I think what you are seeing is load balancer type traffic from internap.
see: www.pnap.net

These are 'crafted' packets built by their proprietary application.

---
Johannes Ullrich
Join http://www.dshield.org
jullrichat_private
---

On Thu, 28 Jun 2001, Portnoy, Gary wrote:

> Greetings,
>
> Starting a few days ago, I noticed some weird ICMP traffic to/from one of my
> webservers. Every few hours (2-4 hours) there is a sudden burst of ICMP 8/0
> requests to my server. The source IPs are always the same 10:
> 206.229.153.105
> 216.52.169.65
> 4.20.90.105
> 206.64.105.105
> 207.86.73.105
> 208.47.242.105
> 198.107.213.105
> 206.98.113.105
> 208.51.235.105
> 12.27.166.105
>
> Notice how all but one end in .105. Strange? I thought so too.. So, below
> is the tcpdump capture of the payload. The ICMP ID is 1407 in every case.
> I don't know what that means. Haven't been able to find anything on it.
> Also, look by the XX XX in the capture. That's the destination IP address,
> also kind of strange. Another thing, the TTL: Assuming starting value of
> 64, it makes sense. I pinged the hosts back. They are all alive, only
> their starting TTL is 256, but the number of hops matches... Anyways,
> that's a lot of strange stuff going on in one small ICMP packet, so without
> further ado:
>
> 06/28-14:47:17.335080 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x62
> 206.229.153.105 -> MY.NET.165.17 ICMP TTL:54 TOS:0x0 ID:45337 IpLen:20
> DgmLen:84
> Type:8 Code:0 ID:1407 Seq:23209 ECHO
> B6 7B 3B 3B F0 62 01 00 00 00 00 00 00 00 00 00 .{;;.b..........
> 00 00 00 00 02 00 00 00 XX XX A5 11 00 00 00 00 ................
> 00 00 00 00 B0 D3 FF BF 6B B0 9F 4C 17 00 00 00 ........k..L....
> E8 D3 FF BF 10 D4 FF BF ........
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 06/28-14:47:29.525126 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x62
> 216.52.169.65 -> MY.NET.165.17 ICMP TTL:52 TOS:0x0 ID:1732 IpLen:20
> DgmLen:84
> Type:8 Code:0 ID:1407 Seq:42902 ECHO
> C2 7B 3B 3B B8 15 04 00 00 00 00 00 00 00 00 00 .{;;............
> 00 00 00 00 02 00 00 00 XX XX A5 11 00 00 00 00 ................
> 00 00 00 00 B0 D3 FF BF 6B B0 9F 4C 17 00 00 00 ........k..L....
> E8 D3 FF BF 10 D4 FF BF ........
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 06/28-14:47:43.089554 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x62
> 4.20.90.105 -> MY.NET.165.17 ICMP TTL:52 TOS:0x0 ID:25480 IpLen:20 DgmLen:84
> Type:8 Code:0 ID:1407 Seq:8666 ECHO
> CF 7B 3B 3B CB E2 0C 00 00 00 00 00 00 00 00 00 .{;;............
> 00 00 00 00 02 00 00 00 XX XX A5 11 00 00 00 00 ................
> 00 00 00 00 B0 D3 FF BF 6B B0 9F 4C 17 00 00 00 ........k..L....
> E8 D3 FF BF 10 D4 FF BF ........
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> Does anyone want to venture a guess? I am stumped...
>
> -Gary-
>
> Gary Portnoy
> Network Administrator
> gportnoyat_private
>
> PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C
>
> ----------------------------------------------------------------------------
>
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see:
>
> http://aris.securityfocus.com
> ----------------------------------------------------------------------------
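As an added example (not part of the original thread or of either poster's tooling), here is a small Python parser for the snort-style dumps quoted above. It pulls out source, TTL, ICMP ID/sequence and payload for each echo request, estimates the hop count the way the poster did (assuming the sender started at 64, 128 or 255), decodes the first eight payload bytes as a little-endian struct timeval (an assumption about the layout; the value it yields is within a second of the capture timestamp if the capture host's clock was four hours behind UTC, which supports it), and groups senders by ICMP ID so that one ID reused by many unrelated sources, the pattern Gary reported, stands out in a log. The sample text is the three dumps from the post, re-broken into lines; the masked destination octets come through as None.

```python
import re
import struct
from datetime import datetime, timezone

# Constructed sample: the three snort-style echo-request dumps from the post,
# re-broken into lines. The poster masked his own destination octets as "XX".
SAMPLE_DUMP = """\
06/28-14:47:17.335080 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x62
206.229.153.105 -> MY.NET.165.17 ICMP TTL:54 TOS:0x0 ID:45337 IpLen:20
DgmLen:84
Type:8 Code:0 ID:1407 Seq:23209 ECHO
B6 7B 3B 3B F0 62 01 00 00 00 00 00 00 00 00 00 .{;;.b..........
00 00 00 00 02 00 00 00 XX XX A5 11 00 00 00 00 ................
00 00 00 00 B0 D3 FF BF 6B B0 9F 4C 17 00 00 00 ........k..L....
E8 D3 FF BF 10 D4 FF BF ........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/28-14:47:29.525126 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x62
216.52.169.65 -> MY.NET.165.17 ICMP TTL:52 TOS:0x0 ID:1732 IpLen:20
DgmLen:84
Type:8 Code:0 ID:1407 Seq:42902 ECHO
C2 7B 3B 3B B8 15 04 00 00 00 00 00 00 00 00 00 .{;;............
00 00 00 00 02 00 00 00 XX XX A5 11 00 00 00 00 ................
00 00 00 00 B0 D3 FF BF 6B B0 9F 4C 17 00 00 00 ........k..L....
E8 D3 FF BF 10 D4 FF BF ........

06/28-14:47:43.089554 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x62
4.20.90.105 -> MY.NET.165.17 ICMP TTL:52 TOS:0x0 ID:25480 IpLen:20 DgmLen:84
Type:8 Code:0 ID:1407 Seq:8666 ECHO
CF 7B 3B 3B CB E2 0C 00 00 00 00 00 00 00 00 00 .{;;............
00 00 00 00 02 00 00 00 XX XX A5 11 00 00 00 00 ................
00 00 00 00 B0 D3 FF BF 6B B0 9F 4C 17 00 00 00 ........k..L....
E8 D3 FF BF 10 D4 FF BF ........
"""

IP_LINE = re.compile(r"^(\S+) -> (\S+) ICMP TTL:(\d+)")
ICMP_LINE = re.compile(r"^Type:(\d+) Code:(\d+) ID:(\d+) Seq:(\d+)")
# snort prints hex in uppercase; "XX" is the poster's mask. The ASCII column
# is one longer token, so the first non-matching token ends the hex run.
HEX_TOKEN = re.compile(r"^(?:[0-9A-F]{2}|XX)$")


def parse_snort_icmp(text):
    """Turn snort-style ICMP dumps into records: src, dst, ttl, icmp_type,
    icmp_code, icmp_id, seq and payload (ints; None where the dump was masked)."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = IP_LINE.match(line)
        if m:                                   # IP header line starts a packet
            if cur:
                records.append(cur)
            cur = {"src": m.group(1), "dst": m.group(2),
                   "ttl": int(m.group(3)), "payload": []}
            continue
        m = ICMP_LINE.match(line)
        if m and cur is not None:
            cur["icmp_type"], cur["icmp_code"] = int(m.group(1)), int(m.group(2))
            cur["icmp_id"], cur["seq"] = int(m.group(3)), int(m.group(4))
            continue
        tokens = line.split()
        if cur is not None and tokens and HEX_TOKEN.match(tokens[0]):
            for tok in tokens:
                if not HEX_TOKEN.match(tok):
                    break                       # reached the ASCII column
                cur["payload"].append(None if tok == "XX" else int(tok, 16))
    if cur:
        records.append(cur)
    return records


def estimate_hops(ttl):
    """Guess the sender's initial TTL (64/128/255) and the hops travelled."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError(f"TTL {ttl} out of range")


def decode_payload(payload):
    """Interpret the first 8 bytes as a little-endian struct timeval (an
    assumption: the layout a Unix ping puts at the front of its data) and
    return the four bytes at offset 24 the poster identified as his address."""
    if len(payload) < 28:
        raise ValueError("payload too short for this layout")
    sec, usec = struct.unpack("<II", bytes(b or 0 for b in payload[:8]))
    sent = datetime.fromtimestamp(sec, tz=timezone.utc)
    return {"sent_unix": sec, "sent_usec": usec,
            "sent_utc": sent.strftime("%Y-%m-%d %H:%M:%S"),
            "embedded_dst": payload[24:28]}


def sources_by_icmp_id(records):
    """Map each ICMP echo ID to the set of senders using it: one ID shared by
    many distinct sources is the signature the poster noticed."""
    out = {}
    for r in records:
        out.setdefault(r["icmp_id"], set()).add(r["src"])
    return out


if __name__ == "__main__":
    recs = parse_snort_icmp(SAMPLE_DUMP)
    for r in recs:
        initial, hops = estimate_hops(r["ttl"])
        d = decode_payload(r["payload"])
        print(f'{r["src"]:>16} ttl={r["ttl"]} (~{hops} hops if start {initial}) '
              f'id={r["icmp_id"]} seq={r["seq"]} sent={d["sent_utc"]} UTC')
    for icmp_id, srcs in sources_by_icmp_id(recs).items():
        if len(srcs) > 1:
            print(f"ICMP id {icmp_id} shared by {len(srcs)} senders: {sorted(srcs)}")
```

The hex-token rule relies on snort's uppercase two-character columns; a payload whose ASCII column happened to be exactly two hex letters would be misread, so for real captures prefer pcap input over text dumps. The grouping by ICMP ID is a triage aid, not proof of a single operator: many pingers hard-code the identifier field, so correlate it with timing and the per-sender hop estimate before drawing conclusions.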
This archive was generated by hypermail 2b30 : Fri Jun 29 2001 - 11:23:14 PDT