Security Incidents mailing list archives

Re: echo requests, 1480 bytes


From: oogali () INTRANOVA NET (Omachonu Ogali)
Date: Tue, 15 Feb 2000 06:40:35 -0500


On Fri, 11 Feb 2000, Ron Gula wrote:

Thomas,

What catches my eye in your message is:

Feb  3 06:24:30 oi iplog[20316]: ICMP: echo from ns-norva.navy.mil (1480 bytes)


Does anyone know what these folks are up to?  I usually see an echo
request from them, followed by an ICMP source quench.  Very odd.

Don

We have seen several sites monitored by the Dragon IDS pick up this
packet. It is spoofed as certain fields in the ICMP and IP headers
never change. Someone probably compiled an ICMP spoofer and used
the length of their buffer as the length of their packet.

I'd post a copy of the packet, but I don't have permission from the
customer at the moment. It's a payload of all zeros after the ICMP
header.

Ron Gula, CTO.
Network Security Wizards, Inc.
http://www.securitywizards.com


Is it actually spoofed? Ping that address and you'll receive high latency
and source quenches, then ping the broadcast address and you'll receive
replies. I've contacted Sprint, but I haven't seen anything done nor been
replied to.

 --
+-------------------------------------------------------------------------+
| Omachonu Ogali                                     oogali () intranova net |
| Intranova Networking Group                 http://tribune.intranova.net |
| PGP Key ID:                                                  0xBFE60839 |
| PGP Fingerprint:       C8 51 14 FD 2A 87 53 D1  E3 AA 12 12 01 93 BD 34 |
+-------------------------------------------------------------------------+
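
The check Ron Gula describes above (header fields that never change from packet to packet, and an all-zero payload after the ICMP header), as an added example that is not part of the original thread. The watched fields (IP ID and ICMP sequence number), the helper names and the sample packets are assumptions constructed here; the post does not say which fields stayed constant.

```python
import struct

def build_echo(ip_id, seq, payload, icmp_id=0x2A):
    """Constructed sample: IPv4 header + ICMP echo request (checksums left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), ip_id, 0,
                     64, 1, 0, bytes([198, 51, 100, 7]), bytes([192, 0, 2, 1]))
    return ip + struct.pack("!BBHHH", 8, 0, 0, icmp_id, seq) + payload

def parse_echo(pkt):
    """Return fields of an IPv4 ICMP echo request, or None for anything else."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 8:
        return None
    total_len, ip_id = struct.unpack("!HH", pkt[2:6])
    icmp_type, _code, _cksum, icmp_id, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    if icmp_type != 8:
        return None
    payload = pkt[ihl + 8:total_len]
    return {"total_len": total_len, "ip_id": ip_id, "icmp_id": icmp_id,
            "icmp_seq": seq, "zero_payload": bool(payload) and not any(payload)}

def invariant_fields(packets, watch=("ip_id", "icmp_seq")):
    """Watched fields that hold a single value across all echo requests seen."""
    parsed = [p for p in map(parse_echo, packets) if p]
    if len(parsed) < 2:          # one packet cannot show that a field never changes
        return []
    return [f for f in watch if len({p[f] for p in parsed}) == 1]

def looks_crafted(packets):
    """True when watched fields never change and every payload is all zeros."""
    parsed = [p for p in map(parse_echo, packets) if p]
    return bool(invariant_fields(packets)) and all(p["zero_payload"] for p in parsed)

# Constructed captures: 1480-byte IP datagrams (an assumed reading of the logged size).
SUSPECT = [build_echo(0x1234, 0, bytes(1452)) for _ in range(3)]
NORMAL = [build_echo(100 + i, i, b"abcdefgh" * 7) for i in range(3)]

if __name__ == "__main__":
    for name, capture in (("suspect", SUSPECT), ("normal", NORMAL)):
        print(name, invariant_fields(capture), looks_crafted(capture))
```

The ICMP identifier is left out of the default watch list because an ordinary ping session keeps it constant, so it would match legitimate traffic too.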

