ICMP Help

From: Portnoy, Gary (gportnoyat_private)
Date: Thu Jun 28 2001 - 12:42:33 PDT

    Greetings,
    
    Starting a few days ago, I noticed some weird ICMP traffic to/from one of my
    webservers.  Every few hours (2-4 hours) there is a sudden burst of ICMP 8/0
    requests to my server.  The source IPs are always the same 10:
    206.229.153.105 
    216.52.169.65
    4.20.90.105
    206.64.105.105 
    207.86.73.105
    208.47.242.105 
    198.107.213.105
    206.98.113.105 
    208.51.235.105 
    12.27.166.105
    
    Notice how all but one end in .105.  Strange?  I thought so too.  So, below
    is the tcpdump capture of the payload.  The ICMP ID is 1407 in every case.
    I don't know what that means.  Haven't been able to find anything on it.
    Also, look by the XX XX in the capture. That's the destination IP address,
    also kind of strange.  Another thing, the TTL:  Assuming starting value of
    64, it makes sense.  I pinged the hosts back.  They are all alive, only
    their starting TTL is 256, but the number of hops matches...  Anyways,
    that's a lot of strange stuff going on in one small ICMP packet, so without
    further ado:
    
    06/28-14:47:17.335080 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x62
    206.229.153.105 -> MY.NET.165.17 ICMP TTL:54 TOS:0x0 ID:45337 IpLen:20
    DgmLen:84
    Type:8  Code:0  ID:1407   Seq:23209  ECHO
    B6 7B 3B 3B F0 62 01 00 00 00 00 00 00 00 00 00  .{;;.b..........
    00 00 00 00 02 00 00 00 XX XX A5 11 00 00 00 00  ................
    00 00 00 00 B0 D3 FF BF 6B B0 9F 4C 17 00 00 00  ........k..L....
    E8 D3 FF BF 10 D4 FF BF                          ........
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/28-14:47:29.525126 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x62
    216.52.169.65 -> MY.NET.165.17 ICMP TTL:52 TOS:0x0 ID:1732 IpLen:20
    DgmLen:84
    Type:8  Code:0  ID:1407   Seq:42902  ECHO
    C2 7B 3B 3B B8 15 04 00 00 00 00 00 00 00 00 00  .{;;............
    00 00 00 00 02 00 00 00 XX XX A5 11 00 00 00 00  ................
    00 00 00 00 B0 D3 FF BF 6B B0 9F 4C 17 00 00 00  ........k..L....
    E8 D3 FF BF 10 D4 FF BF                          ........
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/28-14:47:43.089554 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x62
    4.20.90.105 -> MY.NET.165.17 ICMP TTL:52 TOS:0x0 ID:25480 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:1407   Seq:8666  ECHO
    CF 7B 3B 3B CB E2 0C 00 00 00 00 00 00 00 00 00  .{;;............
    00 00 00 00 02 00 00 00 XX XX A5 11 00 00 00 00  ................
    00 00 00 00 B0 D3 FF BF 6B B0 9F 4C 17 00 00 00  ........k..L....
    E8 D3 FF BF 10 D4 FF BF                          ........
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    Does anyone want to venture a guess?  I am stumped...
    
    -Gary-
    
    Gary Portnoy
    Network Administrator
    gportnoyat_private
    
    PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
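As an added example (not part of Gary's post, and not something the post itself establishes), the script below decodes the three 56-byte payloads under one hypothesis: that bytes 0-7 are a little-endian `struct timeval` written by the sender, as the common Linux and BSD ping utilities do, and that bytes 20-35 have the layout of a `struct sockaddr_in` (16-bit family 2 = AF_INET, 16-bit port, 4-byte address, eight zero bytes), which would explain why the destination address appears in the payload. The redacted `XX XX` octets are replaced by a placeholder and shown as `xx`. The check worth doing is offset-independent: the seconds counter decodes to 2001-06-28, the capture date, and the gaps between the three decoded timestamps agree with the gaps between Snort's own capture timestamps to within about 15 ms, which is what a sender-side gettimeofday() plus a fixed clock offset would produce.

```python
"""Decode the ICMP echo payloads from the post under the timeval/sockaddr_in hypothesis."""
import struct
from datetime import datetime, timezone

# The three payload dumps exactly as Snort printed them in the post (Snort capture
# time, then the hex dump). The poster redacted the first two destination octets
# as "XX XX"; parse_hexdump() substitutes a constructed 0x00 placeholder for each.
SAMPLES = [
    ("14:47:17.335080", """
B6 7B 3B 3B F0 62 01 00 00 00 00 00 00 00 00 00  .{;;.b..........
00 00 00 00 02 00 00 00 XX XX A5 11 00 00 00 00  ................
00 00 00 00 B0 D3 FF BF 6B B0 9F 4C 17 00 00 00  ........k..L....
E8 D3 FF BF 10 D4 FF BF                          ........
"""),
    ("14:47:29.525126", """
C2 7B 3B 3B B8 15 04 00 00 00 00 00 00 00 00 00  .{;;............
00 00 00 00 02 00 00 00 XX XX A5 11 00 00 00 00  ................
00 00 00 00 B0 D3 FF BF 6B B0 9F 4C 17 00 00 00  ........k..L....
E8 D3 FF BF 10 D4 FF BF                          ........
"""),
    ("14:47:43.089554", """
CF 7B 3B 3B CB E2 0C 00 00 00 00 00 00 00 00 00  .{;;............
00 00 00 00 02 00 00 00 XX XX A5 11 00 00 00 00  ................
00 00 00 00 B0 D3 FF BF 6B B0 9F 4C 17 00 00 00  ........k..L....
E8 D3 FF BF 10 D4 FF BF                          ........
"""),
]

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_hexdump(dump: str):
    """Turn a Snort-style hex dump into bytes.

    Returns (payload, redacted_offsets). Two-character hex tokens become bytes,
    "XX" becomes a placeholder 0x00 whose offset is recorded, and the trailing
    ASCII column (one long token per line) is ignored.
    """
    data, redacted = bytearray(), []
    for tok in dump.split():
        if tok == "XX":
            redacted.append(len(data))
            data.append(0)
        elif len(tok) == 2 and set(tok) <= HEX_DIGITS:
            data.append(int(tok, 16))
    return bytes(data), redacted


def decode_payload(payload: bytes, redacted=()) -> dict:
    """Interpret the payload as timeval at offset 0 and sockaddr_in at offset 20 (hypothesis)."""
    tv_sec, tv_usec = struct.unpack_from("<II", payload, 0)      # little-endian, x86 sender assumed
    sin_family = struct.unpack_from("<H", payload, 20)[0]         # host order on Linux: 02 00 -> 2
    sin_port = struct.unpack_from("!H", payload, 22)[0]           # network order
    octets = [
        "xx" if 24 + i in redacted else str(b)                    # keep the poster's redaction visible
        for i, b in enumerate(payload[24:28])
    ]
    return {
        "tv_sec": tv_sec,
        "tv_usec": tv_usec,
        "timestamp_utc": datetime.fromtimestamp(tv_sec, tz=timezone.utc).replace(microsecond=tv_usec),
        "sin_family": sin_family,
        "sin_port": sin_port,
        "sin_addr": ".".join(octets),
        "sin_zero_is_zero": payload[28:36] == bytes(8),
    }


def capture_seconds(hms: str) -> float:
    """Seconds since midnight for a Snort 'HH:MM:SS.ffffff' timestamp."""
    t = datetime.strptime(hms, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6


def gap_mismatches(samples=SAMPLES) -> list:
    """|capture gap - decoded payload gap| in seconds for each consecutive pair of packets.

    A sender-side timestamp with a fixed clock offset gives small values here
    regardless of the sensor's time zone; random payload bytes would not.
    """
    rows = []
    for ts, dump in samples:
        payload, redacted = parse_hexdump(dump)
        d = decode_payload(payload, redacted)
        rows.append((capture_seconds(ts), d["tv_sec"] + d["tv_usec"] / 1e6))
    return [abs((c1 - c0) - (p1 - p0)) for (c0, p0), (c1, p1) in zip(rows, rows[1:])]


if __name__ == "__main__":
    for ts, dump in SAMPLES:
        d = decode_payload(*parse_hexdump(dump))
        print(f"snort {ts}  payload {d['timestamp_utc'].isoformat()}  "
              f"family={d['sin_family']} port={d['sin_port']} addr={d['sin_addr']} "
              f"sin_zero={'ok' if d['sin_zero_is_zero'] else 'nonzero'}")
    print("gap mismatches (s):", [round(x, 6) for x in gap_mismatches()])
```

The absolute time of day from the payload only lines up with the Snort clock if you know the sensor's UTC offset, so rely on the inter-packet deltas, which do not depend on it. The same two functions work on any Snort payload dump; only the offsets (0 and 20) are tied to this hypothesis.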
    



    This archive was generated by hypermail 2b30 : Fri Jun 29 2001 - 08:19:33 PDT