Security Incidents mailing list archives
RE: a lot of spoofed traffic for port 8, does anybody recon this?
From: "Guy L. Smith" <gsmith () onesecure com>
Date: Mon, 14 May 2001 19:36:57 -0700
Here's a copy of the ICMP RFC codes:

The Internet Control Message Protocol (ICMP) has many messages that are identified by a "type" field. Here are the numbers from RFC-1700.

Type     Name                                  Reference
----     -------------------------             ---------
0        Echo Reply                            [RFC792]
1        Unassigned                            [JBP]
2        Unassigned                            [JBP]
3        Destination Unreachable               [RFC792]
4        Source Quench                         [RFC792]
5        Redirect                              [RFC792]
6        Alternate Host Address                [JBP]
7        Unassigned                            [JBP]
8        Echo                                  [RFC792]
9        Router Advertisement                  [RFC1256]
10       Router Selection                      [RFC1256]
11       Time Exceeded                         [RFC792]
12       Parameter Problem                     [RFC792]
13       Timestamp                             [RFC792]
14       Timestamp Reply                       [RFC792]
15       Information Request                   [RFC792]
16       Information Reply                     [RFC792]
17       Address Mask Request                  [RFC950]
18       Address Mask Reply                    [RFC950]
19       Reserved (for Security)               [Solo]
20-29    Reserved (for Robustness Experiment)  [ZSu]
30       Traceroute                            [RFC1393]
31       Datagram Conversion Error             [RFC1475]
32       Mobile Host Redirect                  [David Johnson]
33       IPv6 Where-Are-You                    [Bill Simpson]
34       IPv6 I-Am-Here                        [Bill Simpson]
35       Mobile Registration Request           [Bill Simpson]
36       Mobile Registration Reply             [Bill Simpson]
37-255   Reserved                              [JBP]

-----Original Message-----
From: Kevin Pietersma [mailto:kev () attcanada net]
Sent: Monday, May 14, 2001 11:54 AM
To: Bob Johnson; Mikael Fors
Cc: INCIDENTS () SECURITYFOCUS COM
Subject: Re: a lot of spoofed traffic for port 8, does anybody recon this?

What you are seeing are ICMP codes (ICMP Echo Request; itype: 8; icode: 0). Someone is PINGing you.

kev

At 10:52 AM 5/14/01 -0400, Bob Johnson wrote:
Don't know if you ever figured this out. The only place I've ever seen port 8 used is a Telocity DSL modem in a friend's office. The modem queries port 8 on the client system (i.e. the system it is connecting to the Internet) at regular intervals. It also updates DHCP info at regular intervals. I don't know what the modem is looking for, but it seems to work fine if it doesn't find anything. In his case the modem has a public IP number, so the probe packets come from that address.

- Bob

Mikael Fors wrote:

Last 24 hours I've been receiving a lot of strange packets on my public interface. Log has been sanitized.

May 9 10:03:36 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 a.b.c.d:8 192.168.22.2:0 L=60 S=0x00 I=29112 F=0x0000 T=126 (#24)
May 9 10:03:36 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 a.b.c.d:8 192.168.22.2:0 L=60 S=0x00 I=29113 F=0x0000 T=127 (#24)
May 9 10:03:39 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 a.b.c.d:8 192.168.22.2:0 L=60 S=0x00 I=29117 F=0x0000 T=127 (#24)
May 9 10:04:06 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 a.b.c.d:8 192.168.5.1:0 L=60 S=0x00 I=29177 F=0x0000 T=126 (#24)
May 9 10:04:06 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 a.b.c.d:8 192.168.5.1:0 L=60 S=0x00 I=29178 F=0x0000 T=127 (#24)
May 9 10:04:09 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 a.b.c.d:8 192.168.5.1:0 L=60 S=0x00 I=29185 F=0x0000 T=127 (#24)
May 9 10:04:33 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 a.b.c.d:8 192.168.255.1:0 L=60 S=0x00 I=29235 F=0x0000 T=126 (#24)
May 9 10:04:33 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 a.b.c.d:8 192.168.255.1:0 L=60 S=0x00 I=29236 F=0x0000 T=127 (#24)
May 9 10:04:36 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 a.b.c.d:8 192.168.255.1:0 L=60 S=0x00 I=29243 F=0x0000 T=127 (#24)

These packets started trickling here about 48 hours ago, and I have no clue what it can be. What resides on port 8 and why ICMP???

All of these packets arrive on the public interface, and contain private networks, mostly 192.168.x.x networks, but also 172.x.x.x networks show up.

Mikael Fors
Mora Datorer AB

--
*********************************************************
Bob Johnson                      Senior Systems Programmer
bob () eng ufl edu               College of Engineering
523 Weil Hall                    352-392-9217 Office
University of Florida            352-392-7063 Fax
Gainesville, FL 32611
*********************************************************
"Security is not a product, it's a mentality."
Current thread:
- a lot of spoofed traffic for port 8, does anybody recon this? Mikael Fors (May 10)
- Message not available
- Re: a lot of spoofed traffic for port 8, does anybody recon this? Devdas Bhagat (May 14)
- Message not available
- Message not available
- Re: a lot of spoofed traffic for port 8, does anybody recon this? Kevin Pietersma (May 14)
- RE: a lot of spoofed traffic for port 8, does anybody recon this? Guy L. Smith (May 14)
- Re: a lot of spoofed traffic for port 8, does anybody recon this? Kevin Pietersma (May 14)
- <Possible follow-ups>
- Re: a lot of spoofed traffic for port 8, does anybody recon this? Jose Nazario (May 14)