30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35  0123456789012345
36 37 38 39 30 31 32 33 34 35 36 37 38 39        67890123456789

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Any ideas?


Gary Portnoy
Network Administrator
gportnoy () belenosinc com

PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C
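Added example, not part of Gary Portnoy's post or of any tool he names: a Python script that parses the Snort packet dumps quoted above (copied into it as sample input, separator lines omitted) and turns the question into checks a responder can run on any such capture: inter-arrival time between requests, how the ICMP ID and Seq fields advance, whether the data area is the well-known 32-byte pattern the Windows ping.exe of the period sends or something else, and which requests drew a reply. The year 2001 is assumed because Snort prints none; the host names laptop and server are the ones used in the post; the "digit-cycle" payload class is defined from the pattern in the post's own capture.

```python
import re
from collections import namedtuple
from datetime import datetime

# Sample input: the five Snort packet dumps quoted in the post, copied here (separator lines
# omitted) so the script runs offline. Snort prints no year; 2001 is assumed from the post date.
CAPTURE = """\
03/13-15:56:58.013901 8:0:20:B8:F2:36 -> 0:0:C:7:AC:1 type:0x800 len:0x48
laptop -> server ICMP TTL:126 TOS:0x0 ID:64025 IpLen:20 DgmLen:58
Type:8  Code:0  ID:51387   Seq:16132  ECHO
30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35  0123456789012345
36 37 38 39 30 31 32 33 34 35 36 37 38 39        67890123456789
03/13-15:57:23.521138 8:0:20:B8:F2:36 -> 0:0:C:7:AC:1 type:0x800 len:0x48
laptop -> server ICMP TTL:126 TOS:0x0 ID:64793 IpLen:20 DgmLen:58
Type:8  Code:0  ID:51388   Seq:16388  ECHO
30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35  0123456789012345
36 37 38 39 30 31 32 33 34 35 36 37 38 39        67890123456789
03/13-15:58:24.099613 8:0:20:B8:F2:36 -> 0:0:C:7:AC:1 type:0x800 len:0x48
laptop -> server ICMP TTL:126 TOS:0x0 ID:2330 IpLen:20 DgmLen:58
Type:8  Code:0  ID:51391   Seq:17156  ECHO
30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35  0123456789012345
36 37 38 39 30 31 32 33 34 35 36 37 38 39        67890123456789
03/13-15:58:24.235861 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x48
server -> laptop ICMP TTL:121 TOS:0x0 ID:33299 IpLen:20 DgmLen:58
Type:0  Code:0  ID:51391  Seq:17156  ECHO REPLY
30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35  0123456789012345
36 37 38 39 30 31 32 33 34 35 36 37 38 39        67890123456789
03/13-15:58:44.349146 8:0:20:B8:F2:36 -> 0:0:C:7:AC:1 type:0x800 len:0x48
laptop -> server ICMP TTL:126 TOS:0x0 ID:3098 IpLen:20 DgmLen:58
Type:8  Code:0  ID:51392   Seq:17412  ECHO
30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35  0123456789012345
36 37 38 39 30 31 32 33 34 35 36 37 38 39        67890123456789
"""
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32-byte data area ping.exe sends

HDR = re.compile(r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6}) \S+ -> \S+ type:0x")
IPL = re.compile(r"^(\S+) -> (\S+) ICMP TTL:")
ICMPL = re.compile(r"^Type:(\d+)\s+Code:(\d+)\s+ID:(\d+)\s+Seq:(\d+)")
HEXROW = re.compile(r"^((?:[0-9A-Fa-f]{2} )+)")  # hex columns of a dump row, before the ASCII
Packet = namedtuple("Packet", "ts src dst icmp_type icmp_id seq payload")


def parse_snort(text, year=2001):
    """Parse Snort's classic packet-dump text into Packet records, one per timestamp line."""
    raw = []
    for line in text.splitlines():
        if m := HDR.match(line):
            mo, d, h, mi, s, us = (int(g) for g in m.groups())
            raw.append({"ts": datetime(year, mo, d, h, mi, s, us), "payload": b""})
        elif not raw:
            continue  # text before the first record
        elif m := IPL.match(line):
            raw[-1]["src"], raw[-1]["dst"] = m[1], m[2]
        elif m := ICMPL.match(line):
            raw[-1].update(icmp_type=int(m[1]), icmp_id=int(m[3]), seq=int(m[4]))
        elif m := HEXROW.match(line):
            raw[-1]["payload"] += bytes.fromhex(m[1])  # fromhex ignores the spaces
    return [Packet(**p) for p in raw]


def classify_payload(data):
    if data == WINDOWS_PING_PAYLOAD:
        return "windows-ping"
    if data and data == (b"0123456789" * (len(data) // 10 + 1))[:len(data)]:
        return "digit-cycle"  # the pattern seen in the post
    return "unknown"


def le16(v):
    """Reinterpret a 16-bit field that Snort printed in network order as a little-endian value."""
    return ((v & 0xFF) << 8) | (v >> 8)


def analyze(packets, src, dst):
    """Summarise echo requests src->dst: timing, counter behaviour, payload class, replies seen."""
    reqs = sorted((p for p in packets if p.icmp_type == 8 and (p.src, p.dst) == (src, dst)),
                  key=lambda p: p.ts)
    replies = {(p.icmp_id, p.seq) for p in packets
               if p.icmp_type == 0 and (p.src, p.dst) == (dst, src)}
    pairs = list(zip(reqs, reqs[1:]))
    return {
        "count": len(reqs),
        "intervals": [round((b.ts - a.ts).total_seconds(), 3) for a, b in pairs],
        "id_deltas": [b.icmp_id - a.icmp_id for a, b in pairs],
        "seq_deltas": [b.seq - a.seq for a, b in pairs],
        "seq_le": [le16(p.seq) for p in reqs],
        "payloads": {classify_payload(p.payload) for p in reqs},
        "answered": [(p.icmp_id, p.seq) in replies for p in reqs],
    }


def looks_like_beacon(report, min_count=3):
    """Constant non-ping payload and a monotonically rising ICMP ID: a timer-driven prober."""
    return (report["count"] >= min_count and len(report["payloads"]) == 1
            and "windows-ping" not in report["payloads"]
            and all(d > 0 for d in report["id_deltas"]))


if __name__ == "__main__":
    report = analyze(parse_snort(CAPTURE), "laptop", "server")
    print(report, "beacon-like:", looks_like_beacon(report))
```

On the post's own dumps it reports intervals of 25.507, 60.578 and 20.25 seconds, ID steps of 1, 3, 1 and Seq steps of 256, 768, 256; the 60-second gap carrying a step of 3 in both counters is consistent with two requests that are not in the excerpt. A Seq that grows by 256 per request as Snort prints it (network order) is a counter the sender increments as a little-endian 16-bit value (1087, 1088, 1091, 1092 read that way), while the ID grows by 1 as printed, which suggests the program writes the two fields in different byte orders. That, the 30-byte cyclic-digit data area in place of ping.exe's abcdefghijklmnopqrstuvwabcdefghi, and a fourth request sent 20 seconds after the third one was answered are the concrete facts to hand whoever gets to look at the laptop's process list.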

