Security Incidents mailing list archives

Re: ICMP Echo Reply to 0.0.0.0


From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Mon, 20 Mar 2000 11:14:49 -0800


Note:

BlackICE Defender (personal firewall and IDS) detects unsolicited replies.
The default behavior is to log these packets in a sniffer tracefile.
Therefore, if you get this alert:
http://www.networkice.com/advice/intrusions/2000109/
then you may have the event Dave is looking for.

Here are some steps to take:
1. First, open the file "attack-list.csv" and verify that the destination is
indeed 0.0.0.0 (unfortunately, the current GUI doesn't show the destination
field, only the source of the intrusions, but the full info is logged).

2. Look for the file "evdXXXXX.enc", where XXXX is the date when the intrusion
event was detected. This file should contain some sample packets for this
intrusion.

3. E-mail that file to Dave. Note that the file may contain private
information you may not want to share, so if you have any concerns about
this, you might want to walk through the decodes yourself before sending it.

Robert Graham

PS: About three weeks ago, I posted to our website a request for Unsolicited
Echo Reply sample tracefiles (for unrelated reasons). I received about 60
of them from customers all over the web. None of these contained the exact
signature you describe.

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com]On
Behalf Of Dave Dittrich
Sent: Thursday, March 16, 2000 6:05 PM
To: INCIDENTS () securityfocus com
Subject: ICMP Echo Reply to 0.0.0.0

Is anyone seeing any unsolicited ICMP Echo Reply packets on your
networks destined to 0.0.0.0?  If so, could you let me know (and trace
packets to/from the system(s) that are sending them)?

--
Dave Dittrich                 Client Services
dittrich () cac washington edu   Computing & Communications
                              University of Washington

Dave Dittrich / dittrich () cac washington edu [PGP Key]: http://www.washington.edu/People/dad/

PGP 6.5.1 key fingerprint:
FE 97 0C 57 08 43 F3 EB  49 A1 0C D0 8E 0C D0 BE  C8 38 CC B5


