Re: big ICMP size

[thornton () cnation com]

Ofir Arkin wrote:
> Darren,
>
> This is the trace of HPUX 11.0x PMTU discovery process kicking my LINUX test
> box:
>
> 00:27:57.435620 ppp0 < x.x.x.x > y.y.y.y : icmp: echo request (DF) (ttl 236,
> id 41985)
>                          4500 05dc a401 4000 ec01 d909 xxxx xxxx
>                          yyyy yyyy 0800 7e52 9abc def0 0000 0000
>                          0000 0000 0000 0000 0000 0000 0000 0000
>                          0000 0000 0000 0000 0000 0000 0000 0000
>                          0000 0000 0000 0000 0000 0000 0000 0000
>                          ....

I have been seeing lots of these packets originating from Macintoshes
within my firewall. They  always have an identifier of 0x9abc and a
sequence number of 0xdef0 (like the one you have above). They normally
have about 1K of data, all zeroes.

I'd like to believe that these are legitimate packets, but I have
noticed that the pings are originating from machines that are desktops
of our least technically inclined employees, and are pinging against the
web sites that they are surfing. My first thought (after noticing that
the pings were in parallel to their web surfing) was that it was some
trojan or something that was tracking their surfing habits, but I don't
see any benefit to these pings. The fact that the ICMP packets have
rather obviously bogus identifiers and sequence numbers doesn't make me
very comfortable either. The fact that they all started a week or two
ago is also a little suspicious to me.

Are these identifier and sequence number some special codes for some
legitimate use? I can't find any documentation on them.

thornton

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards