Security Incidents mailing list archives

forged ICMP packets?


From: Kevin Holmquist <kevinh () NETRONIN ORG>
Date: Wed, 21 Feb 2001 17:23:47 -0700

Hi all;

I've been receiving strange ICMP requests from various addresses.  They
usually come in groups of three and I think they are forged because the id#
doesn't increment.  Is anyone else seeing this kind of traffic?

Also, I tracerouted st-3dns.obongo.com and it was 12-13 hops away, giving a
ttl of 64 (windows?).  The ttl for the 10.x.x.x packets is the same, so they
may be coming from the same box.  I have contacted my ISP about routing
private addresses; should I also report these to SANS and the owner of
st-3dns.obongo.com?

Thanks!

Kevin

(captured by snort, printed via tcpdump.  All times MST)

11:56:13.386546 < 0:10:67:0:30:46 0:10:4b:cd:91:3c ip 98: 10.12.26.1 >
netronin.org: icmp: echo request (ttl 51, id 46080)
    4500 0054 b400 0000 3301 ce31 0a0c 1a01
    40d9 a091 0800 7d33 b400 0100 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    ab00 943a 8090 0600 0000 0000 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    0000 0000
11:56:13.387280 < 0:10:67:0:30:46 0:10:4b:cd:91:3c ip 98: 10.12.26.1 >
netronin.org: icmp: echo request (ttl 51, id 46080)
    4500 0054 b400 0000 3301 ce31 0a0c 1a01
    40d9 a091 0800 5b33 b400 0200 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    ab00 943a a190 0600 0000 0000 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    0000 0000
11:56:13.388273 < 0:10:67:0:30:46 0:10:4b:cd:91:3c ip 98: 10.12.26.1 >
netronin.org: icmp: echo request (ttl 51, id 46080)
    4500 0054 b400 0000 3301 ce31 0a0c 1a01
    40d9 a091 0800 4833 b400 0300 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    ab00 943a b390 0600 0000 0000 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    0000 0000
12:02:40.369089 < 0:10:67:0:30:46 0:10:4b:cd:91:3c ip 98: st-3dns.obongo.com
netronin.org: icmp: echo request (ttl 51, id 42240)
    4500 0054 a500 0000 3301 e567 d86d 4369
    40d9 a091 0800 2a4e a500 0100 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    d90f 943a b166 0900 0000 0000 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    0000 0000
12:02:40.369257 > 0:10:4b:cd:91:3c 0:10:67:0:30:46 ip 98: netronin.org >
st-3dns.obongo.com: icmp: echo reply (ttl 255, id 10232)
    4500 0054 27f8 0000 ff01 966f 40d9 a091
    d86d 4369 0000 324e a500 0100 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    d90f 943a b166 0900 0000 0000 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    0000 0000
12:02:40.369820 < 0:10:67:0:30:46 0:10:4b:cd:91:3c ip 98: st-3dns.obongo.com
netronin.org: icmp: echo request (ttl 51, id 42240)
    4500 0054 a500 0000 3301 e567 d86d 4369
    40d9 a091 0800 134e a500 0200 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    d90f 943a c766 0900 0000 0000 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    0000 0000
12:02:40.369888 > 0:10:4b:cd:91:3c 0:10:67:0:30:46 ip 98: netronin.org >
st-3dns.obongo.com: icmp: echo reply (ttl 255, id 10233)
    4500 0054 27f9 0000 ff01 966e 40d9 a091
    d86d 4369 0000 1b4e a500 0200 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    d90f 943a c766 0900 0000 0000 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    0000 0000
12:02:40.375987 < 0:10:67:0:30:46 0:10:4b:cd:91:3c ip 98: st-3dns.obongo.com
netronin.org: icmp: echo request (ttl 51, id 42240)
    4500 0054 a500 0000 3301 e567 d86d 4369
    40d9 a091 0800 074e a500 0300 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    d90f 943a d266 0900 0000 0000 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    0000 0000
12:02:40.376056 > 0:10:4b:cd:91:3c 0:10:67:0:30:46 ip 98: netronin.org >
st-3dns.obongo.com: icmp: echo reply (ttl 255, id 10234)
    4500 0054 27fa 0000 ff01 966d 40d9 a091
    d86d 4369 0000 0f4e a500 0300 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    d90f 943a d266 0900 0000 0000 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    0000 0000

