Security Incidents mailing list archives

Type 8 Overload


From: Rooster <rooster () MAREX COM>
Date: Mon, 19 Feb 2001 13:49:37 -0500

List,

This has me concerned:

540 packets received between 10:55:48 and 11:05:25. Source IP (64.6.180.88) to a private box (10.x.x.x) on our
internal subnet. Is it possible these packets could get by our firewall and deliver an echo-reply back to the attacker?
What do you see happening here? The source IP belongs to a company called Phoenix Data Systems out of St. Louis.

[**] IDS159 - PING Microsoft Windows [**]
02/17-11:32:29.553693 64.6.180.88 -> 192.x.x.x
ICMP TTL:127 TOS:0x0 ID:4679 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:6400  ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


This first packet is the only one I received from this source on this day. The payload has me suspicious. Could this
have been crafted by the attacker? The alphabet is what has me leaning in that direction. The sequence numbers are all
256 bytes apart. The IDs are the same and never change. 192.x.x.x is a box on our DMZ. Any ideas?

=+=+=+=+

[**] IDS159 - PING Microsoft Windows [**]
02/18-10:55:48.380987 64.6.180.88 -> 10.x.x.x
ICMP TTL:127 TOS:0x0 ID:13787 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:3840  ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS159 - PING Microsoft Windows [**]
02/18-10:55:49.379163 64.6.180.88 -> 10.x.x.x
ICMP TTL:127 TOS:0x0 ID:13790 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:4096  ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS159 - PING Microsoft Windows [**]
02/18-10:55:50.380201 64.6.180.88 -> 10.x.x.x
ICMP TTL:127 TOS:0x0 ID:13791 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:4352  ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

These three packets keep coming at a constant rate. Although I am only showing you 3 traces here, I have 540 of them as 
I mentioned above. This is from my snort sensor. Anyone else see PING Microsoft Windows before?


Thank you,

Rooster.
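The traits Rooster picks out (constant ICMP ID 512, sequence numbers 256 apart, the alphabet payload, one packet per second) can be checked mechanically instead of by eye. The script below is an added example, not part of the post or the list thread: it parses alert records in the same full-alert-with-payload format as the Snort output quoted above and summarises exactly those traits. The three sample records are constructed from the post's values with a made-up destination 10.0.0.5 standing in for the masked 10.x.x.x. The `swap16` view is an interpretation: read the 16-bit ID and sequence fields in the opposite byte order and the constant ID becomes 2 and the sequence becomes 15, 16, 17, which is what a stock Windows ping looks like when its host-order fields are shown by a sensor in network order; that is the behaviour the IDS159 signature name already points at, so the payload and 256-step sequence by themselves are not evidence of hand-crafted packets.

```python
import re
from datetime import datetime

# Constructed sample in the same format as the Snort output quoted in the post.
# The destination 10.0.0.5 is a made-up private address for the masked "10.x.x.x".
SAMPLE_ALERTS = """\
[**] IDS159 - PING Microsoft Windows [**]
02/18-10:55:48.380987 64.6.180.88 -> 10.0.0.5
ICMP TTL:127 TOS:0x0 ID:13787 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:3840  ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

[**] IDS159 - PING Microsoft Windows [**]
02/18-10:55:49.379163 64.6.180.88 -> 10.0.0.5
ICMP TTL:127 TOS:0x0 ID:13790 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:4096  ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

[**] IDS159 - PING Microsoft Windows [**]
02/18-10:55:50.380201 64.6.180.88 -> 10.0.0.5
ICMP TTL:127 TOS:0x0 ID:13791 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:4352  ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi
"""

HEADER_RE = re.compile(r"^\[\*\*\] (?P<sig>.+?) \[\*\*\]$")
ADDR_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$")
IP_RE = re.compile(r"^ICMP TTL:(?P<ttl>\d+) TOS:0x[0-9A-Fa-f]+ ID:(?P<ipid>\d+) IpLen:\d+ DgmLen:\d+$")
ICMP_RE = re.compile(r"^Type:(?P<type>\d+)\s+Code:(?P<code>\d+)\s+ID:(?P<id>\d+)\s+Seq:(?P<seq>\d+)\s+\w+$")
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2} )+")  # hex column, then two spaces, then ASCII column


def parse_alerts(text):
    """Turn Snort full-alert text into a list of dicts, one per alert record."""
    alerts, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER_RE.match(line)):
            cur = {"signature": m.group("sig"), "payload": b""}
            alerts.append(cur)
            continue
        if cur is None or not line or line.startswith("=+"):
            continue  # blank lines and the =+=+ separators carry no fields
        if (m := ADDR_RE.match(line)):
            cur["time"] = datetime.strptime(m.group("ts"), "%m/%d-%H:%M:%S.%f")
            cur["src"], cur["dst"] = m.group("src"), m.group("dst")
        elif (m := IP_RE.match(line)):
            cur["ttl"], cur["ip_id"] = int(m.group("ttl")), int(m.group("ipid"))
        elif (m := ICMP_RE.match(line)):
            cur["icmp_type"] = int(m.group("type"))
            cur["icmp_id"] = int(m.group("id"))
            cur["icmp_seq"] = int(m.group("seq"))
        elif HEX_RE.match(line):
            cur["payload"] += bytes.fromhex(line.split("  ", 1)[0])
    return alerts


def looks_like_windows_ping(payload: bytes) -> bool:
    # Windows ping fills the data with "a".."w" repeating; the default 32 bytes
    # give "abcdefghijklmnopqrstuvwabcdefghi", the pattern IDS159 keys on.
    return len(payload) > 0 and all(b == ord("a") + (i % 23) for i, b in enumerate(payload))


def swap16(n: int) -> int:
    """Byte-swap a 16-bit field (network order <-> little-endian host order)."""
    return ((n & 0xFF) << 8) | ((n >> 8) & 0xFF)


def packets_per_second(count: int, start_hms: str, end_hms: str) -> float:
    """Average rate over a window given as HH:MM:SS strings (same day)."""
    fmt = "%H:%M:%S"
    span = (datetime.strptime(end_hms, fmt) - datetime.strptime(start_hms, fmt)).total_seconds()
    return count / span


def summarize(alerts):
    seqs = [a["icmp_seq"] for a in alerts]
    times = [a["time"] for a in alerts]
    return {
        "count": len(alerts),
        "sources": sorted({a["src"] for a in alerts}),
        "destinations": sorted({a["dst"] for a in alerts}),
        "icmp_ids": sorted({a["icmp_id"] for a in alerts}),
        "seq_deltas": [b - a for a, b in zip(seqs, seqs[1:])],
        "host_order_seqs": [swap16(s) for s in seqs],      # interpretation, see lead-in
        "interarrival_s": [(b - a).total_seconds() for a, b in zip(times, times[1:])],
        "all_windows_payload": all(looks_like_windows_ping(a["payload"]) for a in alerts),
        "echo_request_only": all(a["icmp_type"] == 8 for a in alerts),
    }


if __name__ == "__main__":
    for k, v in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{k}: {v}")
    # The post's own figures: 540 packets between 10:55:48 and 11:05:25.
    print("rate over the whole window:", round(packets_per_second(540, "10:55:48", "11:05:25"), 3), "pkt/s")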

