Strings of 'EEEE' in pings...

From: Peter Bates (Peter.Batesat_private)
Date: Fri Jan 25 2002 - 11:05:58 PST


    Hello all...
    
    I've searched on Google, and other than some short discussion
    in the past, I've nothing to answer my question...
    
    I saw some of this traffic today, watching a machine which had
    made several failed attempts to connect to servers they shouldn't
    (both machines are internal), and then seeing some SNMP traffic
    to external hosts which I failed to capture...
    
    What I saw was this: (snort -vde capture)
    
    01/25-18:05:09.399334 8:0:20:9E:ED:B3 -> 0:10:F6:8E:A0:0 type:0x800 len:0x4A
    (INTERNAL) -> (EXTERNAL) ICMP TTL:62 TOS:0x0 ID:43296 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:9  ECHO
    45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
    45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    01/25-18:05:09.419335 0:10:F6:8E:A0:0 -> 8:0:20:9E:ED:B3 type:0x800 len:0x4A
    (EXTERNAL) -> (INTERNAL) ICMP TTL:113 TOS:0x0 ID:44568 IpLen:20 DgmLen:60
    Type:0  Code:0  ID:1  Seq:9  ECHO REPLY
    45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
    45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    Yes it's a ping echo/reply pair, but why the string of EE's?
    
    I could recreate this slightly using 'ping -p 45 host' from another
    system, but it was still slightly different at the front...
    
    Can anyone explain this, or what might be generating this traffic?
    
    The internal host in question appears to be a Windows machine, but
    we'll only be able to investigate properly after the weekend.
    
    
    
    -------------------------------------------------------------------------------------------------------------------->
    Peter Bates, Systems Support Officer, Network Support Team.
    London School of Hygiene & Tropical Medicine.
    Telephone:0207-927 2124 / Fax: 0207- 636 9838 
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
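As an added example, not part of Peter's post or anything the list provided, the script below does the triage an analyst would do on the capture above: it rebuilds the ICMP payload from the snort hex-dump lines, profiles the payload (length, distinct bytes, entropy, shape), checks that the echo reply carries the same data as the request, and names what it finds. The benign payload templates it recognises are assumptions about common ping implementations (Windows ping cycles the letters 'a'..'w'; BSD and Linux ping place a timestamp in the leading bytes and fill the rest with each byte's own offset), and the constant-fill shape is the one `ping -p 45` produces; none of that is stated in the post.

```python
import re
from collections import Counter
from math import log2

# Payload hex-dump lines as snort -vde printed them in the post above.
# Snort summarises the IP and ICMP headers on its own lines, so only the
# 32 ICMP data bytes appear in the dump.
ECHO_REQUEST_DUMP = """\
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
"""
ECHO_REPLY_DUMP = ECHO_REQUEST_DUMP  # the reply in the post carried identical bytes

# Benign payload templates. These shapes are assumptions about common ping
# implementations, not something the post states: Windows ping cycles 'a'..'w';
# BSD/Linux ping put a timestamp in the first bytes and then fill each byte
# with its own offset into the data.
WINDOWS_CYCLE = b"abcdefghijklmnopqrstuvw"
UNIX_TIMESTAMP_LEN = 16  # bytes the timestamp may occupy before the offset pattern


def parse_snort_dump(dump: str) -> bytes:
    """Recover raw payload bytes from snort's 'hex hex ...  ascii' dump lines."""
    payload = bytearray()
    for line in dump.splitlines():
        hex_part = line.strip().split("  ", 1)[0]  # two spaces separate hex from ASCII
        payload.extend(int(tok, 16) for tok in hex_part.split())
    return bytes(payload)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant fill, near 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return 0.0 - sum(c / n * log2(c / n) for c in Counter(data).values())


def classify_payload(payload: bytes) -> str:
    """Name the payload shape so a stock ping can be told apart from something odd."""
    n = len(payload)
    if n == 0:
        return "empty"
    if len(set(payload)) == 1:
        return f"constant-fill 0x{payload[0]:02x}"
    if payload == (WINDOWS_CYCLE * (n // len(WINDOWS_CYCLE) + 1))[:n]:
        return "windows-ping-default"
    if n > UNIX_TIMESTAMP_LEN and all(
        payload[i] == i & 0xFF for i in range(UNIX_TIMESTAMP_LEN, n)
    ):
        return "unix-ping-default"
    return "unclassified"


def profile_payload(payload: bytes) -> dict:
    """Summary an analyst can put in a ticket next to the packet."""
    return {
        "length": len(payload),
        "distinct_bytes": len(set(payload)),
        "entropy_bits": round(shannon_entropy(payload), 3),
        "kind": classify_payload(payload),
    }


def triage_echo_pair(request_dump: str, reply_dump: str) -> dict:
    """Profile an echo request/reply pair and list anything worth a closer look."""
    req = parse_snort_dump(request_dump)
    rep = parse_snort_dump(reply_dump)
    profile = profile_payload(req)
    findings = []
    if rep != req:
        # RFC 792: the reply returns the request's data. A mismatch means the far
        # end is not a plain echo responder and deserves attention.
        findings.append("reply payload differs from request payload")
    if profile["kind"].startswith("constant-fill"):
        findings.append("constant fill byte: typical of 'ping -p' or a custom sender, not a stock ping")
    if profile["kind"] == "unclassified" and profile["entropy_bits"] > 6.0:
        findings.append("high-entropy payload: possible encoded data carried in ICMP")
    return {"request": profile, "reply_matches_request": rep == req, "findings": findings}


if __name__ == "__main__":
    for key, value in triage_echo_pair(ECHO_REQUEST_DUMP, ECHO_REPLY_DUMP).items():
        print(f"{key}: {value}")
```

Run against the two packets from the post, the script reports a 32-byte payload of a single byte (0x45), zero entropy, and a reply that echoes the request exactly; the only finding is the constant fill, which points at a padded ping or a custom sender rather than the default Windows or Unix ping payload. The same profile function can be run over every echo request a sensor sees, so that payloads which match neither template stand out without an analyst reading hex by hand.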
    This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 11:16:37 PST