Hello list,

I've just updated the museum of broken packets at http://lcamtuf.coredump.cx/mobp/ (a shameless but on-topic plug), and in the process of doing so, I reviewed some of the recent logs. On one of the boxes, I noticed some quite awkward activity I can't really explain.

The traffic in question is a number of strange packets that seem like a (broken?) IP protocol scan, but do not seem to match the characteristics of a known proto scan tool (quite different from nmap -sO, for example). This traffic is then followed by a storm of ip-proto-55 packets with increasing TTLs from a similar source (this is exhibit #12 in the museum, posted with full packet dumps and such).

What's going on? I'm truly perplexed as to the nature and purpose of this activity. Has anyone seen something like this, or has some insight as to what could be happening? Any suggestions, log lookups and conspiracy theories truly appreciated.

Thanks,
--
-------------------------
bash$ :(){ :|:&};: -- Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-07-19 20:43 --
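For readers who want to look for the same two patterns in their own logs, here is a small detection heuristic added as an illustration (not code from the post or from the museum): it flags a source that touches many distinct IP protocol numbers and then sends a run of one protocol with TTLs climbing one per packet, the traceroute-like shape described above. The record layout, sample traffic and thresholds are constructed assumptions.

```python
"""Heuristics for an IP-protocol sweep followed by a TTL ramp on one protocol.
Record layout (seconds, src, dst, ip_proto, ttl) and thresholds are assumed."""
from collections import defaultdict

# Constructed sample log. 198.51.100.7 probes protocols 1..8, then sends
# ip-proto-55 with TTL 1, 2, 3, ... (the pattern from the post).
# 192.0.2.5 is ordinary TCP/UDP traffic and must not be flagged.
SAMPLE = [(t, "198.51.100.7", "203.0.113.9", p, 64) for t, p in enumerate(range(1, 9))]
SAMPLE += [(10 + i, "198.51.100.7", "203.0.113.9", 55, 1 + i) for i in range(6)]
SAMPLE += [(20, "192.0.2.5", "203.0.113.9", 6, 128), (21, "192.0.2.5", "203.0.113.9", 17, 128)]


def find_proto_sweeps(records, min_protos=5):
    """Map src -> sorted distinct IP protocol numbers for sources that touch
    at least min_protos different protocols (a protocol-scan signature)."""
    protos = defaultdict(set)
    for _t, src, _dst, proto, _ttl in records:
        protos[src].add(proto)
    return {s: sorted(p) for s, p in protos.items() if len(p) >= min_protos}


def find_ttl_ramps(records, min_len=4):
    """Map (src, proto) -> longest run of strictly increasing TTLs seen in
    time order for that flow, keeping only runs of at least min_len packets."""
    by_flow = defaultdict(list)
    for _t, src, _dst, proto, ttl in sorted(records):
        by_flow[(src, proto)].append(ttl)
    ramps = {}
    for key, ttls in by_flow.items():
        run = best = [ttls[0]]
        for prev, cur in zip(ttls, ttls[1:]):
            run = run + [cur] if cur > prev else [cur]
            if len(run) > len(best):
                best = run
        if len(best) >= min_len:
            ramps[key] = best
    return ramps


def correlate(records):
    """Sources that show both a protocol sweep and a TTL ramp on one protocol."""
    sweeps = find_proto_sweeps(records)
    return {src: {"swept": sweeps[src], "ramp_proto": proto, "ttls": ttls}
            for (src, proto), ttls in find_ttl_ramps(records).items() if src in sweeps}


if __name__ == "__main__":
    for src, hit in correlate(SAMPLE).items():
        print(src, hit)
```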
This archive was generated by hypermail 2b30 : Sat Jul 19 2003 - 16:18:05 PDT