RE: ISD171/ping zeros - One legit use

["Ofir Arkin" <ofir () sys-security com>]

Rich,

I can belive this is the case with DNS servers running HPUX 11.x, 10.3 or
AIX 4.3.x.
If so, the admin who set up the DNS server did not fully understand this
issues obviously.

With load balancing I am more skeptic.
They balance the load on the Servers on site not on the coming clients...

If you will download version 2.5 of my paper and go to page 45 you will have
a full explanation.


Cheers

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA




-----Original Message-----
From: Rich Adamson [mailto:radamson () routers com]
Sent: Friday, June 01, 2001 6:03 AM
To: Ofir Arkin; Snort Users Postings
Subject: RE: [Snort-users] ISD171/ping zeros - One legit use


Ofir,
I did search multiple web sites (including yours) and found nothing that
suggests 1500 byte icmp requests have been observed in DNS/Load Balancing
systems. Icmp's have been used for a lot of unusual things, however only
one web site found any reference whatsoever to "IDS171" and that one
did not even provide a hint relative to the response below.
The original posting was intended to "add to" the list of what some might
consider legitimate icmp uses.
Rich
------------------------
> This is an issue dealt in this mailing lists again and again :)
>
> You might wish to search the archives and find out that HPUX 11.x, 10.30,
> AIX 4.3.x has a 'unique' PMTU discovery process using ICMP Echo requests
> that produce the same patterns you described.
>
> You can also read the appropriate section in my paper ICMP Usage in
Scanning
> available from http://www.sys-security.com.
> -----Original Message-----
> FYI...
>
> One of our sites has been observing:
>   09:49:15 snort[2907]: IDS171/ping zeros: x.x.x.x -> y.y.y.y
> from snort. The content of these ping packets is essentially 1500 bytes
> of zeros (0's), and were arriving from five IP addresses assigned around
> the world.
>
> In researching the "source" of these packets, we received the following
> response from this well-known international company:
>
> "What you are seeing is a Wide area load balancing system trying to figure
> out which of our 3 data centers is closest to you.  Someone on your
network
> requested one of our websites, and our DNS/load balancing system tries
> probing your nameserver that the initial dns request came from, and
> instructs the other data centers to do the same to collect path metrics.
> Subsequent requests from your network result in being handed an IP for the
> closest/fastest data center.  http://www.f5.com has the relavent
information
> on how the system works.
>
> If you'd like to be put in an exclude list, we can stop the probes to your
> network.  It tries to be as quiet as possible, but is in no way malicious.
> It does tend to set off some IDS systems though."


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users