Security Incidents mailing list archives
Type 8 Overload
From: Rooster <rooster () MAREX COM>
Date: Mon, 19 Feb 2001 13:49:37 -0500
List,

This has me concerned: 540 packets received between 10:55:48 and 11:05:25. Source IP (64.6.180.88) to a private box (10.x.x.x) on our internal subnet. Is it possible these packets could get by our firewall and deliver an echo-reply back to the attacker? What do you see happening here? The source IP belongs to a company called Phoenix Data Systems out of St. Louis.

[**] IDS159 - PING Microsoft Windows [**]
02/17-11:32:29.553693 64.6.180.88 -> 192.x.x.x
ICMP TTL:127 TOS:0x0 ID:4679 IpLen:20 DgmLen:60
Type:8 Code:0 ID:512 Seq:6400 ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

This first packet is the only one I received from this source on this day. The payload has me suspicious. Could this have been crafted by the attacker? The alphabet is what has me leaning in that direction. The sequence numbers are all 256 bytes apart. The IDs are the same and never change. 192.x.x.x is a box on our DMZ. Any ideas?

=+=+=+=+
[**] IDS159 - PING Microsoft Windows [**]
02/18-10:55:48.380987 64.6.180.88 -> 10.x.x.x
ICMP TTL:127 TOS:0x0 ID:13787 IpLen:20 DgmLen:60
Type:8 Code:0 ID:512 Seq:3840 ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS159 - PING Microsoft Windows [**]
02/18-10:55:49.379163 64.6.180.88 -> 10.x.x.x
ICMP TTL:127 TOS:0x0 ID:13790 IpLen:20 DgmLen:60
Type:8 Code:0 ID:512 Seq:4096 ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS159 - PING Microsoft Windows [**]
02/18-10:55:50.380201 64.6.180.88 -> 10.x.x.x
ICMP TTL:127 TOS:0x0 ID:13791 IpLen:20 DgmLen:60
Type:8 Code:0 ID:512 Seq:4352 ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

These three packets keep coming at a constant rate. Although I am only showing you 3 traces here, I have 540 of them as I mentioned above. This is from my Snort sensor. Anyone else see PING Microsoft Windows before?

Thank you,
Rooster.
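An added example, not part of Rooster's post: a small Python parser for the Snort alert format quoted above, run over a constructed copy of two of those alerts (the masked 10.x.x.x target is replaced by the placeholder 10.0.0.1). It checks the three things the post points at, the alphabet payload, the unchanging ICMP ID and the 256-step sequence numbers, and flags that a public source reached an RFC1918 destination.

```python
import re
import ipaddress
# Constructed sample in the Snort alert format quoted in the post (10.x.x.x -> placeholder 10.0.0.1).
SAMPLE_ALERTS = """\
[**] IDS159 - PING Microsoft Windows [**]
02/18-10:55:48.380987 64.6.180.88 -> 10.0.0.1
ICMP TTL:127 TOS:0x0 ID:13787 IpLen:20 DgmLen:60
Type:8 Code:0 ID:512 Seq:3840 ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] IDS159 - PING Microsoft Windows [**]
02/18-10:55:49.379163 64.6.180.88 -> 10.0.0.1
ICMP TTL:127 TOS:0x0 ID:13790 IpLen:20 DgmLen:60
Type:8 Code:0 ID:512 Seq:4096 ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi
"""
# Stock payload of Windows ping.exe: 32 bytes cycling through 'a'..'w'.
WINDOWS_PING_PAYLOAD = bytes(ord("a") + i % 23 for i in range(32))

def parse_alerts(text):
    """Split Snort alert text into one dict per packet (ICMP fields as ints)."""
    records, cur = [], {"payload": b""}          # throwaway dict absorbs text before the first alert
    for line in text.splitlines():
        if line.startswith("[**]"):                                  # new alert block
            cur = {"sig": line.strip("[*] "), "payload": b""}
            records.append(cur)
        elif m := re.match(r"^(\S+) (\S+) -> (\S+)$", line):         # timestamp src -> dst
            cur["ts"], cur["src"], cur["dst"] = m.groups()
        elif m := re.match(r"^Type:(\d+) Code:(\d+) ID:(\d+) Seq:(\d+)", line):
            cur["type"], cur["code"], cur["icmp_id"], cur["seq"] = map(int, m.groups())
        elif m := re.match(r"^((?:[0-9A-F]{2} )+)", line):           # hex column of the dump
            cur["payload"] += bytes.fromhex(m.group(1))
    return records

def assess(records):
    """Defender-side checks on a non-empty run of echo requests from one source."""
    findings = []
    if all(r["payload"] == WINDOWS_PING_PAYLOAD for r in records):
        findings.append("stock Windows ping.exe payload, not a hand-crafted one")
    if len({r["icmp_id"] for r in records}) == 1:
        findings.append("ICMP identifier never changes: one long-running ping process")
    seqs = [r["seq"] for r in records]
    if {b - a for a, b in zip(seqs, seqs[1:])} == {256}:
        findings.append("sequence steps by 256: Windows counts in little-endian, Snort prints it big-endian")
    src, dst = (ipaddress.ip_address(records[0][k]) for k in ("src", "dst"))
    if dst.is_private and not src.is_private:
        findings.append("public source %s reached private %s: the border filter should drop this" % (src, dst))
    return findings
```

DgmLen:60 in the alerts is consistent with that payload: 20 bytes of IP header, 8 of ICMP header and the 32-byte alphabet.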
Current thread:
- Type 8 Overload Rooster (Feb 19)
- Re: Type 8 Overload John (Feb 19)