This is an ICMP "Fragmentation Needed/DF set" message, but the source and destination IP addresses are the same. This is not a land attack, as it is ICMP. This is the external IP of an Arrowpoint (Cisco CSS) load balancer. The TTL of 53 doesn't look like an initial TTL, which leads me to believe that it was not generated by the load balancer itself, or even the clients directly behind it. There are two different IP ID numbers for the six alerts (46555 and 46636). There are also two different data payloads, but notice that the payloads and IP ID number do not match for all of the alerts (i.e. the first and last alert have the same IP ID, but a different payload). This was detected with Snort, and the output is from the ACID 'email full alert' option. Any ideas?

Thanks!

Monte Toren
mtorenat_private

----------------------------------------------------------------------------
#(2 - 30338) [2002-02-20 14:59:28]  MISC same SRC/DST
IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
      hlen=5 TOS=0 dlen=28 ID=46555 flags=0 offset=0 TTL=53 chksum=6190
ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set
      checksum=59284 id= seq=
Payload: length = 4
000 : 59 60 BC 06                                        Y`..
----------------------------------------------------------------------------
#(2 - 30339) [2002-02-20 14:59:28]  MISC same SRC/DST
IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
      hlen=5 TOS=0 dlen=28 ID=46555 flags=0 offset=0 TTL=53 chksum=6190
ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set
      checksum=59284 id= seq=
Payload: length = 4
000 : 59 60 BC 06                                        Y`..
----------------------------------------------------------------------------
#(2 - 30340) [2002-02-20 14:59:29]  MISC same SRC/DST
IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
      hlen=5 TOS=0 dlen=28 ID=46636 flags=0 offset=0 TTL=53 chksum=6109
ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set
      checksum=11154 id= seq=
Payload: length = 4
000 : 59 8A 77 DF                                        Y.w.
----------------------------------------------------------------------------
#(2 - 30341) [2002-02-20 14:59:29]  MISC same SRC/DST
IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
      hlen=5 TOS=0 dlen=28 ID=46636 flags=0 offset=0 TTL=53 chksum=6109
ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set
      checksum=11154 id= seq=
Payload: length = 4
000 : 59 8A 77 DF                                        Y.w.
----------------------------------------------------------------------------
#(2 - 30342) [2002-02-20 14:59:30]  MISC same SRC/DST
IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
      hlen=5 TOS=0 dlen=28 ID=46655 flags=0 offset=0 TTL=53 chksum=6090
ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set
      checksum=9693 id= seq=
Payload: length = 4
000 : 59 8A 7D 94                                        Y.}.
----------------------------------------------------------------------------
#(2 - 30343) [2002-02-20 14:59:30]  MISC same SRC/DST
IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
      hlen=5 TOS=0 dlen=28 ID=46655 flags=0 offset=0 TTL=53 chksum=6090
ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set
      checksum=9693 id= seq=
Payload: length = 4
000 : 59 8A 7D 94                                        Y.}.
----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
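An added analysis script, not part of the post and not Snort or ACID code, that parses two of the ACID records above and checks what a defender would want to know about them: the IP length (dlen=28, hlen=5) leaves only 8 bytes of ICMP, so the message carries no copy of the offending datagram that RFC 792 says a Destination Unreachable must include, and recomputing the ICMP checksum over type 3, code 4 and the four payload bytes reproduces the reported values, which proves the message really is that short rather than truncated by the display. The record format regex and the 36-byte minimum are my assumptions, taken from the ACID output shown and RFC 792 respectively.

```python
import re
# Two of the ACID "email full alert" records quoted in the post (copied from it, not constructed).
SAMPLE = """#(2 - 30338) [2002-02-20 14:59:28]  MISC same SRC/DST
IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
      hlen=5 TOS=0 dlen=28 ID=46555 flags=0 offset=0 TTL=53 chksum=6190
ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set
      checksum=59284 id= seq=
000 : 59 60 BC 06                                        Y`..
------------------------------------------------------------------
#(2 - 30340) [2002-02-20 14:59:29]  MISC same SRC/DST
IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
      hlen=5 TOS=0 dlen=28 ID=46636 flags=0 offset=0 TTL=53 chksum=6109
ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set
      checksum=11154 id= seq=
000 : 59 8A 77 DF                                        Y.w.
"""
ICMP_TYPES, ICMP_CODES = {"Destination Unreachable": 3}, {"Fragmentation Needed/DF set": 4}

def parse_acid(text):
    """One dict per record: CID, addresses, IP lengths/ID, numeric ICMP type/code, checksum, payload."""
    fields = re.compile(r"#\((\d+ - \d+)\).*?IPv4: (\S+) -> (\S+).*?hlen=(\d+).*?dlen=(\d+) ID=(\d+)"
                        r".*?type=(.+?) code=(.+?)\s+checksum=(\d+)", re.S)
    alerts = []
    for block in re.split(r"\n-{10,}\n", text):
        m = fields.search(block)
        if not m:
            continue
        hexdump = "".join(re.findall(r"^\d{3} : ((?:[0-9A-F]{2} )+)", block, re.M))  # hex column only
        alerts.append({"cid": m[1], "src": m[2], "dst": m[3], "hlen": int(m[4]), "dlen": int(m[5]),
                       "ip_id": int(m[6]), "type": ICMP_TYPES[m[7]], "code": ICMP_CODES[m[8]],
                       "checksum": int(m[9]), "payload": bytes.fromhex(hexdump.replace(" ", ""))})
    return alerts

def icmp_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit big-endian words; an odd trailing byte is zero-padded."""
    total = sum(int.from_bytes(data[i:i + 2].ljust(2, b"\0"), "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def analyse(a):
    """Structural checks on one Destination Unreachable alert; returns a list of finding strings."""
    findings, icmp_len = [], a["dlen"] - a["hlen"] * 4
    # RFC 792: 8-byte ICMP header + offending IP header (>= 20) + 8 bytes, i.e. at least 36 bytes of ICMP.
    if icmp_len < 36:
        findings.append(f"truncated: {icmp_len}-byte ICMP, no embedded original datagram")
    # Recompute over type, code, zeroed checksum field and the shown payload; a match proves the
    # message really is that short and the display did not drop the embedded datagram.
    msg = bytes([a["type"], a["code"], 0, 0]) + a["payload"]
    findings.append("checksum verifies" if icmp_checksum(msg) == a["checksum"] else "checksum mismatch")
    if (a["type"], a["code"]) == (3, 4):  # RFC 1191: bytes 2-3 of the payload hold the next-hop MTU
        findings.append(f"next-hop MTU field = {int.from_bytes(a['payload'][2:4], 'big')}")
    return findings
```

With no embedded header there is nothing to tie the message to a flow, so a PMTUD stack would ignore it; that, not the equal addresses, is the more useful signal for a detection rule.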
This archive was generated by hypermail 2b30 : Fri Feb 22 2002 - 13:37:47 PST