Security Incidents mailing list archives

Re: 85.85.85.85 weirdness


From: Csiddall () AREAWIDENET COM (Corbin Siddall)
Date: Wed, 19 Jul 2000 09:02:50 -0500


I saw the LAND 85.85.85.85 attacks on our network a few months back.  We were having a problem with one of our
routers at the same time.  When I swapped out the router, NFR no longer picked up those messages.

-------------------------------------------------------------
Corbin B. Siddall, MCSE, CCNA, CCDA, CCA
Senior Network Engineer

Area-Wide Networking Technologies, INC.
"Let the Ring of Excellence keep your 'Net' working!"

Web: http://www.areawidenet.com
Phone: 217.359.8041
FAX: 217.359.8113

Wozz <wozz+incidents () wookie net> 07/18/00 08:37PM >>>
Anyone have any idea what I might be seeing here?  I just turned up an NFR
probe at Exodus in DC, and I'm seeing all sorts of traffic as follows:

NFR:                dc-probefe
Source:             85.85.85.85
Destination:        85.85.85.85
Type of attack:     Land
Protocol:           1
Src Port:           0
DST Port:           0
ICMP Type:          85
ICMP Code:          85
Packet:             

E\x00\x008\x80\x1e\x00\x00\x01\x01UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Count:                   1

I also get occasional variations as follows:

NFR:                dc-probefe
Source:             85.85.85.85
Destination:        85.85.85.85
Type of attack:     Land
Protocol:           6
Src Port:           21845
DST Port:           21845
ICMP Type:          0
ICMP Code:          0
Packet:             

E\x00\x02`\xc6\x01@\x00\xff\x06\xd7\xf6UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Count:                   1

and

NFR:                dc-probefe
Source:             85.85.85.85
Destination:        85.85.85.85
Type of attack:     Land
Protocol:           17
Src Port:           21845
DST Port:           21845
ICMP Type:          0
ICMP Code:          0
Packet:             

E\x00\x00"\xe1\xd3\x00\x00@\x11\x12UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Count:                   1

My probe is sitting in front of my firewall box, and when I do a tcpdump on
my firewall searching for any of these packets, nothing comes up.  The only
thing I can figure is that this is some sort of weird packet that's being
misinterpreted by NFR.  Perhaps some sort of ethernet broadcast being used
by Exodus's Foundry VLANs?

Just curious if anyone else has seen anything like this on an NFR system or
otherwise.

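The three NFR alerts in the quoted post, decoded as an added example (this is not code from the thread or from NFR): parsing the IPv4 header of each dump shows why NFR reports 85.85.85.85 as both source and destination, 21845 as the ports and 85 as the ICMP type/code, and recomputes the header checksum as the sanity check one would apply before treating such an alert as a real LAND attack. The packet bytes are transcribed from the dumps with the run of 'U' bytes trimmed; reading the archive's doubled quote in the UDP dump as a single 0x22 byte is an assumption.

```python
"""Decode the three NFR 'Land' alerts from the quoted post.

Each dump is an IPv4 packet.  Parsing its header shows where the
85.85.85.85 source/destination, the 21845 ports and the 85/85 ICMP
type/code come from: every byte from the header checksum onward is
0x55 ('U'), and 0x5555 == 21845, 0x55 == 85.  The header checksum is
recomputed as a sanity check on each dump.
"""
import struct

# Constructed for this example: bytes transcribed from the three dumps in
# the post, with the long run of 'U' bytes trimmed.  The UDP dump's doubled
# quote in the archive is read as a single 0x22 byte (an assumption; it is
# the reading under which NFR's protocol 17 and ports 21845 come out).
ICMP_ALERT = b"E\x00\x008\x80\x1e\x00\x00\x01\x01" + b"U" * 46
TCP_ALERT = b"E\x00\x02`\xc6\x01@\x00\xff\x06\xd7\xf6" + b"U" * 12
UDP_ALERT = b"E\x00\x00\"\xe1\xd3\x00\x00@\x11\x12" + b"U" * 23

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_ipv4(pkt: bytes) -> dict:
    """Parse the fixed IPv4 header plus the payload fields NFR reports."""
    (vihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    info = {
        "total_len": total_len, "ttl": ttl, "proto": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        # summing the header including its stored checksum gives 0 when valid
        "csum_ok": ip_checksum(pkt[:ihl]) == 0,
    }
    info["land"] = info["src"] == info["dst"]   # the condition a Land signature matches
    body = pkt[ihl:]
    if proto == 1:            # ICMP: type and code are the first two bytes
        info["icmp_type"], info["icmp_code"] = body[0], body[1]
    elif proto in (6, 17):    # TCP/UDP: source and destination ports
        info["sport"], info["dport"] = struct.unpack("!HH", body[:4])
    return info

if __name__ == "__main__":
    for name, pkt in [("ICMP", ICMP_ALERT), ("TCP", TCP_ALERT), ("UDP", UDP_ALERT)]:
        print(name, decode_ipv4(pkt))
```

For all three dumps the stored checksum does not verify against the header bytes shown, which is consistent with the faulty-router explanation given in the reply.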
