Protocol 255

From: Crist J. Clark (crist.clarkat_private)
Date: Thu Jul 11 2002 - 14:48:00 PDT


    I was looking through my SHADOW logs when I came across what I can
    only call some seriously weird shit.
    
    07:26:40.078077 151.1.141.11 > AAA.BBB.152.0:  ip-proto-255 28 (DF) (ttl 46, id 0, len 48)
    0x0000   4500 0030 0000 4000 2eff c069 9701 8d0b        E..0..@....i....
    0x0010   AABB 9800 4500 001c 787e 0000 ff01 4363        .X..E...x~....Cc
    0x0020   0000 0000 AABB 9800 0800 817f 7180 0500        .....X......q...
    07:26:40.081648 151.1.141.11 > AAA.BBB.152.255:  ip-proto-255 28 (DF) (ttl 46, id 0, len 48)
    0x0000   4500 0030 0000 4000 2eff bf6a 9701 8d0b        E..0..@....j....
    0x0010   AABB 98ff 4500 001c 787e 0000 ff01 4363        .X..E...x~....Cc
    0x0020   0000 0000 AABB 98ff 0800 7f7f 7280 0600        .....X......r...
    07:26:40.085936 151.1.141.11 > AAA.BBB.153.0:  ip-proto-255 28 (DF) (ttl 46, id 0, len 48)
    0x0000   4500 0030 0000 4000 2eff bf69 9701 8d0b        E..0..@....i....
    0x0010   AABB 9900 4500 001c 787e 0000 ff01 4363        .X..E...x~....Cc
    0x0020   0000 0000 AABB 9900 0800 7d7f 7380 0700        .....X....}.s...
    07:26:40.090049 151.1.141.11 > AAA.BBB.153.255:  ip-proto-255 28 (DF) (ttl 46, id 0, len 48)
    0x0000   4500 0030 0000 4000 2eff be6a 9701 8d0b        E..0..@....j....
    0x0010   AABB 99ff 4500 001c 787e 0000 ff01 4363        .X..E...x~....Cc
    0x0020   0000 0000 AABB 99ff 0800 7b7f 7480 0800        .....X....{.t...
    07:26:40.096690 151.1.141.11 > AAA.BBB.154.0:  ip-proto-255 28 (DF) (ttl 46, id 0, len 48)
    0x0000   4500 0030 0000 4000 2eff be69 9701 8d0b        E..0..@....i....
    0x0010   AABB 9a00 4500 001c 787e 0000 ff01 4363        .X..E...x~....Cc
    0x0020   0000 0000 AABB 9a00 0800 797f 7580 0900        .....X....y.u...
    07:26:40.097397 151.1.141.11 > AAA.BBB.154.255:  ip-proto-255 28 (DF) (ttl 46, id 0, len 48)
    0x0000   4500 0030 0000 4000 2eff bd6a 9701 8d0b        E..0..@....j....
    0x0010   AABB 9aff 4500 001c 787e 0000 ff01 4363        .X..E...x~....Cc
    0x0020   0000 0000 AABB 9aff 0800 777f 7680 0a00        .....X....w.v...
    07:26:40.107612 151.1.141.11 > AAA.BBB.155.0:  ip-proto-255 28 (DF) (ttl 46, id 0, len 48)
    0x0000   4500 0030 0000 4000 2eff bd69 9701 8d0b        E..0..@....i....
    0x0010   AABB 9b00 4500 001c 787e 0000 ff01 4363        .X..E...x~....Cc
    0x0020   0000 0000 AABB 9b00 0800 757f 7780 0b00        .....X....u.w...
    07:26:40.117045 151.1.141.11 > AAA.BBB.155.255:  ip-proto-255 28 (DF) (ttl 46, id 0, len 48)
    0x0000   4500 0030 0000 4000 2eff bc6a 9701 8d0b        E..0..@....j....
    0x0010   AABB 9bff 4500 001c 787e 0000 ff01 4363        .X..E...x~....Cc
    0x0020   0000 0000 AABB 9bff 0800 737f 7880 0c00        .....X....s.x...
    
    First off, we have protocol 255, which I believe is an IANA reserved
    value. The packets are aimed at the network and broadcast addresses of
    consecutive Class C address blocks. OK, that's weird...
    
    Now look at the payload. Let me zero the index on the payload of that
    last packet:
    
    0x0000   4500 001c 787e 0000 ff01 4363 0000 0000
    0x0010   AABB 9bff 0800 737f 7880 0c00
    
    Look familiar? That's another IP packet in there. To be exact, that's
    an ICMP echo request in there with the same destination IP as the
    outer datagram, AAA.BBB.155.255, and a source of 0.0.0.0. Also note
    that the echo-request identifier and sequence number fields are each
    incrementing by 0x100 for each packet. That's probably evidence that
    someone didn't do their host order to network order byte switching
    properly.
    
    So... What the heck _is_ that? Anyone seen anything like that before?
    I've seen weird looking stuff Out There before, but this ranks up
    pretty high on the weirdness scale. Oh, the IP address seems to be
    from an ISP in Italy. nmap didn't identify the OS, but it looks like
    it may be a Linux box from the ports and services offered?
    -- 
    Crist J. Clark                     |     cjclarkat_private
                                       |     cjclarkat_private
    http://people.freebsd.org/~cjc/    |     cjcat_private
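An added example (my own code, not from the post or from SHADOW) that decodes the last hex dump above in Python: it parses the outer protocol-255 datagram, unwraps the inner IPv4 header and ICMP echo request, and reads the identifier and sequence fields both in network order and little-endian to test the byte-order theory. The "AABB" prefix is the poster's anonymised destination and is treated as literal hex.

```python
import ipaddress
import struct

# Last capture from the post ("AABB" is the poster's anonymised prefix; it is still valid hex).
HEXDUMP = """
0x0000   4500 0030 0000 4000 2eff bc6a 9701 8d0b        E..0..@....j....
0x0010   AABB 9bff 4500 001c 787e 0000 ff01 4363        .X..E...x~....Cc
0x0020   0000 0000 AABB 9bff 0800 737f 7880 0c00        .....X....s.x...
"""
# Echo id/seq words from all eight captures in the post, in the order they were logged.
ID_SEQ_WORDS = ["7180 0500", "7280 0600", "7380 0700", "7480 0800",
                "7580 0900", "7680 0a00", "7780 0b00", "7880 0c00"]

def hexdump_to_bytes(text):
    """Keep the eight hex words after each 0x.... offset; drop the ASCII column."""
    out = bytearray()
    for line in text.strip().splitlines():
        out += bytes.fromhex("".join(line.split()[1:9]))
    return bytes(out)

def parse_ipv4(buf):
    """Minimal IPv4 header decode; returns (header fields, payload up to total length)."""
    vihl, _tos, total, ident, frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    return {"version": vihl >> 4, "len": total, "id": ident, "df": bool(frag & 0x4000),
            "ttl": ttl, "proto": proto, "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst))}, buf[ihl:total]

def decode_datagram(text):
    """Outer IPv4 -> (when proto is 255) inner IPv4 -> ICMP echo fields."""
    outer, payload = parse_ipv4(hexdump_to_bytes(text))
    result = {"outer": outer}
    if outer["proto"] != 255 or len(payload) < 20:
        return result          # not the pattern from the post; nothing more to unwrap
    inner, icmp = parse_ipv4(payload)
    result["inner"] = inner
    if inner["proto"] == 1 and len(icmp) >= 8:  # ICMP with a full echo header
        itype, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
        result["icmp"] = {"type": itype, "code": code, "id": ident, "seq": seq,
                          # same two fields read little-endian, for the byte-order theory
                          "id_le": struct.unpack("<H", icmp[4:6])[0],
                          "seq_le": struct.unpack("<H", icmp[6:8])[0]}
    return result

def seq_steps(words, byteorder):
    """Sorted set of per-capture changes in the sequence field for the given byte order."""
    seqs = [int.from_bytes(bytes.fromhex(w.split()[1]), byteorder) for w in words]
    return sorted({b - a for a, b in zip(seqs, seqs[1:])})
```

Read in network order the sequence field steps by 0x100 per capture; read little-endian it steps by 1, which is what a forgotten htons() would produce.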
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 18:16:27 PDT