Security Incidents mailing list archives
Re: ICMP Echo Reply to 0.0.0.0
From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Mon, 20 Mar 2000 11:14:49 -0800
Note: BlackICE Defender (personal firewall and IDS) detects unsolicited replies. The default behavior is to log these packets in a sniffer tracefile. Therefore, if you get this alert: http://www.networkice.com/advice/intrusions/2000109/ then you may have the event Dave is looking for. Here are some steps to take:

1. First, open the file "attack-list.csv" and verify that the destination is indeed 0.0.0.0 (unfortunately, the current GUI doesn't show the destination field, only the source of the intrusions, but the full info is logged).

2. Look for the file "evdXXXXX.enc", where XXXX is the date when the intrusion event was detected. This file should contain some sample packets for this intrusion.

3. E-mail that file to Dave. Note that the file may contain private information you may not want to share, so if you have any concerns about this, you might want to walk through the decodes yourself before sending it.

Robert Graham

PS: About three weeks ago, I posted to our website a request for Unsolicited Echo Replies sample tracefiles (for unrelated reasons). I received about 60 of them from customers all over the web. None of these contained the exact signature you describe.

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com] On Behalf Of Dave Dittrich
Sent: Thursday, March 16, 2000 6:05 PM
To: INCIDENTS () securityfocus com
Subject: ICMP Echo Reply to 0.0.0.0

Is anyone seeing any unsolicited ICMP Echo Reply packets on your networks destined to 0.0.0.0? If so, could you let me know (and trace packets to/from the system(s) that are sending them)?

--
Dave Dittrich
Client Services
dittrich () cac washington edu
Computing & Communications
University of Washington
http://www.washington.edu/People/dad/
Dave Dittrich / dittrich () cac washington edu [PGP Key]
PGP 6.5.1 key fingerprint: FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
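The thread turns on two checks a detector has to make on a packet: is this an ICMP Echo Reply with no matching Echo Request seen earlier (what BlackICE calls an unsolicited reply), and is its destination address 0.0.0.0 (the specific pattern Dave is asking about). The following is an added example, not code from either poster or from BlackICE, that implements both checks in plain Python over raw IPv4/ICMP bytes. The packets it runs on are constructed inline with documentation-range addresses; the `UnsolicitedReplyDetector` class, the `build_ipv4_icmp` helper and the alert fields are all assumptions of this example, not anything the archived messages describe.

```python
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used for both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4_icmp(src: str, dst: str, icmp_type: int, icmp_code: int,
                    ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 + ICMP packet. Sample input only (constructed, not captured)."""
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    # version/IHL, TOS, total length, ID, flags/frag, TTL, proto=1 (ICMP), checksum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + icmp


def parse_icmp(pkt: bytes):
    """Return the ICMP fields of an IPv4 packet, or None if it is not ICMP or is truncated."""
    if len(pkt) < 20:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    return {"src": src, "dst": dst, "type": icmp_type, "code": code, "id": ident, "seq": seq}


class UnsolicitedReplyDetector:
    """Track outgoing Echo Requests; flag Echo Replies that match none of them (hypothetical detector)."""
    ECHO_REPLY = 0
    ECHO_REQUEST = 8

    def __init__(self):
        self.outstanding = set()   # (requester, target, id, seq) of requests seen
        self.alerts = []

    def observe(self, pkt: bytes):
        f = parse_icmp(pkt)
        if f is None:
            return None
        if f["type"] == self.ECHO_REQUEST:
            self.outstanding.add((f["src"], f["dst"], f["id"], f["seq"]))
            return None
        if f["type"] == self.ECHO_REPLY:
            # A legitimate reply reverses the request's addresses and keeps its id/seq.
            key = (f["dst"], f["src"], f["id"], f["seq"])
            if key in self.outstanding:
                self.outstanding.discard(key)
                return None
            reason = "unsolicited echo reply"
            if f["dst"] == "0.0.0.0":
                reason += " to 0.0.0.0 (pattern asked about in the thread)"
            alert = dict(f, reason=reason)
            self.alerts.append(alert)
            return alert
        return None


def run_sample():
    """Feed four constructed packets through the detector and return the alerts raised."""
    d = UnsolicitedReplyDetector()
    packets = [
        build_ipv4_icmp("192.0.2.10", "198.51.100.5", 8, 0, 0x1234, 1),   # our request
        build_ipv4_icmp("198.51.100.5", "192.0.2.10", 0, 0, 0x1234, 1),   # matching reply: no alert
        build_ipv4_icmp("203.0.113.7", "0.0.0.0", 0, 0, 0x4142, 7),       # unsolicited, dst 0.0.0.0
        build_ipv4_icmp("203.0.113.8", "192.0.2.10", 0, 0, 0x9999, 3),    # unsolicited, ordinary dst
    ]
    for p in packets:
        d.observe(p)
    return d.alerts


if __name__ == "__main__":
    for a in run_sample():
        print(f'{a["src"]} -> {a["dst"]} id={a["id"]:#x} seq={a["seq"]}: {a["reason"]}')
```

The request/reply matching is deliberately strict (id and sequence must both agree), which is why step 1 of Robert's list matters: the same alert fires for any unsolicited reply, and only the destination field distinguishes the 0.0.0.0 case from ordinary stray replies. On a real capture the packets would come from a pcap reader rather than `build_ipv4_icmp`, and the outstanding-request set would need an expiry so it does not grow without bound.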
Current thread:
- ICMP Echo Reply to 0.0.0.0 Dave Dittrich (Mar 16)
- Re: ICMP Echo Reply to 0.0.0.0 Robert Graham (Mar 20)