RE: a lot of spoofed traffic for port 8, does anybody recon this?

From: Guy L. Smith (gsmithat_private)
Date: Mon May 14 2001 - 19:36:57 PDT


    Here's a copy of the ICMP RFC codes:
    
    The Internet Control Message Protocol (ICMP) has many messages that are
    identified by a "type" field. Here are the numbers from RFC-1700.
    
    Type    Name                                    Reference
    ----    -------------------------               ---------
      0     Echo Reply                               [RFC792]
      1     Unassigned                                  [JBP]
      2     Unassigned                                  [JBP]
      3     Destination Unreachable                  [RFC792]
      4     Source Quench                            [RFC792]
      5     Redirect                                 [RFC792]
      6     Alternate Host Address                      [JBP]
      7     Unassigned                                  [JBP]
      8     Echo                                     [RFC792]
      9     Router Advertisement                    [RFC1256]
     10     Router Selection                        [RFC1256]
     11     Time Exceeded                            [RFC792]
     12     Parameter Problem                        [RFC792]
     13     Timestamp                                [RFC792]
     14     Timestamp Reply                          [RFC792]
     15     Information Request                      [RFC792]
     16     Information Reply                        [RFC792]
     17     Address Mask Request                     [RFC950]
     18     Address Mask Reply                       [RFC950]
     19     Reserved (for Security)                    [Solo]
     20-29  Reserved (for Robustness Experiment)        [ZSu]
     30     Traceroute                              [RFC1393]
     31     Datagram Conversion Error               [RFC1475]
     32     Mobile Host Redirect              [David Johnson]
     33     IPv6 Where-Are-You                 [Bill Simpson]
     34     IPv6 I-Am-Here                     [Bill Simpson]
     35     Mobile Registration Request        [Bill Simpson]
     36     Mobile Registration Reply          [Bill Simpson]
     37-255 Reserved                                    [JBP]
    
    
    
    -----Original Message-----
    From: Kevin Pietersma [mailto:kevat_private]
    Sent: Monday, May 14, 2001 11:54 AM
    To: Bob Johnson; Mikael Fors
    Cc: INCIDENTSat_private
    Subject: Re: a lot of spoofed traffic for port 8, does anybody recon this?
    
    
    What you are seeing are ICMP codes (ICMP Echo Request; itype: 8; icode: 0).
    Someone is PINGing you.
    
    kev
    
    
    At 10:52 AM 5/14/01 -0400, Bob Johnson wrote:
    >Don't know if you ever figured this out.  The only place I've ever seen port
    >8 used is a Telocity DSL modem in a friend's office.  The modem queries
    >port 8 on the client system (i.e. the system it is connecting to the
    >Internet) at regular intervals.  It also updates DHCP info at regular
    >intervals.  I don't know what the modem is looking for, but it seems to
    >work fine if it doesn't find anything.
    >
    >In his case the modem has a public IP number, so the probe packets come
    >from that address.
    >
    >- Bob
    >
    >Mikael Fors wrote:
    > >
    > > Last 24 hours I've been receiving a lot of strange packets on my public
    > > interface. Log has been sanitized.
    > >
    > > May  9 10:03:36 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 a.b.c.d:8 192.168.22.2:0 L=60 S=0x00 I=29112 F=0x0000 T=126 (#24)
    > > May  9 10:03:36 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 a.b.c.d:8 192.168.22.2:0 L=60 S=0x00 I=29113 F=0x0000 T=127 (#24)
    > > May  9 10:03:39 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 a.b.c.d:8 192.168.22.2:0 L=60 S=0x00 I=29117 F=0x0000 T=127 (#24)
    > > May  9 10:04:06 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 a.b.c.d:8 192.168.5.1:0 L=60 S=0x00 I=29177 F=0x0000 T=126 (#24)
    > > May  9 10:04:06 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 a.b.c.d:8 192.168.5.1:0 L=60 S=0x00 I=29178 F=0x0000 T=127 (#24)
    > > May  9 10:04:09 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 a.b.c.d:8 192.168.5.1:0 L=60 S=0x00 I=29185 F=0x0000 T=127 (#24)
    > > May  9 10:04:33 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 a.b.c.d:8 192.168.255.1:0 L=60 S=0x00 I=29235 F=0x0000 T=126 (#24)
    > > May  9 10:04:33 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 a.b.c.d:8 192.168.255.1:0 L=60 S=0x00 I=29236 F=0x0000 T=127 (#24)
    > > May  9 10:04:36 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 a.b.c.d:8 192.168.255.1:0 L=60 S=0x00 I=29243 F=0x0000 T=127 (#24)
    > >
    > > These packets started trickling here about 48 hours ago, and I have no
    > > clue what it can be. What resides on port 8 and why ICMP??? All of these
    > > packets arrive on the public interface, and contain private networks,
    > > mostly 192.168.x.x networks, but also 172.x.x.x networks show up.
    > >
    > > Mikael Fors
    > > Mora Datorer AB
    >
    >--
    >
    >*********************************************************
    >   Bob Johnson            Senior Systems Programmer
    >   bobat_private        College of Engineering
    >                          523 Weil Hall
    >   352-392-9217 Office    University of Florida
    >   352-392-7063 Fax       Gainesville, FL  32611
    >*********************************************************
    >   "Security is not a product, it's a mentality."
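The confusion in this thread comes from the firewall log printing ICMP type and code in the same `src:port dst:port` slots it uses for TCP and UDP, so `a.b.c.d:8 192.168.22.2:0` is an Echo request (type 8, code 0), not traffic to "port 8". The following Python is an added example, not code from the thread or from any list member: it parses ipchains-style `Packet log:` lines like the ones Mikael posted, decodes `PROTO=1` entries with the RFC-1700 table quoted above, and flags Echo requests that arrive on the public interface addressed to RFC 1918 destinations, which is the oddity Mikael asked about. The sample log lines are constructed for this example (documentation-range addresses stand in for the sanitized `a.b.c.d`), and the public interface name `eth0` and the chain names are assumptions taken from those lines.

```python
"""Decode ipchains-style 'Packet log:' lines so that PROTO=1 entries are read
as ICMP type/code rather than as ports.  Added example, not from the thread."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# ICMP message types from the RFC-1700 table quoted in the thread.
ICMP_TYPES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
    5: "Redirect", 6: "Alternate Host Address", 8: "Echo",
    9: "Router Advertisement", 10: "Router Selection", 11: "Time Exceeded",
    12: "Parameter Problem", 13: "Timestamp", 14: "Timestamp Reply",
    15: "Information Request", 16: "Information Reply",
    17: "Address Mask Request", 18: "Address Mask Reply", 30: "Traceroute",
}
IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# RFC 1918 ranges, checked explicitly (ipaddress.is_private also covers
# documentation ranges, which would spoil the demo addresses below).
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# Field layout of the 2.2-era kernel "Packet log:" line as seen in the thread.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) "
    r"S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9A-Fa-f]+) "
    r"T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)

# Constructed sample: 198.51.100.x plays the sanitized a.b.c.d source and
# 203.0.113.20 the firewall's own public address (both documentation ranges).
SAMPLE_LOG = """\
May  9 10:03:36 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 198.51.100.7:8 192.168.22.2:0 L=60 S=0x00 I=29112 F=0x0000 T=126 (#24)
May  9 10:03:36 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 198.51.100.7:8 192.168.22.2:0 L=60 S=0x00 I=29113 F=0x0000 T=127 (#24)
May  9 10:04:06 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 198.51.100.7:8 172.16.5.1:0 L=60 S=0x00 I=29177 F=0x0000 T=126 (#24)
May  9 10:05:00 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 198.51.100.9:3 203.0.113.20:1 L=56 S=0x00 I=1 F=0x0000 T=250 (#24)
May  9 10:05:10 gator kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.9:4321 203.0.113.20:8 L=60 S=0x00 I=2 F=0x4000 T=50 (#3)
""".splitlines()


def parse_packet_log(line):
    """Return the fields of one 'Packet log:' line as a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    return rec


def describe(rec):
    """Human-readable summary; for ICMP the two 'port' fields are type and code."""
    name = IP_PROTOS.get(rec["proto"], "proto %d" % rec["proto"])
    if rec["proto"] == 1:
        tname = ICMP_TYPES.get(rec["sport"], "type %d" % rec["sport"])
        return "%s %s (type %d, code %d) %s -> %s" % (
            name, tname, rec["sport"], rec["dport"], rec["src"], rec["dst"])
    return "%s %s:%d -> %s:%d" % (name, rec["src"], rec["sport"], rec["dst"], rec["dport"])


def is_rfc1918(addr):
    """True if the dotted-quad address lies in one of the RFC 1918 blocks."""
    ip = ip_address(addr)
    return any(ip in net for net in RFC1918)


def analyze(lines, public_iface="eth0"):
    """Count decoded entries and flag Echo requests that reached the public
    interface addressed to a private destination (nothing should route those)."""
    counts = Counter()
    anomalies = []
    for line in lines:
        rec = parse_packet_log(line)
        if rec is None:
            continue
        counts[describe(rec)] += 1
        if (rec["iface"] == public_iface and rec["proto"] == 1
                and rec["sport"] == 8 and is_rfc1918(rec["dst"])):
            anomalies.append("echo request from %s to private %s on %s (ttl %d, rule #%d)" % (
                rec["src"], rec["dst"], rec["iface"], rec["ttl"], rec["rule"]))
    return counts, anomalies


if __name__ == "__main__":
    counts, anomalies = analyze(SAMPLE_LOG)
    for desc, n in counts.most_common():
        print("%3d  %s" % (n, desc))
    for note in anomalies:
        print("ANOMALY:", note)
```

The TTL values the parser exposes are worth keeping in the summary: the thread's lines alternate between 126 and 127, which is the sort of detail that separates one misconfigured device (Bob's DSL-modem theory) from a scan across many hosts.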
    



    This archive was generated by hypermail 2b30 : Mon May 14 2001 - 21:36:26 PDT