Security Basics mailing list archives

RE: Please help with this strangeness


From: "Burton M. Strauss III" <BStrauss () acm org>
Date: Fri, 16 Jan 2004 10:54:44 -0600

If I understand you, you have a /30 from your ISP.  That is, the leftmost
30 bits are the NETWORK portion and the rightmost 2 are the HOST.

This would typically be described as 81.174.224.68/30

The all 0s and all 1s HOSTs are customarily reserved for broadcast usage,
giving you two usable static addresses, .69 and .70.

You've put your router on .69 (and presumably have your workstation behind
it using NATed addresses).

OK so far?

Then what you're seeing is the router (.69) doing discovery on its subnet
to identify any other devices...

ICMP Type 8 is an "ECHO REQUEST", the front half of a ping -- "Are you
there?"

Pings to the broadcast address are performed to see if ANYONE is there,
instead of having to walk through all the possible addresses.

You probably want to check your Router documentation and turn off 'auto
discovery'.

-----Burton
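An added example, not part of Burton's reply or of the original post, that applies the explanation above to Snort alerts in the format quoted in the original message: it parses the alert lines and, using the convention where the all-zeros host of a subnet is the network address and the all-ones host is the broadcast address, counts ICMP echo requests by the role of their destination inside 81.174.224.68/30. The sample alert text is constructed from the lines quoted in the thread; the function and variable names are my own.

```python
import ipaddress
import re

# Constructed sample, in the same format as the Snort alerts quoted in the thread
SAMPLE_ALERTS = """\
01/15-02:49:35.625784 81.174.224.69 -> 81.174.224.70
ICMP TTL:111 TOS:0xA0 ID:45600 IpLen:20 DgmLen:92
Type:8  Code:0  ID:512   Seq:52213  ECHO
01/15-02:49:35.641759 81.174.224.69 -> 81.174.224.68
ICMP TTL:110 TOS:0xA0 ID:45598 IpLen:20 DgmLen:92
Type:8  Code:0  ID:512   Seq:51701  ECHO
01/15-02:49:35.649566 81.174.224.69 -> 81.174.224.71
ICMP TTL:111 TOS:0xA0 ID:45601 IpLen:20 DgmLen:92
Type:8  Code:0  ID:512   Seq:52469  ECHO
"""

# Snort packet header "<timestamp> <src> -> <dst>", later followed by a "Type:<n> Code:<n>" line
HDR_RE = re.compile(r"^\S+ (\d+(?:\.\d+){3}) -> (\d+(?:\.\d+){3})$")
TYPE_RE = re.compile(r"^Type:(\d+)\s+Code:(\d+)")

def classify(addr, network):
    """Role of an address within the subnet: network, broadcast, host or outside."""
    ip = ipaddress.ip_address(addr)
    if ip not in network:
        return "outside"
    if ip == network.network_address:
        return "network"
    return "broadcast" if ip == network.broadcast_address else "host"

def parse_alerts(text):
    """Yield (src, dst, icmp_type) per alert, pairing each header with its Type: line."""
    src = dst = None
    for line in text.splitlines():
        if m := HDR_RE.match(line):
            src, dst = m.groups()
        elif (m := TYPE_RE.match(line)) and src is not None:
            yield src, dst, int(m.group(1))
            src = dst = None

def summarize(text, cidr):
    """Count ICMP echo requests (type 8) by source and destination role inside cidr."""
    net = ipaddress.ip_network(cidr, strict=False)
    counts = {}
    for src, dst, icmp_type in parse_alerts(text):
        if icmp_type == 8:
            key = (src, classify(dst, net))
            counts[key] = counts.get(key, 0) + 1
    return counts
```

For the constructed sample, `summarize(SAMPLE_ALERTS, "81.174.224.68/30")` reports one echo request each to a host address, the network address and the broadcast address, all from .69.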


-----Original Message-----
From: Michael Thompson [mailto:mike () thompsonmike co uk]
Sent: Wednesday, January 14, 2004 9:03 PM
To: security-basics () securityfocus com
Subject: Please help with this strangeness


Hi Security-basics,


I was going through all my security logs today and I noticed something
a little odd, and wondered if anyone could offer any insight? I am not
that good at detailed security!

I have an IP block assigned from my ISP, from 81.174.224.68 to
81.174.224.70.

As I understand it, 68 is a broadcast address, 69 is assigned to the
router, 70 is for a server, which I don't use at the present time.

Now, in my snort logs, which is connected to the outside of the
firewall, I get the following logs:

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.625784 81.174.224.69 -> 81.174.224.70
ICMP TTL:111 TOS:0xA0 ID:45600 IpLen:20 DgmLen:92
Type:8  Code:0  ID:512   Seq:52213  ECHO
[Xref => http://www.whitehats.com/info/IDS154]

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.641759 81.174.224.69 -> 81.174.224.68
ICMP TTL:110 TOS:0xA0 ID:45598 IpLen:20 DgmLen:92
Type:8  Code:0  ID:512   Seq:51701  ECHO
[Xref => http://www.whitehats.com/info/IDS154]

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.642071 81.174.224.69 -> 81.174.224.70
ICMP TTL:110 TOS:0xA0 ID:45600 IpLen:20 DgmLen:92
Type:8  Code:0  ID:512   Seq:52213  ECHO
[Xref => http://www.whitehats.com/info/IDS154]

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.649566 81.174.224.69 -> 81.174.224.71
ICMP TTL:111 TOS:0xA0 ID:45601 IpLen:20 DgmLen:92
Type:8  Code:0  ID:512   Seq:52469  ECHO
[Xref => http://www.whitehats.com/info/IDS154]

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.665945 81.174.224.69 -> 81.174.224.71
ICMP TTL:110 TOS:0xA0 ID:45601 IpLen:20 DgmLen:92
Type:8  Code:0  ID:512   Seq:52469  ECHO
[Xref => http://www.whitehats.com/info/IDS154]


Now, I thought of welchia or one of its many variants, and all
machines are clean, the DHCP records show only one machine on the
network connected mostly, that's my machine. It's clean.

What could be causing these broadcasts? Anyone have any ideas?

--

Best regards,
 Michael (mike () thompsonmike co uk)

Join the American Non-Sequitur Society -- we don't make sense,
but we do like pizza.

http://www.thompsonmike.co.uk/
PGP KeyID := 0xA9547E32

'To see a world in a grain of sand
And heaven in a wild flower
To hold infinity in the palm of your hand
And eternity in an hour'

Using TheBat! Version 2.02.3 CE
Running On Windows XP (2600, Service Pack 1)
Sent From OneAndOne

