Security Incidents mailing list archives

Re: 85.85.85.85 weirdness


From: wozz+nfr () WOOKIE NET (Wozz)
Date: Wed, 19 Jul 2000 10:36:02 -0600


On Wed, Jul 19, 2000 at 04:23:00PM +0200, Pascal Bouchareine wrote:
> just my $0.01 but :
> 
> On Tue, Jul 18, 2000 at 07:37:49PM -0600, Wozz wrote:
> > Anyone have any idea what I might be seeing here?  I just turned up an NFR
> > probe at Exodus in DC, and I'm seeing all sorts of traffic as follows
> > 
> > NFR:                dc-probefe
> > Source:             85.85.85.85
> > Destination:        85.85.85.85
> 
> 0x55555555 as a source ip.
> 
> > Type of attack:     Land
> 
> triggered because of the short size/buggy pointers, i guess.
> 
> > Protocol:           6
> > Src Port:           21845
> > DST Port:           21845
> 
> 21845, which is 0x5555. fun. this information is not interesting to you,
> as i bet this is a (buggy) "0x55 frame" and doesn't have anything to do with
> 85.85.85.85 or a land attack. anyway, the bug's still there.

That's what I suspected, that it was some sort of bug.

> > ICMP Type:          0
> > ICMP Code:          0
> > Packet:
> > 
> > E\x00\x02`\xc6\x01@\x00\xff\x06\xd7\xf6UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
> 
> U is 0x55, confirmed. you have a memset'ed area of 0x55. is it at the
> network level, or at the "bpf" level ?

I'm not sure, as I said, I don't see it on the network when I do a tcpdump on my
firewall.

> > My probe is sitting in front of my firewall box, and when I do a tcpdump on
> > my firewall searching for any of these packets, nothing comes up.  The only
> > thing I can figure is that this is some sort of weird packet that's being
> > misinterpreted by NFR.  Perhaps some sort of ethernet broadcast being used
> > by Exodus's Foundry VLANs?
> 
> are you sure your firewall doesn't filter these packets before passing
> them to the packet capture interface ?

The probe is outside the firewall (between our external router and the firewall).

> this sounds like a strange memory corruption, at the ethernet level
> or at the NFR level.. very interesting :)

No kidding ;)

Wish I could figure it out though, as it's filling up the alerts window ;)

Any NFR people have any ideas?
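Added decoder, not code from the thread or from NFR: it runs the quoted packet bytes through the same steps the sensor evidently took (parse the IPv4 header, read the TCP ports, apply the Land test) and additionally verifies the IP header checksum, a sanity check a sensor can apply before raising such an alert. The dump is padded to the 608 bytes its own total-length field (0x0260) claims; that padding and the field names are assumptions.

```python
import struct

# Reconstructed from the packet dump quoted in the thread: a 20-byte IPv4
# header followed by a 0x55 ("U") fill. Padded here to the 608 bytes the
# total-length field claims (assumption; the archive shows fewer bytes).
NFR_PACKET = b"E\x00\x02`\xc6\x01@\x00\xff\x06\xd7\xf6" + b"U" * (608 - 12)

def parse_ipv4(pkt):
    """Decode a fixed IPv4 header (no options) into a dict of fields."""
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {
        "version": ver_ihl >> 4,
        "ihl": (ver_ihl & 0x0F) * 4,   # header length in bytes
        "total_len": total_len,
        "ident": ident,
        "ttl": ttl,
        "proto": proto,
        "checksum": csum,
        "src": ".".join(str(b) for b in src),   # 0x55 x4 -> 85.85.85.85
        "dst": ".".join(str(b) for b in dst),
    }

def ipv4_checksum_ok(pkt, ihl):
    """RFC 791 one's-complement sum over the whole header (stored checksum
    included) folds to 0xFFFF only when the header is intact."""
    total = sum(struct.unpack("!%dH" % (ihl // 2), pkt[:ihl]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def tcp_ports(pkt, ihl):
    """Source and destination port of the TCP header following the IP header."""
    return struct.unpack("!HH", pkt[ihl:ihl + 4])   # 0x5555 -> 21845

def classify(pkt):
    """Apply the Land test (src == dst and sport == dport) that produced the
    alert, but also report whether the header passes its own checksum."""
    ip = parse_ipv4(pkt)
    is_tcp = ip["proto"] == 6
    sport, dport = tcp_ports(pkt, ip["ihl"]) if is_tcp else (None, None)
    land = is_tcp and ip["src"] == ip["dst"] and sport == dport
    return {"ip": ip, "sport": sport, "dport": dport, "land": land,
            "checksum_ok": ipv4_checksum_ok(pkt, ip["ihl"])}

if __name__ == "__main__":
    for key, value in classify(NFR_PACKET).items():
        print(key, value)
```

For the quoted header the checksum does not verify, which fits a buffer overwritten with 0x55 rather than a packet that was ever on the wire, and a sensor that checked this before matching the Land signature would not have raised the alert.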
