Re: MISC Large ICMP Packet

From: Opus (opusat_private)
Date: Thu Jul 26 2001 - 09:43:34 PDT

    This is most likely an AIX box which by default has MTU discovery enabled
    used to discover what size of packets it can send.  This can be disabled
    on the AIX box with the following command.  This is not intended to be
    malicious.
    
    no -o tcp_pmtu_discover=0
    
    -Opus
    
    On Thu, 26 Jul 2001, Chris Hobbs wrote:
    
    > Hi All,
    >
    > Installed snort again last night on my inside router (behind a pix) and
    > also installed ACID (http://www.cert.org/kb/acid/) - very slick, if you
    > haven't seen it.
    >
    > Anyway, most of what I saw this morning was pretty run of the mill, but
    > the following seemed kind of odd. Snort trapped it as "MISC Large ICMP
    > Packet", which it was - 1472 bytes of NULL. However, it certainly wasn't
    > a DoS against me, as it only came every several minutes. All the packets
    > were from the same machine (vacuum.cso.uiuc.edu/128.174.5.113), to my
    > mail server.
    >
    > My first assumption was that my IP had been used as one of many in an
    > icmp flood of vacuum.cso.uiuc.edu, but the analysis claims that the
    > packets were actually "Echo Request"s, which I assume means that vacuum
    > was pinging me.
    >
    > Sample packet follows, as well as a summary of all packets. Your advice
    > would be welcome!
    >
    > ------------------------------------------------------------------------------
    > #(1 - 57) [2001-07-25 18:08:13] [arachNIDS/246]  MISC Large ICMP Packet
    > IPv4: 128.174.5.113 -> 163.150.152.247
    >       hlen=5 TOS=0 dlen=1500 ID=12826 flags=0 offset=0 TTL=240
    > chksum=36953
    > ICMP: type=Echo Request code=0
    >       checksum=63487 id=0 seq=0
    > Payload:  length = 1472
    >
    > ------------------------------------------------------------------------------
    >
    > Generated by ACID v0.9.6b12 on Thu July 26, 2001 07:06:58
    >
    > #1-57| [2001-07-25 18:08:13] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-72| [2001-07-25 18:10:38] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-82| [2001-07-25 18:14:44] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-97| [2001-07-25 18:18:47] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-100| [2001-07-25 18:21:10] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-101| [2001-07-25 18:21:10] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-119| [2001-07-25 18:39:10] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-133| [2001-07-25 18:45:59] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-150| [2001-07-25 19:11:36] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-151| [2001-07-25 19:14:39] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-165| [2001-07-25 19:24:31] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-166| [2001-07-25 19:24:31] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-225| [2001-07-25 20:42:25] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-235| [2001-07-25 20:48:53] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-244| [2001-07-25 20:56:53] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-253| [2001-07-25 21:06:40] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-256| [2001-07-25 21:12:05] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-264| [2001-07-25 21:19:56] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-277| [2001-07-25 21:32:00] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-309| [2001-07-25 22:00:24] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-313| [2001-07-25 22:05:28] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-314| [2001-07-25 22:05:28] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-333| [2001-07-25 22:29:20] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-342| [2001-07-25 22:32:15] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-350| [2001-07-25 22:40:12] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-834| [2001-07-26 07:02:41] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-458| [2001-07-26 00:46:00] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-789| [2001-07-26 06:58:40] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-784| [2001-07-26 06:47:53] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-778| [2001-07-26 06:42:15] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-775| [2001-07-26 06:40:55] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-565| [2001-07-26 03:04:41] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-762| [2001-07-26 06:27:58] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-753| [2001-07-26 06:23:01] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-585| [2001-07-26 03:26:08] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-751| [2001-07-26 06:20:28] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-738| [2001-07-26 06:12:37] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-727| [2001-07-26 06:00:09] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-639| [2001-07-26 04:34:32] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-657| [2001-07-26 04:51:02] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-660| [2001-07-26 04:58:02] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-667| [2001-07-26 05:00:23] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    > #1-668| [2001-07-26 05:02:05] 128.174.5.113 -> 163.150.152.247
    > [arachNIDS/246]  MISC Large ICMP Packet
    
    -- 
        .~.
        /V\
       /( )\
       ^^-^^
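One way to triage this class of alert, written as an added example for this thread (not code from either poster): it parses ACID summary lines in the shape Chris posted, measures the gaps between alerts, and checks the packet properties Opus's PMTU explanation predicts (an echo request whose 20 + 8 + 1472 bytes exactly fill the 1500-byte Ethernet MTU, an all-zero payload, minutes between packets from a single host). The one-second flood threshold, the verdict strings and the unwrapped sample lines are assumptions made here.

```python
import re
import statistics
from datetime import datetime

ETHERNET_MTU = 1500   # dlen=1500 in the alert: the IP datagram exactly fills an Ethernet frame
IP_HDR_LEN = 20       # hlen=5 -> 5 * 4 bytes, no IP options
ICMP_ECHO_HDR = 8     # type, code, checksum, id, seq

ACID_LINE = re.compile(
    r"#\d+-\d+\|\s+\[(?P<ts>[^\]]+)\]\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"\s+\[(?P<ref>[^\]]+)\]\s+(?P<sig>.+)$")

def parse_acid_summary(text):
    """Turn ACID 'summary of all packets' lines (mail-wrapped halves joined) into dicts by time."""
    events = []
    for line in text.splitlines():
        m = ACID_LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def triage_large_icmp(events, icmp_type, payload, flood_gap_s=1.0):
    """Checks a defender wants before dismissing 'MISC Large ICMP Packet' as a PMTU probe."""
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
    checks = {
        "single_source": len({e["src"] for e in events}) == 1,
        "echo_request": icmp_type == "Echo Request",
        "fills_ethernet_mtu": IP_HDR_LEN + ICMP_ECHO_HDR + len(payload) == ETHERNET_MTU,
        "null_payload": not any(payload),        # the thread's "1472 bytes of NULL"
        "median_gap_s": statistics.median(gaps) if gaps else None,
    }
    # Minutes apart, not back-to-back: a probe, not a flood (the thread's own observation).
    slow = checks["median_gap_s"] is not None and checks["median_gap_s"] > flood_gap_s
    probe_like = all((checks["single_source"], checks["echo_request"],
                      checks["fills_ethernet_mtu"], checks["null_payload"], slow))
    checks["verdict"] = ("MTU-sized echo probe from one host; matches the AIX PMTU explanation"
                         if probe_like else "does not fit the probe pattern; investigate further")
    return checks

# Constructed sample: three of the thread's alert lines, unwrapped onto one line each.
SAMPLE_SUMMARY = """
#1-57| [2001-07-25 18:08:13] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246]  MISC Large ICMP Packet
#1-72| [2001-07-25 18:10:38] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246]  MISC Large ICMP Packet
#1-82| [2001-07-25 18:14:44] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246]  MISC Large ICMP Packet
"""

def triage_sample():
    # Payload and ICMP type as ACID printed them for the sample packet: 1472 zero bytes, Echo Request.
    return triage_large_icmp(parse_acid_summary(SAMPLE_SUMMARY), "Echo Request", bytes(1472))
```

The verdict is a triage hint, not proof: a burst of such packets, a second source, or a non-null payload all push the result to "investigate further".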
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 12:04:17 PDT