Unusual ICMP Traffic

From: jeffat_private
Date: Tue Oct 22 2002 - 00:53:20 PDT

    I am looking for help concerning some unusual ICMP traffic I am seeing.  
    Specifically, I am seeing inbound ICMP (type 38 code 37) with some unusual 
    data in the ICMP data field (see below).  I am seeing multiple source IPs 
    (outside) to multiple destination IPs (inside).  All the source IPs have 
    TTLs in the low 100s or in the 40 range.  This could indicate a possible 
    spoofed source from two different locations.   
    
    I have been seeing a lot of "http" type data and more recently the "reverse 
    connect to me" message within the ICMP data field.
    
    Has anyone seen this type of ICMP traffic?
    
    12:35:38.989687 A.B.C.D > W.X.Y.Z: icmp: type-#38 (wrong icmp csum) (ttl 
    104, id 23538, len 48)
    0x0000   4500 0030 5bf2 0000 6801 b8c3 aabb ccdd        E..0[...h....+.(
    0x0010   wwxx yyzz 2625 4024 2b28 2953 0000 0000        .(..&%@$+()S....
    0x0020   7002 4000 3ca2 0000 0204 0550 0101 0402        p.@.<......P....
    17:52:22.876817 A.B.C.40 > W.X.Y.Z: icmp: type-#38 (wrong icmp csum) (ttl 
    100, id 12721, len 129)
    0x0000   4500 0081 31b1 0000 6401 0c10 aabb ccdd        E...1...d.......
    0x0010   wwxx yyzz 2625 4024 2b28 2953 14e3 1711        .(..&%@$+()S....
    0x0020   5018 1e54 55c0 0000 2452 6576 436f 6e6e        P..TU...$RevConn
    0x0030   6563 7454 6f4d 6520 462e 532e 4f2e 7265        ectToMe.F.S.O.re
    0x0040   6466 6165 3939 3920 233d 4f72 6163 6c65        dfae999.#=Oracle
    0x0050   3d23 7c24 5265 7643 6f6e 6e65 6374 546f        =#|$RevConnectTo
    0x0060   4d65 2046 2e53 2e4f 2e72 6564 6661 6539        Me.F.S.O.redfae9
    0x0070   3939 205b 4264 5d2e 5a6f 6279 5761 6e65        99.[Bd].ZobyWane
    0x0080   7c                                             |
    16:19:26.878146 A.B.C.40 > W.X.Y.Z: icmp: type-#38 (wrong icmp csum) (ttl 
    40, id 33354, len 64)
    0x0000   4500 0040 824a 0000 2801 672b aabb ccdd        E..@.J..(.g+..5w
    0x0010   wwxx yyzz 2625 4024 2b28 2953 0000 0000        .(..&%@$+()S....
    0x0020   7002 4000 8673 0000 0204 0550 0101 0402        p.@..s.....P....
    0x0030   4854 5450 2f31 2e31 2032 3030 204f 4b0d        HTTP/1.1.200.OK.
    
    Thanks
    Jeff
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
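An added example, not part of Jeff's post or the list archive: a small Python decoder for the first two dumps above. It re-types the packets with the anonymised addresses (aabb ccdd / wwxx yyzz) replaced by RFC 5737 placeholders, confirms that the ICMP checksum really does not verify (as tcpdump flagged), and reads the ICMP portion with a TCP header layout, where "type 38 code 37" is just the first two bytes 0x2625 of a port field and the second dump decodes as a PSH/ACK segment carrying the "$RevConnectToMe" text.

```python
import struct

# Packets 1 and 2 from the post, re-typed from the hex dumps above. The
# anonymised addresses (aabb ccdd / wwxx yyzz) are replaced by RFC 5737
# documentation addresses (constructed), so the IP header checksum will not
# verify; the ICMP part (offset 20 onward) is exactly as captured.
SRC_DST = "c0000201c6336402"                # 192.0.2.1 -> 198.51.100.2
PKT1 = bytes.fromhex("45000030 5bf20000 6801b8c3" + SRC_DST +
                     "26254024 2b282953 00000000 70024000 3ca20000 02040550 01010402")
PKT2 = (bytes.fromhex("45000081 31b10000 64010c10" + SRC_DST +
                      "26254024 2b282953 14e31711 50181e54 55c00000")
        + b"$RevConnectToMe F.S.O.redfae999 #=Oracle=#|"
        + b"$RevConnectToMe F.S.O.redfae999 [Bd].ZobyWane|")

def rfc1071_checksum(data: bytes) -> int:
    """16-bit one's-complement sum of the data, complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def l4_bytes(pkt: bytes) -> bytes:
    """Everything after the IPv4 header (length taken from the IHL nibble)."""
    return pkt[(pkt[0] & 0x0F) * 4:]

def icmp_checksum_ok(pkt: bytes) -> bool:
    # Summing a valid ICMP message including its own checksum field gives 0.
    return rfc1071_checksum(l4_bytes(pkt)) == 0

def as_icmp(pkt: bytes) -> dict:
    body = l4_bytes(pkt)
    return {"type": body[0], "code": body[1]}   # 0x26, 0x25 -> 38, 37

TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")

def as_tcp(pkt: bytes) -> dict:
    """Read the same bytes with a TCP header layout: ports, seq/ack, flags,
    window, options and whatever follows the header."""
    body = l4_bytes(pkt)
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", body[:16])
    hlen = (off_flags >> 12) * 4
    flags = [name for bit, name in enumerate(TCP_FLAGS) if off_flags & (1 << bit)]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": win, "options": body[20:hlen].hex(), "payload": body[hlen:]}

if __name__ == "__main__":
    for pkt in (PKT1, PKT2):
        print(as_icmp(pkt), icmp_checksum_ok(pkt), as_tcp(pkt))
```

The decoder only shows that the bytes fit a TCP layout (SYN with MSS 1360 and SACK-permitted options in the first dump, PSH/ACK with data in the second); it says nothing about why the IP protocol field is 1.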
    



    This archive was generated by hypermail 2b30 : Tue Oct 22 2002 - 16:32:15 PDT