Firewall Wizards mailing list archives
Re: big ICMP size
From: thornton () cnation com
Date: Wed, 04 Oct 2000 18:25:06 -0700
Ofir Arkin wrote:
Darren, This is the trace of HPUX 11.0x PMTU discovery process kicking my LINUX test box:

00:27:57.435620 ppp0 < x.x.x.x > y.y.y.y : icmp: echo request (DF) (ttl 236, id 41985)
4500 05dc a401 4000 ec01 d909 xxxx xxxx
yyyy yyyy 0800 7e52 9abc def0 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 ....
I have been seeing lots of these packets originating from Macintoshes within my firewall. They always have an identifier of 0x9abc and a sequence number of 0xdef0 (like the one you have above). They normally have about 1K of data, all zeroes.

I'd like to believe that these are legitimate packets, but I have noticed that the pings are originating from machines that are desktops of our least technically inclined employees, and are pinging against the web sites that they are surfing. My first thought (after noticing that the pings were in parallel to their web surfing) was that it was some trojan or something that was tracking their surfing habits, but I don't see any benefit to these pings. The fact that the ICMP packets have rather obviously bogus identifiers and sequence numbers doesn't make me very comfortable either. The fact that they all started a week or two ago is also a little suspicious to me.

Are this identifier and sequence number some special codes for some legitimate use? I can't find any documentation on them.

thornton

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
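The hex dump quoted in the thread can be decoded mechanically rather than by eye. The following Python script is an added example, not code from the thread or from any of its posters: it parses tcpdump-style hex output into the IPv4 and ICMP echo fields (total length, IP id, DF flag, TTL, ICMP identifier and sequence) and flags echo requests that match the pattern thornton describes (identifier 0x9abc, sequence 0xdef0, a large all-zero payload). The masked addresses in the original dump (xxxx xxxx / yyyy yyyy) are replaced with constructed RFC 5737 documentation addresses, so the IP header checksum is not verified; the 1000-byte payload threshold, the function names and the contrasting "ordinary ping" builder are assumptions made for the example.

```python
"""Decode a tcpdump-style ICMP hex dump and flag echo requests that match
the thread's odd pattern (ident 0x9abc, seq 0xdef0, large zero payload).

Added example for the firewall-wizards thread; not the poster's code.
"""
import struct
from dataclasses import dataclass

# Constructed sample: the first words of the dump from the thread, with the
# masked source/destination replaced by RFC 5737 addresses (192.0.2.1 ->
# 192.0.2.2). The all-zero payload is padded out to the 1500-byte total
# length (0x05dc) claimed by the IP header.
SAMPLE_HEX = (
    "4500 05dc a401 4000 ec01 d909 c000 0201 c000 0202 "
    "0800 7e52 9abc def0"
)

# Assumed threshold for "about 1K of data" from the thread.
ZERO_PAYLOAD_MIN = 1000
ODD_IDENT, ODD_SEQ = 0x9ABC, 0xDEF0


def hexdump_to_bytes(dump: str, pad_to_total_length: bool = True) -> bytes:
    """Turn space-separated 16-bit hex words into bytes; optionally pad a
    truncated dump with zeros up to the IP total length field."""
    data = bytes.fromhex(dump.replace(" ", ""))
    if pad_to_total_length and len(data) >= 4:
        total = struct.unpack("!H", data[2:4])[0]
        if len(data) < total:
            data += b"\x00" * (total - len(data))
    return data


@dataclass
class IcmpEcho:
    src: str
    dst: str
    ttl: int
    ip_id: int
    df: bool
    total_length: int
    icmp_type: int
    icmp_code: int
    ident: int
    seq: int
    payload: bytes


def parse_icmp_echo(packet: bytes) -> IcmpEcho:
    """Decode the IPv4 header and the ICMP header that follows it.
    Checksums are not verified (addresses in the thread's dump are masked)."""
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _tos, total_len, ip_id, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 1:
        raise ValueError("not ICMP")
    ihl = (ver_ihl & 0x0F) * 4
    icmp = packet[ihl:total_len]
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, icmp_code, _icsum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return IcmpEcho(
        src=".".join(map(str, src)), dst=".".join(map(str, dst)),
        ttl=ttl, ip_id=ip_id, df=bool(flags_frag & 0x4000),
        total_length=total_len, icmp_type=icmp_type, icmp_code=icmp_code,
        ident=ident, seq=seq, payload=icmp[8:])


def matches_thread_pattern(echo: IcmpEcho) -> bool:
    """True for an echo request with the thread's fixed ident/seq and a
    large payload that is entirely zero bytes."""
    return (echo.icmp_type == 8
            and echo.ident == ODD_IDENT and echo.seq == ODD_SEQ
            and len(echo.payload) >= ZERO_PAYLOAD_MIN
            and not any(echo.payload))


def build_echo_request(src: bytes, dst: bytes, ident: int, seq: int,
                       payload: bytes) -> bytes:
    """Constructed 'ordinary' ping for comparison only; checksum fields are
    left as zero because the parser above does not check them."""
    total = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 1, 0, src, dst)
    return ip + struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload


if __name__ == "__main__":
    echo = parse_icmp_echo(hexdump_to_bytes(SAMPLE_HEX))
    print(f"{echo.src} -> {echo.dst} ttl={echo.ttl} id={echo.ip_id} "
          f"DF={echo.df} len={echo.total_length} type={echo.icmp_type} "
          f"ident=0x{echo.ident:04x} seq=0x{echo.seq:04x} "
          f"payload={len(echo.payload)} bytes")
    print("matches thread pattern:", matches_thread_pattern(echo))
```

Run against the sample, the decode reproduces the fields tcpdump printed on the summary line (ttl 236, id 41985, DF set, total length 1500) and the ICMP identifier/sequence the thread singles out, so the same function can be pointed at further captures to see whether the pattern is as uniform as thornton reports.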
Current thread:
- big ICMP size bugiu (Oct 03)
- Re: big ICMP size Darren Reed (Oct 04)
- RE: big ICMP size Ofir Arkin (Oct 04)
- Re: big ICMP size thornton (Oct 09)
- RE: big ICMP size Ofir Arkin (Oct 04)
- RE: big ICMP size Ofir Arkin (Oct 04)
- Re: big ICMP size Darren Reed (Oct 04)